How to find the location of a spam mailing script on a WHM/cPanel server


If you want to locate a spam mailing script on your WHM/cPanel server, you can do it with a few commands over SSH.

First, find out which directory on the server the abusive mail is being sent from. Exim records the working directory (cwd=) of every local process that hands it a message, so counting those entries in the Exim main log shows which script directories send the most mail. Entries under /var/spool are Exim's own queue runs, not scripts, so they are excluded:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

You will see output like this (count, then directory, least to most):

2 /home/site1/public_html/contact
4 /home/site2/public_html
8932 /home/site3/public_html/file_2014

From this you can see that /home/site3/public_html/file_2014 is sending most of the abusive mail. Now list that directory, sorted so the most recently modified files come last:

ls -lahtr /home/site3/public_html/file_2014

You will see something like this:

drwxr-xr-x 17 site3 site3 4.0K Feb 20 10:25 ../
-rw-r--r-- 1 site3 site3 5.6K Feb 20 11:27 emailer.php
drwxr-xr-x 2 site3 site3 4.0K Feb 20 11:27 ./

So emailer.php in site3's account is the script doing the harm, and that is the file you need to deal with (inspect it, then remove or fix it; a spam mailer is usually either a file an attacker uploaded or a legitimate contact form that does not validate its input).

Next, see which IP addresses are hitting the script. cPanel keeps each domain's Apache access log under /home/USER/access-logs/DOMAIN, so count requests for the script per client IP:

grep "emailer.php" /home/site3/access-logs/example.com | awk '{print $1}' | sort | uniq -c | sort -n

2 123.153.123.123
4 113.123.123.122
3 123.123.123.121
8932 123.124.123.113

We can see that 123.124.123.113 was driving our mailer script with 8932 requests, which is clearly malicious use.

If you find an IP address sending a large volume of mail through a script, you will probably want to block it at the server's firewall so that it cannot connect again. On a server running APF this is:

apf -d 123.124.123.113 "Spamming from script in /home/site3/public_html/file_2014"

On a server running CSF (the firewall most commonly found on cPanel hosts) the equivalent is csf -d 123.124.123.113 "Spamming from script in /home/site3/public_html/file_2014". Keep in mind that blocking the IP only stops this one client; the script itself is the real problem and must still be removed or fixed, and spam runs driven from many addresses will simply continue from the others.
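To make the procedure above repeatable, here is the log-mining part (the exim_mainlog directory count and the access-log IP count) wrapped in shell functions and run against a few constructed log lines, so the pipeline can be checked offline before it is pointed at a live server's logs. This is an added example, not code from the original article; every path, account name, IP address and log line in it is constructed for illustration, and the firewall step is left out because it cannot be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original article. Sample log lines, paths, account
# names and IP addresses below are constructed to mirror the article's scenario.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
EXIM_LOG="$SAMPLE_DIR/exim_mainlog"
ACCESS_LOG="$SAMPLE_DIR/example.com"

# Constructed exim_mainlog excerpt. A cwd= entry is written when a local process
# (here PHP's mail() invoking sendmail) hands a message to Exim. The entries under
# /var/spool/exim are Exim's own queue runner (-Mc) and are not script mail.
cat > "$EXIM_LOG" <<'EOF'
2014-02-20 10:25:01 cwd=/home/site1/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2014-02-20 10:25:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGZaa-0001xx-2x
2014-02-20 11:27:01 cwd=/home/site3/public_html/file_2014 3 args: /usr/sbin/sendmail -t -i
2014-02-20 11:27:01 cwd=/home/site3/public_html/file_2014 3 args: /usr/sbin/sendmail -t -i
2014-02-20 11:27:02 cwd=/home/site3/public_html/file_2014 3 args: /usr/sbin/sendmail -t -i
2014-02-20 11:27:03 cwd=/home/site2/public_html 3 args: /usr/sbin/sendmail -t -i
2014-02-20 11:27:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1WGZab-0001xy-3y
EOF

# Constructed Apache combined-format access log for the site3 domain (cPanel keeps
# these under /home/USER/access-logs/DOMAIN). Note the emailer.php.bak request,
# which must not be counted as a hit on emailer.php.
cat > "$ACCESS_LOG" <<'EOF'
123.124.123.113 - - [20/Feb/2014:11:27:01 +0000] "POST /file_2014/emailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.124.123.113 - - [20/Feb/2014:11:27:01 +0000] "POST /file_2014/emailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.124.123.113 - - [20/Feb/2014:11:27:02 +0000] "POST /file_2014/emailer.php?send=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.153.123.123 - - [20/Feb/2014:11:27:02 +0000] "GET /file_2014/emailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
113.123.123.122 - - [20/Feb/2014:11:27:03 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
123.123.123.121 - - [20/Feb/2014:11:27:03 +0000] "GET /file_2014/emailer.php.bak HTTP/1.1" 404 210 "-" "Mozilla/5.0"
EOF

# Step 1: messages handed to Exim per working directory, least to most.
# Usage: top_sending_dirs /var/log/exim_mainlog
top_sending_dirs() {
    grep 'cwd=' "$1" | grep -v '/var/spool' \
        | awk -F'cwd=' '{print $2}' | awk '{print $1}' \
        | sort | uniq -c | sort -n
}

# Step 2: requests for a given script per client IP, least to most. The script
# name is anchored to "/NAME" followed by a space or a query string, so that
# searching for mailer.php does not also count emailer.php.bak or similar.
# Usage: top_client_ips /home/site3/access-logs/example.com emailer.php
top_client_ips() {
    pattern=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    grep -E "/${pattern}( |\?)" "$1" | awk '{print $1}' | sort | uniq -c | sort -n
}

# Second field of the last (highest-count) line of a count listing.
busiest() { tail -n 1 | awk '{print $2}'; }

echo "Mail handed to Exim per directory (sample data):"
top_sending_dirs "$EXIM_LOG"
echo "Busiest sending directory: $(top_sending_dirs "$EXIM_LOG" | busiest)"
echo
echo "Clients requesting emailer.php (sample data):"
top_client_ips "$ACCESS_LOG" emailer.php
echo "Busiest client: $(top_client_ips "$ACCESS_LOG" emailer.php | busiest)"
```

On a real server, point top_sending_dirs at /var/log/exim_mainlog and top_client_ips at the access log of the account the first step identified; the busiest client is the candidate for the firewall block described above.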