What Script Is Sending Spam On My Server

Spam, or unsolicited email, is a huge problem for anyone running a server; it is estimated that around 90% of all email worldwide is junk mail. Spammers can have a negative impact on your server in many ways, including consuming all of its resources, which results in poor performance, and getting your IP address blacklisted, which prevents you from sending mail to some providers from your server.

Spammers send junk mail in a couple of different ways: sometimes from an external mail client, but more often from a script uploaded to your server. Compromised CMS platforms such as WordPress are often the cause of spam, having been hijacked by an attacker who uses your contact form to send thousands of messages.

So now that you know the problem, let's talk about what you can do about it and how to shut it down.

All mail servers have an MTA (Mail Transport Agent) that receives mail from mail clients, web applications and other servers that have mail for users on your server. WHM uses the Exim transport agent, which this guide focuses on, but these forensic techniques can be adapted to other mail transport agents.


Locating The Script That Is Spamming

 grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

This command scans the exim_mainlog file, which is where Exim logs all mail activity, and counts how many messages were sent from each working directory.


How The Command Works

grep cwd /var/log/exim_mainlog

Show all rows with ‘cwd’ (current working directory) in the log.

grep -v /var/spool

Use grep with -v to invert the match, excluding /var/spool, which are normal Exim deliveries rather than mail sent from a script.

 awk -F"cwd=" '{print $2}' | awk '{print $1}'

Format the output so we only see the data we need: the directory path that follows cwd=.

sort | uniq -c | sort -n

Sort the script paths by name, count the duplicates, and sort the result numerically from lowest to highest count.

      12 /home/account1/public_html/folder1
      43 /home/account2
      1652 /home/account3/public_html/scripts
      32 /home/account12/data/
      16 /home/account5/public_html
      19 /home/account 9/public_html
       7 /home/account21/public_html/content/scripts
      14 /home/account43/public_html/wp-content/themes/twentythirteen
      58 /home/account 45/public_html/tmp/
      20 /home/account31/public_html/wp-includes/js/imgareaselect
     346 /etc/csf
     794 /usr/local/cpanel/whostmgr/docroot
     1209 /
     187175 /root

This is typical output from the command. All user data is contained within the /home/ directory, so those are the results you want to focus on; /etc/csf and /root, for example, are system-generated emails that are only sent internally, such as firewall reports and cron job notifications.

As you can see from the output, 1652 /home/account3/public_html/scripts is the most likely suspect: it shows 1652 mails sent from a script in the scripts folder.
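To try the pipeline offline, here is an added example (not from the original article) that wraps the same command in shell functions, runs it against a constructed handful of exim_mainlog lines, and adds a /home-only view; the log lines, account names and paths are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article. The sample log below is
# constructed; the "cwd=... args:" line format is what Exim writes when the
# arguments log selector is enabled (as in WHM's default Exim configuration).
SAMPLE_LOG="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-04-14 23:25:10 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1abcDE-000001-AB
2024-04-14 23:26:02 cwd=/home/account3/public_html/scripts 4 args: /usr/sbin/sendmail -t -i
2024-04-14 23:26:03 cwd=/home/account3/public_html/scripts 4 args: /usr/sbin/sendmail -t -i
2024-04-14 23:26:04 cwd=/home/account3/public_html/scripts 4 args: /usr/sbin/sendmail -t -i
2024-04-14 23:27:11 cwd=/home/account1/public_html/folder1 4 args: /usr/sbin/sendmail -t -i
2024-04-14 23:28:00 cwd=/root 3 args: /usr/sbin/sendmail -t root
2024-04-14 23:28:30 cwd=/etc/csf 4 args: /usr/sbin/sendmail -t -i
EOF

# The article's pipeline: every cwd= directory except Exim's own spool,
# counted and sorted ascending, so the busiest directory is on the last line.
count_cwd() {
    grep cwd "$1" | grep -v /var/spool \
        | awk -F"cwd=" '{print $2}' | awk '{print $1}' \
        | sort | uniq -c | sort -n
}

# The same view narrowed to /home, since that is where user scripts live
# while /root, /etc/csf and similar paths are the server's own notifications.
count_home_cwd() {
    count_cwd "$1" | awk '$2 ~ /^\/home\//'
}

# Print only the busiest /home directory as "count path", without padding.
top_home_cwd() {
    count_home_cwd "$1" | tail -n 1 | awk '{print $1, $2}'
}

count_cwd "$SAMPLE_LOG"
echo "--- most active user directory:"
top_home_cwd "$SAMPLE_LOG"
```

Point the functions at /var/log/exim_mainlog instead of the sample file to run them against a real WHM server.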

Let's take a look in the scripts directory to see what we find.

 ls -lahtr /home/account3/public_html/scripts
 -rw-r--r-- 1 account3 account3 5.6K Apr 14 23:27 spam_script.php

Here we find the script spam_script.php, which is the PHP program sending the spam. In a real-world situation the file will be called something innocent, such as wp-plug-contact.php, to make it look like a genuine file.

A quick view of this file will show mail() calls and similar code used to send the spam.

All you need to do to stop the spam is delete the file.