How to Find a spam script location with Exim

In this guide I’ll show you how to use the Exim mail log on your VPS or dedicated server to find attempts by spammers to use your scripts, or scripts of their own, to relay spam from your server.

How does spam get sent from my server?

You might have a “tell a friend” feature on your website, or another email alerting system on your site. If you’re not careful these can sometimes be exploited by bots for spamming purposes. This can damage the sending reputation of your mail IP address and lead to issues such as your IP address ending up on a blacklist.

How do I stop spam coming from my server?

Exim, the MTA (Mail Transfer Agent) on your server, handles email delivery. All email activity is logged, including mail sent from scripts, and for mail handed in by a script Exim records the current working directory (cwd) the script was executed from.

Using this knowledge you can easily track down a script of your own that is being exploited to send out spam, or locate possibly malicious scripts that a spammer has placed onto your server.

Locate top scripts sending into Exim

In the steps below I’ll show how to locate the top scripts on your server sending mail. If any scripts look suspicious, you can check the Apache access logs to find how a spammer might be using your scripts to send spam.

To follow the steps below you’ll need root access to your server, so you have access to the Exim mail log.

  1. Login to your server via SSH as the root user.
  2. Run the following command to list, from the Exim mail log, the directories that mail-sending scripts were run from, with the busiest directory at the bottom:
    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

    (See the Code Breakdown below for a piece-by-piece explanation of this command.)

    You should get back something like this:
    15 /home/userna5/public_html/about-us
    25 /home/userna5/public_html
    7866 /home/userna5/public_html/data

    We can see /home/userna5/public_html/data has by far the most deliveries coming in of any directory.
  3. Now we can run the following command to see what scripts are located in that directory:
    ls -lahtr /home/userna5/public_html/data

    In this case we got back:
    drwxr-xr-x 17 userna5 userna5 4.0K Jan 20 10:25 ../
    -rw-r--r-- 1 userna5 userna5 5.6K Jan 20 11:27 mailer.php
    drwxr-xr-x 2 userna5 userna5 4.0K Jan 20 11:27 ./

    So we can see there is a script called mailer.php in this directory.

    Knowing the mailer.php script was sending mail into Exim, we can now take a look at our Apache access log to see what IP addresses are accessing this script using the following command:
    grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n
  4. You should get back something similar to this:
    2 123.123.123.126
    2 123.123.123.125
    2 123.123.123.124
    7860 123.123.123.123

    We can see the IP address 123.123.123.123 was using our mailer script maliciously.
  5. If you find a malicious IP address sending a large volume of mail from a script, you’ll probably want to go ahead and block them at your server’s firewall so that they can’t try to connect again.

    This can be accomplished with the following command:
    apf -d 123.123.123.123 "Spamming from script in /home/userna5/public_html/data"
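The steps above as one runnable script, added here as an example rather than code from the original article. It recreates the article’s Exim pipeline and the access-log IP count against constructed Exim and Apache log lines (the paths, IP addresses and timestamps are made up), and assumes the cPanel-style Exim log format the pipeline relies on, where each script-originated line carries "cwd=/path N args: ..." after the timestamp. It goes one step beyond the article with top_cwd_on_day, which restricts the count to a single date by matching the line’s leading timestamp.

```shell
#!/bin/sh
# Added example (not from the original article): the article's "cwd="
# pipeline and the Apache access-log IP count, run against small,
# constructed log samples so the steps can be tried and checked offline.
# Assumption: Exim log lines use the cPanel-style
#   "YYYY-MM-DD HH:MM:SS cwd=/path N args: /usr/sbin/sendmail ..."
# format the article's pipeline expects. All values below are made up.

WORK="${TMPDIR:-/tmp}/exim-cwd-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
EXIM_LOG="$WORK/exim_mainlog"
ACCESS_LOG="$WORK/example.com"

# Constructed Exim main log: two lines from a legitimate contact form,
# one Exim-internal line under /var/spool (which the pipeline must ignore),
# and three lines from a mailer script under /public_html/data.
cat > "$EXIM_LOG" <<'EOF'
2015-01-20 10:25:01 cwd=/home/userna5/public_html 3 args: /usr/sbin/sendmail -t -i
2015-01-20 10:31:44 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1YDbyd-0003Kp-0w
2015-01-20 11:27:02 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2015-01-20 11:27:03 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2015-01-20 11:27:05 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2015-01-20 11:40:10 cwd=/home/userna5/public_html 3 args: /usr/sbin/sendmail -t -i
EOF

# Constructed Apache combined log for example.com: one ordinary visitor
# and one client repeatedly posting to mailer.php.
cat > "$ACCESS_LOG" <<'EOF'
123.123.123.126 - - [20/Jan/2015:11:26:58 -0500] "GET /about-us/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
123.123.123.123 - - [20/Jan/2015:11:27:02 -0500] "POST /data/mailer.php HTTP/1.1" 200 43 "-" "Python-urllib/2.7"
123.123.123.123 - - [20/Jan/2015:11:27:03 -0500] "POST /data/mailer.php HTTP/1.1" 200 43 "-" "Python-urllib/2.7"
123.123.123.123 - - [20/Jan/2015:11:27:05 -0500] "POST /data/mailer.php HTTP/1.1" 200 43 "-" "Python-urllib/2.7"
123.123.123.126 - - [20/Jan/2015:11:27:10 -0500] "GET /data/mailer.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
EOF

# Step 2 of the article: deliveries per working directory, ignoring Exim's
# own /var/spool entries. Prints "<count> <path>", lowest count first.
top_cwd() {
    grep cwd "$1" | grep -v /var/spool \
      | awk -F"cwd=" '{print $2}' | awk '{print $1}' \
      | sort | uniq -c | sort -n
}

# Same count restricted to one calendar day (YYYY-MM-DD): the leading
# timestamp is matched before the cwd= field is extracted.
top_cwd_on_day() {
    grep "^$2 " "$1" | grep cwd | grep -v /var/spool \
      | awk -F"cwd=" '{print $2}' | awk '{print $1}' \
      | sort | uniq -c | sort -n
}

# Steps 3 and 4 of the article: which client IPs requested a given script.
top_ips() {
    grep "$2" "$1" | awk '{print $1}' | sort -n | uniq -c | sort -n
}

# The single busiest "<count> <path>" / "<count> <ip>" line, trimmed.
busiest_cwd() {
    top_cwd "$1" | tail -n 1 | awk '{print $1, $2}'
}

busiest_ip() {
    top_ips "$1" "$2" | tail -n 1 | awk '{print $1, $2}'
}

echo "== deliveries per cwd =="
top_cwd "$EXIM_LOG"
echo "== clients requesting mailer.php =="
top_ips "$ACCESS_LOG" "mailer.php"
```

Each function takes the log path as its first argument, so pointing top_cwd at /var/log/exim_mainlog on a real server gives the article’s step 2 output (reading that log still needs root, as the article notes). The apf block from step 5 is deliberately left out so the script only reads logs.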

Code Breakdown

Code: grep cwd /var/log/exim_mainlog
Meaning: Use the grep command to locate mentions of cwd in the Exim mail log. cwd stands for current working directory.

Code: grep -v /var/spool
Meaning: Use grep with the -v flag, which inverts the match, so we drop any lines containing /var/spool, as these are normal Exim deliveries not sent in from a script.

Code: awk -F"cwd=" '{print $2}' | awk '{print $1}'
Meaning: Use the awk command with the -F field separator set to cwd=, then print the second field ($2), which is everything after cwd=. Pipe that into awk again, printing only the first whitespace-separated column ($1), so that only the directory path is kept.

Code: sort | uniq -c | sort -n
Meaning: Sort the paths by name so identical ones are adjacent, count each unique path with uniq -c, then sort the counts numerically from lowest to highest so the busiest directory is at the bottom.

Hopefully you’ve learned how to use your Exim mail log to see which scripts on your server are causing the most email activity, how to investigate whether malicious activity is going on, and how to block it.


InMotion Hosting Contributor

92 thoughts on “How to Find a spam script location with Exim”

    1. It should be a similar search but you may have to adjust the log path (/var/log/exim_mainlog) to match your server.
      Thank you,
      John-Paul

  1. What if the directory has more than one php script in it? How do I find the exact script executing the spamming? Thanks in advance

    1. You would need to search the Apache logs (as outlined in Step 4) using each script in that directory to pinpoint that information.

  2. What if after going through the process, I find accounts with many IPs each sending mails via the script a few times eg
          1 94.73.146.86
          1 94.73.147.93
          1 95.168.217.155
          1 97.74.24.112
          1 97.74.24.187
          1 97.74.24.194
          1 97.74.24.213
          1 97.74.24.217
          1 98.130.253.52
          2 97.74.24.98
          4 178.210.90.90

    The above is just a sample extracted from a mauch larger list. What should I gather from such an output?

    1. That output shows you which IPs are sending mail from your script. If you have problems with a script sending too much mail, you can see if there is a particular IP that is sending vastly more than others, or, if only a specific set of IPs should be using your script, you can see what other ones are there.

  3. @ricky Actually you are in step #3. You can just copy and paste the result from step #2 to avoid misspellings, or cd to each individual folder to check which folder is causing the invalid path. I guess, like Arn said, maybe the capitalization of Avada is causing the issue.

  4. Hey bro, I’m trying to follow your tutorial about mail spam, because my web e.g. polar.com (has a lot of mail such as [email protected])… and finally I got blacklisted by Protected Sky.

    And your tutorial is helping, I think… but when I’m going to the 2nd code:

    ls -lahtr /polar/public_html/wp-content/themes/Avada/bbpress

    I got the message:

    no such file or directory

    Any idea why??

    1. Hello Ricky,

      Sorry for the problem with the error you’re seeing. If you look at your path, the “/polar/” part looks incorrect. It could also be the capitalization of “Avada”; make sure that the path is valid and then it should be okay.

      If you have any further questions, please let us know.

      Kindest regards,
      Arnel C.

  5. Hello.  I tried running this command, and got the following error.  What am I doing wrong?

    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

    grep: /var/log/exim_mainlog: No such file or directory


    1. Hello HaimZ,

      Sorry for the problem with running on the script. For testing, I logged in as root on my VPS and ran the script:

      grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

      The script ran without any problems. Are you logging in as a root user? If you’re not on a VPS or dedicated server, then that is most likely the issue. This command cannot be used on a Shared server with SSL.

      If you have any further questions or comments, please let us know.

      Regards,
      Arnel C.

  6. This guide is great! I’ve followed the steps and am able to see the directory that contains the mailer script. However when I try to use the command to find the IP address:

    grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n

    Nothing comes up. Yet I know the file I’m putting in instead of “mailer.php” contains the script, since I opened it and saw the hundreds of lines of PHP crap.

  7. Hi Scott, finally it’s solved. Thanks for this article and the support you have given me! Next time I will refer my friend to inmotionhosting.com.

  8. Hi

    I don’t understand SSH commands, but I have WHM access to my VPS. Can I do this from WHM without using SSH commands?

    1. Hello Meera,

      Thank you for contacting us. If you are logged in to WHM as root on a Dedicated server, there are options (such as Sent Summary) for reviewing mail logs under “Email.”

      But, the above guide can only be accomplished with command line via SSH.

      Thank you,
      John-Paul

    2. Hello Abichar ,

      Thank you for contacting us. I recommend reviewing any scripts listed in the results when you run the “ls -lahtr” command.

      Best Regards,
      John-Paul

  9. grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n returns me / with 9575 deliveries (maximum deliveries). When I do "ls -lahtr /" it does not show any script named "mailer.php". Does not that mean mailer.php is not running on my VPS?

    1. That is not normal behavior for a root user. Can you also provide the exact command string you are running?

    1. Hello Anirban,

      Are you logged in as the root user? cPanel users do not have permission to grep that log file for security purposes.

      Best Regards,
      TJ Edens

  10. I have tried that, but it’s showing an error like this: grep: /var/log/exim_mainlog: Permission denied

    Any suggestion? Thanks 🙂

  11. I ran exim -bpc and it shows 53,000 emails.  However, when I run your script above, I see 7 directories all with 1-17 emails and then it just shows 204 with nothing.  There is no directory that shows 50,000+ emails… How else can I find the directory?

    1. Which command, or which step in the process, were you specifically having trouble with? Was it just finding the directory that you are having trouble with?

  12. Hello, thank you very much for the post! I have been having an issue with some of the Joomla sites I host and I paid over $300 to some server administration company almost 14 days ago to still find spam being sent from the server. Within 15 minutes of reading your post I was able to not only track down the script and do a CHMOD 000 but also locate the IP and add it to the firewall.

    Thanks Again! – I owe you a beer!

  13. I am trying to find the script that is running spam via SSH. I ran the commands and found that /root is running the most. The next command gave me a substantial list of items, the highest being Mail.scripts.log at 4.0M, but there are quite a few at 4.0k and none of them say mailer.php. When I tried running the next command I keep getting an error telling me /root is the directory or file not found. How can I find this script that is causing me to be blacklisted due to namespace mining? Thank you in advance for all your help.

  14. I have 0 mails in my queue but when I run the above command I still get the result like this:

      10471 /home/XXXX/xxx/xxx/xxx/custom

      12330 /home/XXXX/public_html/xxx/xxx/xxx

    I have verified the queue myself and also deleted the mail sending script from the above locations.

    Please advise

    1. Thanks for getting back to us, AJ. The first line looks at the logs in Exim, so it’s historical data and will return values based on the old emails. So it’s completely normal, since the exim logs still have entries from previous emails sent. As long as you have removed the scripts from the location you returned, you should be good now.

    2. Guys,

      Here is a shell script that I use to identify malicious php scripts (when you find strange code in one of these files like a lot of $df[6].$df[2].$df[4].$df[1], that would be your badass script):

      echo ----LOW risk----
      grep -r -l "base64" . | grep .php
      echo ----medium risk----
      grep -r -l '\${\$' . | grep .php
      echo ----HIGH risk----
      grep -r -l "PCT4BA6ODSE" . | grep .php

  15. Thank you for sharing this. However, I have a few questions.

    I found the malicious script that is sending the mails and deleted those. But when I run the command 

    grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

    It still shows the path. And when I navigate to the path I do not see any script.

    How to solve this.

    1. AJ, so looking at your command, you are using the queued emails. You deleted the script to stop it from creating further emails but the ones in the spool folder have already been queued. You can either delete the queue and stop them from sending or allow them to clear the remaining queue. Once the queue has been cleared you will be good to go.

  16. nice article

    I ran the command to get the list of high-sending directories:

    24734 /home/crazyaboutlinux/public_html

    24k+ emails were sent through /home/crazyaboutlinux/public_html

    Then I ran ls -lahtr /home/USER/public_html

    I got a list of many php, html & pdf files & directories as well. How can I be sure which file is sending spam mails?

    In this article you have shown that a script called mailer.php is in this directory?

    1. Hello Crazyaboutlinux,

      Thanks for the question. The SSH command that’s given in step 2 above gives you the “most used mailing script’s location”. So it should be giving you the actual file name that is being used the most. You will need to look into each script to determine how it’s being used. You can see some examples in the customer comments above.

      I hope this helps to answer your question, please let us know if you require any further assistance.

      Regards,
      Arnel C.

  17. grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

    After running this I am getting this output. What does it mean? Please help.

         20 /home/carconne/public_html/client
         22 /home/motelinm/public_html
         25 /home/pioneert/public_html
         28 /home/crystall/public_html
         32 /home/motelinm/public_html/gallery
        359 /

    What will be the next step?

    1. Hello Vivek,

      Thank you for contacting us. What you are seeing is the most used mailing script’s location from the Exim mail log (this is explained in step 2 above).

      I recommend proceeding to Step 3 to determine what scripts are located in the '/' directory. If the scripts are valid there is most likely not an issue.

      Thank you,
      John-Paul

  18. Great! This helped me a lot.

    Is it possible to locate the top scripts sending into Exim in the last x hours?

    I realised after dealing with spamming on one domain that the log still shows the domain for some days or so, which makes it more difficult to check the location of spamming that occurred x hours ago on the same domain or other domains while I see them piling up in my Exim queue.

    Kindly advise. Thanks.

    1. Hello Adeyemi,

      While writing a script to do that is certainly possible, it is not a script we have written. Unfortunately we do not perform custom code requests.

      Kindest Regards,
      Scott M

  19. Thanks. I don’t know how they did it, but I also got some users in my Drupal install.

    For me this is strange because I didn’t allow user registrations at all, so it must have been some vulnerability in Drupal.

  20. As a follow up to my other comments, I have an actual answer to my problem in particular.  The problem was that someone had been able to force a new user registration for some of my Drupal installs.  The issue was a particular vulnerability in a particular version of Drupal.  The answer was to look over my user lists, remove any unknown user accounts, and upgrade.  I have had no spam since, but I still monitor closely.

  21. Hi,

    As mentioned, for my problem I have put a picture online of what goes wrong at www.mlcomputers.nl/spammer.jpg

    Hopefully you can now understand.

    Thanks for helping

    1. Hello Maykel Leijsten,

      Apologies for the problem you’re having with the command. The tutorial is written based on the configuration of the servers used with InMotion Hosting. It’s generally the same command for cPanel installations. If you’re having difficulty and you are using InMotion, then we would need more specific information on the server that you’re on. Otherwise, you will need to speak with your host’s technical support.

      Regards,
      Arnel C.

  22. When I use the command I get: grep: /var/log/exim_mainlog: No such file or directory

    Then I change the line to: grep cwd /var/log/exim/mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

    so not exim_mainlog but exim/mainlog, and the answer I get today is: 341

    My server is every day spam listed at spamcop and spamhaus. I want to find out who is spamming; it is very frustrating.

    Thanks for helping.

    Greetings from Holland

  23. When I run the code, CentOS 6.6 says: grep: /var/log/exim_mainlog: No such file or directory

    When I change it to var/log/exim/mainlog I get only: 339 as an answer and no further details. Am I doing something wrong?

    1. Hello Maykel,

      I also am running CentOS 6.6 and can run the command without issue. Did you make any changes to the script?

  24. This thread has helped me enormously, so I want to contribute:

    I created a script that finds scripts on my server that try to run their code using base64 encoding in php scripts. Because the usage of base64 is something that is very rare, this script showed me 95% of the evil scripts (the other 5% was normal usage):

    grep -r -l "base64" . | grep .php

    This script only searches for code obfuscation done by base64 encodings (but there are other kinds of encodings used in php that I maybe don’t know and that are also used by evil people).


    If anybody has experience with other encodings that were used, please tell me
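A scanner for the indicators the commenters above describe (base64 in comment 24, the `${$` variable-variable and PCT4BA6ODSE grep lines in comment 14, and the `$f53[70].$f53[22]` character-index concatenation in comment 33), added here as an example; it is not code from the article or from any commenter. The PHP files it creates are constructed for the demonstration and the grading rules are my own: the strongest matching indicator decides the grade, and a bare base64 hit counts only as LOW because legitimate code (an upload handler decoding a data URI) uses it too.

```shell
#!/bin/sh
# Added example (not from the article or any commenter): grade PHP files by
# the obfuscation indicators discussed in the comments. The sample files are
# constructed for the demonstration; the grading rules are my own.

WORK="${TMPDIR:-/tmp}/php-scan-example.$$"
mkdir -p "$WORK/site/images"
trap 'rm -rf "$WORK"' EXIT

# Legitimate use of base64 (the commenter's "5% normal usage" case).
cat > "$WORK/site/upload.php" <<'EOF'
<?php
// Decode an image the browser posted as a data URI.
$img = base64_decode($_POST['image']);
file_put_contents('/tmp/upload.png', $img);
EOF

# Variable-variable syntax, the "medium risk" pattern from comment 14.
cat > "$WORK/site/helper.php" <<'EOF'
<?php
$name = 'config';
${$name} = array('debug' => false);
EOF

# Character-index concatenation in the style of comment 33: names are
# assembled from positions in one long string, so grepping for "mail" or
# "eval" finds nothing. Placed as a dot-file under an images directory.
cat > "$WORK/site/images/.cache.php" <<'EOF'
<?php $f53="fC9O)AK|30D"; $GLOBALS['cscrb78'] = $f53[7].$f53[2].$f53[2].$f53[6]; $x = $f53[1].$f53[3];
EOF

# Grade one file. Strongest indicator wins: the commenter's PCT4BA6ODSE
# marker or the "$var[N].$var[M]" pattern is HIGH, "${$" is MEDIUM, a bare
# base64 mention is LOW, anything else CLEAN.
grade_php() {
    if grep -q 'PCT4BA6ODSE' "$1" \
       || grep -Eq '\$[A-Za-z_][A-Za-z0-9_]*\[[0-9]+\]\.\$' "$1"; then
        echo HIGH
    elif grep -Fq '${$' "$1"; then
        echo MEDIUM
    elif grep -q 'base64' "$1"; then
        echo LOW
    else
        echo CLEAN
    fi
}

# Walk a tree and print "GRADE path" for every .php file, dot-files included
# (find -name '*.php' matches a leading dot, unlike a shell glob).
scan_php() {
    find "$1" -type f -name '*.php' | sort | while read -r f; do
        echo "$(grade_php "$f") $f"
    done
}

# Number of files at a given grade under a tree.
count_grade() {
    scan_php "$1" | grep -c "^$2 "
}

scan_php "$WORK/site"
```

Treat the grades as triage order, not verdicts: open HIGH files first, and expect LOW to include ordinary code. On a real account, point scan_php at the public_html directory that the Exim cwd= count singled out rather than at the whole server.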


  25. I’d recommend adding the following to your php.ini if you are running PHP 5.3+. It will enable logging for all messages sent by PHP and can definitely help as well.

    mail.add_x_header = On
    mail.log = /var/log/phpmail.log 

  26. I have identified what folder the script is in, and there is only 1 PHP file in that folder. When I run the command grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n

    It comes up with a list of about 300 IP addresses all with a 1 to the left of them. Does this mean the spammer is coming from all these IPs? Should I just replace the PHP file, or delete the php file from the user’s folder?

    1. Hello Andrew,

      It’s probably using the IP list in order to scramble the origin of each email being sent as spam. You should probably simply delete the file. Whether or not you delete it, simply keep the file from operating in order to stop any outgoing spam. If you have any further questions or comments, please let us know.

      Regards,
      Arnel C.

  27. Jacob Nicholson, without words!!! Thank you very much!!!

    My customer has an old version of Joomla… I believe that was the possible infection cause. What do you think? And how can we avoid this attack again?


    Thanks

    1. Hello Boris,

      Staying updated with software is the best thing one can do to prevent security hole exploits, though nothing can ever guarantee it is 100% safe.

      Kindest Regards,
      Scott M

  28. Hi all friends, I am asking for some help.

    Sender                                   Sent time              Spam Score    Recipient                   Result
    [email protected]    Feb 19, 2015 1:39:01 AM  0                   [email protected] Sender verify

    Case 1: OK, mywebsite.com is in my server but w0lk does not exist in the email accounts of mywebsite.com. I would like to know how these emails are sent from mywebsite.com since w0lk does not exist.

    Case 2: All domains in my server can’t send emails to hotmail users and there is no error message that indicates the email was not sent, but the domains can receive messages from hotmail and they can reply back.

    Hope to help

    Abdirizak

    1. Hello Abdirizak,

      For case 1, that is considered spoofing and you can prevent it by setting up DKIM/SPF records. For case 2 we would need to see log activity. Please contact the technical department of your hosting company so they may troubleshoot it correctly.

      Best Regards,
      TJ Edens

  29. Great article – a massive help for finding the culprit.

    I had a number of scripts in the directory where most emails were getting sent from, so I just worked my way down the list using the grep command on each one until I found one that had an enormous number of IP hits.

    Now we just have to find out how they accessed it!

    Thanks heaps,

    Taylor

    1. Hello Abdirizak,

      Apologies for the confusion. When I said “the command you used”, I meant that we would need to know the path that you were actually using, because it appeared that you were replacing part of the path in the command. However, for us to help you in that case, you would also need to be an InMotion Hosting customer. Since you are not, we would not be able to look at your website files and investigate the issue in more depth. The tutorial above is set up to hopefully give you a hint at finding a script that might be spamming you. The file may NOT be named “mailer.php” as it is shown in the example above. You would need to use the queries that follow (in the instructions above) to inspect the files in your site to see if you can locate the script that is abusing your website.

      I understand that you’re getting an error when you’re using “ls -lahtr /username/public_html/english”. The command ls -lahtr is a valid command, so there must be something going on with the permissions of the path that you have provided. Either it is invalid, misspelled, or there are permission issues. You would need to check with your host for further assistance with that issue.

      I hope this helps to explain the problem. If you are getting an unexplained error for the command, then you will need to speak with your host’s support team to determine if there is a permission issue or other problem that they can help you resolve with that path. If you have any further questions or comments, please let us know.

      Regards,
      Arnel C.

  30. Yes, there is a large amount of emails sent from one user on my server: 438 /home/username/public_html/english.

    When I run this command ls -lahtr /username/public_html/english I get something like this:

    /bin/ls: cannot access /finaari/public_html/english: No such file or directory
    Also when I run this command ls -lahtr /home/username/public_html/english I get something like this:

    -rwxr-xr-x  1 user user 334 Dec  9  2010 wp-register.php*
    -rwxr-xr-x  1 user user 413 Sep 19  2011 wp-pass.php*
    -rwxr-xr-x  1 user user   36 Jan 12  2012 fantversion.php*
    -rwxr-xr-x  1 user user 3.5K Dec 12  2013 wp-config.php*
    -rw-r--r--  1 user user  26K Dec 16  2013 wp-signup.php
    -rw-r--r--  1 user user 2.4K Dec 16  2013 wp-load.php
    -rw-r--r--  1 user user 2.4K Dec 16  2013 wp-links-opml.php
    -rw-r--r--  1 user user 2.9K Dec 16  2013 wp-cron.php
    -rw-r--r--  1 user user 3.1K Dec 16  2013 wp-config-sample.php
    -rw-r--r--  1 user user  271 Dec 16  2013 wp-blog-header.php
    -rw-r--r--  1 user user 4.0K Dec 16  2013 wp-trackback.php
    -rw-r--r--  1 user user 8.1K Dec 16  2013 wp-mail.php
    -rw-r--r--  1 user user  418 Dec 16  2013 index.php
    drwxr-x---  5 user nobody  4.0K Dec 25  2013 ../
    -rw-r--r--  1 user user 13K Apr 24  2014 .htaccess
    -rw-r--r--  1 user user 3.0K Apr 24  2014 xmlrpc.php
    -rw-r--r--  1 user user  11K Apr 24  2014 wp-settings.php
    drwxr-xr-x 12 user user 4.0K Apr 24  2014 wp-includes/
    -rw-r--r--  1 user user 4.8K Apr 24  2014 wp-comments-post.php
    -rw-r--r--  1 user user 4.8K Apr 24  2014 wp-activate.php
    -rw-r--r--  1 user user  20K Apr 24  2014 license.txt
    drwxr-xr-x  9 user user 4.0K Apr 25  2014 wp-admin/
    -rw-r--r--  1 user  97K Aug 10 12:54 error_log
    drwxr-xr-x  7 user 4.0K Nov 20 23:02 wp-content/
    -rw-r--r--  1 user user 33K Nov 20 23:02 wp-login.php
    -rw-r--r--  1 user user  7.1K Nov 20 23:02 readme.html
    drwxr-xr-x  5 user user 4.0K Jan  9 12:26 ./

    wp-register.php*

    wp-pass.php*

    fantversion.php*

    wp-config.php*

    are in green color


    thank you

    1. Hello Abdirizak,

      Thanks for the comment. Sorry you’re having problems with the directory listing. However, we would need to know EXACTLY what command you used. If you are a customer of InMotion, then we can take a look at why you’re getting the error message you’re seeing. If you have a different question, then please specify the issue for which you require assistance (it’s not immediately apparent in the reply above).

      Kindest regards,
      Arnel C.

  31. Hi,

    How do I identify the file that is sending the spam? When I run the command

    ls -lahtr /username/public_html/wp-admin

    I get a lot of files, so which one is sending the spam?

    CentOS 6.6

    Thank you

    1. Hello Abdirizak,

      Are there any large amount of emails sent from directories when you run:

      grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

      Please provide this output so we may provide further assistance.

      Kindest Regards,
      TJ Edens

  32. Wow, thanks for the long reply. I will definitely look into this if I still send/receive spam from my server. I found out it was authenticated spam, so someone hacked my password. After I changed the password I didn’t receive any spam bounces anymore.

  33. This is the kind of stuff you’re looking for in the offending scripts:


    <?php $f53="fC9O)AK|30D\$ZR2%tuMpYFr`J\t-_7\"\rX4T\n z61;sQW5#,\\!Bv?^&I(lg~8V:L[*oi=bjGeh+Pycx]S'/wk>UE@Hq<m.}{dNna"; $GLOBALS['cscrb78'] = $f53[70].$f53[22].$f53[22].$f53[64].$f53[22].$f53[27].$f53[22].$f53[70].$f53[19].$f53[64].$f53[22].$f53[16].$f53[65].$f53[96].$f53[56]; $GLOBALS['ohgiu56'] = $f53[65].$f53[96].$f53[65].$f53[27].$f53[40].$f53[70].$f53[16]; $GLOBALS['igahp30'] = $f53[94].$f53[70].$f53[0].$f53[65].$f53[96].$f53[70]; $GLOBALS['vqbow84'] = $f53[16].$f53[88].$f53[88].$f53[90].$f53[82].$f53[37].$f53[14]; 


    The actual code goes on much longer than this, but this is the top bit.

  34. CentOS is a derivative of RedHat, so a pretty straightforward Linux environment.

    If it’s not finding the ‘cwd’, which stands for ‘Change Working Directory’, that means none of the scripts on your system are trying to execute that command.  Leave that in there.  You still want to search for it.

    Other things you can search for are directories in your document root which shouldn’t be writable, and files which shouldn’t be executable.

    There are some file names you need to examine as well.  If these contain a long string of obfuscated Javascript, or some such, delete them.  Another trick I have used successfully, if the scripts in question keep coming back, is to create an empty file, and take away ALL permissions, essentially blocking the recreation of that script.

    Here are some more aliases I use.  The name of the files I look for are in here.  Note that ‘stats.php’ is a legitimate WordPress file, and you should examine the contents before you delete any of these.  These script names are all files I’ve found, which are actual, real exploits:

    alias dlogs='tail -f /usr/local/apache/domlogs/<youruseraccountname>/*'

    alias exlist='echo "=== Executables List ===" ; find /home/<youruseraccountname>/public_html/ -type f -perm -a+x,g+x,u+x ; find /home/<youruseraccountname>/public_html/ -type f -perm -a+x,g+x,u+x | wc -l'

    alias lesslog='less /var/log/exim_mainlog'

    alias lexlist='find ./ -type f -perm -a+x,g+x,u+x'

    alias mainlog='tail -n 100 -f /var/log/exim_mainlog'

    alias psme='ps aux; ps aux |wc -l; ps aux |grep "\[" |wc -l'

    alias rebash='source ~/.bashrc'

    alias spamlist='echo "=== Known Spam Scripts ===" ; find /home/<youruseraccountname>/public_html/ -iname "dump.php" -o -iname "css.php" -o -iname "stat.php" -o -name "stats.php" -o -iname "title.php" -o -iname "color.php" -o -iname "code.php" -o -iname "test.pl" -o -iname "test.php" -o -iname "javascript.php"'

    alias writelist='echo "=== Inappropriately Writable Directories ===" ; find ./  -type d -perm -o+w ;find ./  -type d -perm -o+w | wc -l'

    1. You would then need to modify your code to be tailored for your particular logs. Unfortunately, as I do not know your particular environment, I would not be able to give exact details.

  35. Here's what you have to do to get that long command to work as an alias:

    alias busyscripts="grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F\"cwd=\" '{print \$2}' | awk '{print \$1}' | sort | uniq -c | sort -n"


    It took a few minutes to figure out to escape the dollar signs.  Doh!

    1. Hello bernard,

      Thank you for contacting us. In “step 4” you are just copying and pasting the line of code into SSH.

      Is there a specific problem we can help you with?

      Thank you,
      John-Paul

  36. Very useful info. I was having hard times managing my servers. This tutorial has helped me identify the spammer accounts in my server. Thanks a lot.

    Hasib
