How to Find Spam Script Locations with Exim on cPanel

Spam is a long-standing problem for web hosting providers and end users. If you run your own VPS or dedicated server, especially with cPanel, you may be facing spam sent from inside your very own box: attackers get into the server, upload malware and start sending spam from it, your IP gets blacklisted, and a big problem starts. That’s why today we will show you how to find spam script locations with Exim on cPanel, so you can track down spam on cPanel easily.

Find Spam Script Locations on cPanel

Before you start the task of finding spam script locations on your server, let’s answer some simple questions, such as: how do the bad guys send outgoing spam from my server?

How can I send spam from my own server?

99% of the time it happens because crackers found a vulnerable script and uploaded an exploit or malware code; once they have access to your cPanel account or FTP, they upload malicious files, including mass-mailing utilities, that are used to send spam.

This damages not only your IP reputation but also your domain name: Google can block it, and you can get listed in many DNSBLs or RBLs, which will stop your email from working normally.

How can I stop outgoing spam from my cPanel server?

For this, we will retrace the steps of the attackers who got into your cPanel account and started sending spam, using some Unix system tools to inspect the logs and locate the spam’s origin on cPanel.

How can I locate spam scripts sending mail?

Log in to your cPanel server as root via SSH.

Run the following command to get the directories that most often hand mail to Exim, from the Exim main log:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

What does this command line mean?

This quick one-liner searches exim_mainlog for ‘cwd=’ entries (the working directory of the process that handed a message to Exim), excludes Exim’s own spool directory with grep -v, uses awk to extract the directory path, and finally counts and orders the output with sort and uniq.

You should get an output like this:

# grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
      1 /home/mygreatweb/public_html/folder1
      2 /home/usertecnom
      2 /home/asd5546/public_html
      2 /home/wordreal
      4 /home/rainyday/public_html
      6 /home/ecobusiness/public_html
      6 /usr/local/cpanel/3rdparty/mailman/bin
      7 /home/apolo/public_html/racing/cars
     14 /home/user43/public_html/wp-content/themes/twentythirteen
     58 /home/john2/public_html
     70 /home/user4
    320 /home/smartweb/public_html/wp-includes/js/imgareaselect
    346 /etc/csf
    794 /usr/local/cpanel/whostmgr/docroot
   1209 /
 187175 /root

As you see, there are many outgoing emails: you’ll find root emails, CSF firewall emails, WHMCS emails, and a lot of other normal cPanel-related activity. However, you should focus on the /home/XXX accounts (where XXX is the Linux system user), since those are the ones that are probably sending spam; check the ones with the largest numbers first. Be careful when inspecting this list, as not all of them will be sending spam: legitimate email senders will show up here too.

Once you have located the top senders, check what is inside each directory, for example:

ls -lahtr /home/smartweb/public_html/wp-includes/js/imgareaselect

In this case we got this output from the ls command:

drwxr-xr-x 17 smartweb smartweb 4.0K Aug 21 10:55 ../
-rw-r--r-- 1 smartweb smartweb 5.6K Aug 21 11:38 massmailer.php
-rw-r--r-- 1 smartweb smartweb 5.6K Aug 21 11:38 c99x.php
drwxr-xr-x 2 smartweb smartweb 4.0K Aug 21 11:38 ./

There are two scripts in this directory that should be inspected:

massmailer.php – probably a spam script.
c99x.php – probably a php-based shell.

Both are malicious files. However, sometimes finding these scripts is harder because the bad scripts are mixed in with the legitimate PHP scripts of your CMS or application installation. Check carefully, or ask your web developer to look into the code for you.

Find the attacker IPs

Now that we’ve found the spam script, let’s search the account’s Apache access log for the IP addresses that requested it:

grep "massmailer.php" /home/smartweb/access-logs/smartwebsite5.com | awk '{print $1}' | sort -n | uniq -c | sort -n

Your output should be something like:

1 11.111.222.444
2 123.123.245.235
4 245.112.247.63
5260 200.40.65.54

The IP address 200.40.65.54 requested the script a very large number of times, which is a sign that this client used it to send spam.

You can block these offending IPs with CSF Firewall using the following command:

# csf -d 200.40.65.54
Adding 200.40.65.54 to csf.deny and iptables DROP...
DROP  all opt -- in !lo out *  200.40.65.54  -> 0.0.0.0/0  
LOGDROPOUT  all opt -- in * out !lo  0.0.0.0/0  -> 200.40.65.54  

As you see, the investigation to find spam script locations on cPanel isn’t that hard: look in the exim_mainlog file, track down the script’s usage in the Apache logs (access-logs), and finally deny access to the offending IPs.
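The whole workflow above, wrapped as shell functions and run against constructed sample logs, as an added example that is not part of the original post. It assumes the cPanel exim_mainlog and Apache access-log formats shown in the article; the log lines, file names and RFC 5737 test IPs are constructed, and the /home filter is an addition the post does not include.

```shell
#!/bin/sh
# Added example, not code from the original post: the article's two
# one-liners wrapped as functions and run against constructed sample
# logs, with an extra filter that keeps only /home/<user> directories.

# Count the working directories (cwd=) Exim recorded, ascending.
count_cwd() {  # $1 = path to exim_mainlog
    grep cwd "$1" | grep -v /var/spool \
        | awk -F'cwd=' '{print $2}' | awk '{print $1}' \
        | sort | uniq -c | sort -n
}

# Same list restricted to account directories under /home, which the
# article says are the ones to inspect first.
count_home_cwd() {  # $1 = path to exim_mainlog
    count_cwd "$1" | awk '$2 ~ /^\/home\//'
}

# Count client IPs that requested a script in an Apache access log.
count_script_hits() {  # $1 = script file name, $2 = access log
    grep "$1" "$2" | awk '{print $1}' | sort -n | uniq -c | sort -n
}

# Constructed sample logs (format modelled on cPanel's exim_mainlog and
# a combined-format Apache access log; IPs are RFC 5737 test addresses).
SAMPLE_EXIM=$(mktemp); SAMPLE_ACCESS=$(mktemp)
trap 'rm -f "$SAMPLE_EXIM" "$SAMPLE_ACCESS"' EXIT
cat > "$SAMPLE_EXIM" <<'EOF'
2024-08-21 11:40:01 cwd=/home/smartweb/public_html/wp-includes/js/imgareaselect 3 args: /usr/sbin/sendmail -t -i
2024-08-21 11:40:02 cwd=/home/smartweb/public_html/wp-includes/js/imgareaselect 3 args: /usr/sbin/sendmail -t -i
2024-08-21 11:40:03 cwd=/home/john2/public_html 3 args: /usr/sbin/sendmail -t -i
2024-08-21 11:40:04 cwd=/root 3 args: /usr/sbin/exim -bd -q1h
2024-08-21 11:40:05 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1abcd-efgh-ij
EOF
cat > "$SAMPLE_ACCESS" <<'EOF'
198.51.100.7 - - [21/Aug/2024:11:40:01 +0000] "POST /wp-includes/js/imgareaselect/massmailer.php HTTP/1.1" 200 512
198.51.100.7 - - [21/Aug/2024:11:40:02 +0000] "POST /wp-includes/js/imgareaselect/massmailer.php HTTP/1.1" 200 512
203.0.113.9 - - [21/Aug/2024:11:41:00 +0000] "GET /index.php HTTP/1.1" 200 1024
203.0.113.9 - - [21/Aug/2024:11:41:05 +0000] "GET /wp-includes/js/imgareaselect/massmailer.php HTTP/1.1" 200 512
EOF

# Busiest /home sender directory, then the IPs hitting the script found there.
top_dir=$(count_home_cwd "$SAMPLE_EXIM" | tail -n 1 | awk '{print $2}')
echo "busiest account directory: $top_dir"
count_script_hits massmailer.php "$SAMPLE_ACCESS"
```

On a real server, point the functions at /var/log/exim_mainlog and /home/USER/access-logs/DOMAIN instead of the temporary sample files.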

After that, you’ll have to investigate how they got into your cPanel account, what the vulnerability in your app is, and fix it to prevent future problems (most of the time this is caused by outdated CMS installations and vulnerable plugins, for example in WordPress).

About the Author: Santiago Borges

Experienced Sr. Linux SysAdmin and Web Technologist, passionate about building tools, automating processes, fixing server issues, troubleshooting, securing and optimizing high traffic websites.
