Tracking Down Spam Scripts in cPanel

Tracking Down Spam Scripts in cPanel
If you’re receiving complaints that your cPanel server is sending out spam, there is a fair chance that there is a malicious script somewhere on the server. It can be a little tricky to locate such a script, but here is a trick that may help:

Log into your WHM interface by using the root user and root password.
Click on ‘Exim Configuration Editer’ under ‘Service Configuration’.
Click the box at the top labeled ‘Switch to Advanced Mode (Edit Raw Configuration File)’.
Copy the following and paste into the top box:

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

Next, scroll down to the bottom and click the ‘Save’ button.

At this point, you can log out of WHM, and log into your server via SSH.

Now we want to watch the mail program’s log files, to see where the messages are comming from on your server. Type the following at the command line:

tail -f /var/log/exim_mainlog | grep cwd

This will show exactly what is being logged by the mail server, but will only display the relevant lines.

The output will be something like the following. ‘cwd’, in this case stands for ‘current working directory’, or the place on the server where the messages originate.

cwd=/var/spool/exim –> This one is nothing to worry about; this is normal operation.
cwd=/tmp –> This is the temporary directory. If you see entries with this, you should probably investigate further.
cwd=/home/accountname/public_html/forums/tmp –> This one is definately something that should be investigated.

ls -la /home/accountname/public_html/forums/tmp –> This will list the directory’s contents.

By listing the contents of the directory that looks suspicious (in this case, /home/accountname/public_html/forums/tmp), you can discover the name of the script. To check and see if it is currently running, type the following:

ps aux | grep

This will give an output that includes a number known as the process ID. You can stop the script by typing killĀ . Next, remove the script from the server:

rm /home/accountname/public_html/forums/tmp/

 

Both comments and pings are currently closed.

Comments are closed.