How to find spam mailing scripts on cPanel Servers
Spam sent from virtual and dedicated servers is a problem for most providers. Programs like WordPress can open holes in your server security. This is done either through outdated plugins installed on the account or outdated software installs. Malicious software will place spam mailing scripts in the cPanel account.
So it’s important to always keep software updated to the latest versions. When you fail to update your software. A malicious user can see what version of the software you are using, so, in turn, that information can be used to target a specific area of your site. So, if you have a cPanel VPS Servers, or Linux NVMe Server you can use this guide to find spam mailing scripts which have been uploaded.
Find Spam Mailing Scripts cPanel
First, log in to your server by ssh and issue the following command;
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
This will search the Exim log and pull back a list of sites and the number of emails they have sent, the information will look like this
20 /home/First2Host/public_html/servers
287 /home/First2Host1/public_html
10623 /home/First2Host2/public_html/dedicated
So, the numbers next to each path are the number of emails that have been sent. And from the output, we can easily see that the user First2Host2 has sent 10623 of which all of these will be spam emails. Likely from a WordPress Website.
Finally, if you want to see what files are in the folder you can dig further. Using the account username issue the following command
ls -lahtr /First2Host2/public_html/dedicated
drwxr-xr-x 17 First2Host2 First2Host2 4.0K Apr 23 1:25 ../
-rw-r--r-- 1 First2Host2 First2Host2 5.6K Apr 23 1:27 mailer_script.php
drwxr-xr-x 2 First2Host2 First2Host2 4.0K Apr 23 1:27 ./
So, from the returned list here, you can see there is a spam mailing script in the cPanel account. All the software should also be updated to the latest versions and the plugin that caused this removed.
Additional Resources