Find spamming script on cPanel

Here we will see how to trace a spamming script on a cPanel server.

cPanel uses Exim as its mail server. The Exim log file is /var/log/exim_mainlog. Many cPanel users send out bulk email using PHP scripts. It is hard to find the exact script that is sending the email, but using exim_mainlog it is possible to trace the folder from which the script is executed.

Running the following command lists the complete folder paths from which scripts were executed, along with the number of times a script was executed from each folder. Once you find the folder, go through the files present in it (no need to check files in subfolders). If you find any unknown file with email-sending code, remove or disable it.

Command to find the folder paths from which scripts are executed to send out email:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
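
The same workflow end to end, as an added example that is not part of the original page: count submissions per folder, pick the busiest one, then list the PHP files directly in it that call mail(). The function names, log lines and files are constructed for illustration, and the mail( pattern is an assumed heuristic for "email-sending code".

```shell
#!/bin/sh
# Added example; all log lines and files below are constructed sample data.

# Per-directory count of mail submissions, skipping Exim's own spool
# processes (same logic as the one-liner on this page).
cwd_counts() {
    grep 'cwd=' "$1" | grep -v '/var/spool' \
        | awk -F'cwd=' '{print $2}' | awk '{print $1}' \
        | sort | uniq -c | sort -n
}

# Busiest directory: last line of the ascending-sorted counts.
top_cwd() {
    cwd_counts "$1" | tail -n 1 | awk '{print $2}'
}

# PHP files directly inside the folder (subfolders skipped, as the page
# advises) that contain a mail( call. These are candidates for manual review.
mail_scripts() {
    find "$1" -maxdepth 1 -type f -name '*.php' \
        -exec grep -lE 'mail[[:space:]]*\(' {} + | sort
}

# Build a constructed docroot and exim_mainlog under a temp dir; prints its path.
make_sample() {
    d=$(mktemp -d)
    up="$d/home/alice/public_html/uploads"
    mkdir -p "$up/old" "$d/home/bob/public_html"
    printf '<?php mail($to, $subj, $body); ?>\n' > "$up/x7.php"
    printf '<?php echo "gallery"; ?>\n' > "$up/index.php"
    printf '<?php mail($a, $b, $c); ?>\n' > "$up/old/nested.php"
    {
        for i in 1 2 3; do
            echo "2024-01-15 10:22:3$i cwd=$up 3 args: /usr/sbin/sendmail -t -i"
        done
        echo "2024-01-15 10:23:01 cwd=$d/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i"
        echo "2024-01-15 10:23:05 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q"
        echo "2024-01-15 10:23:09 1rPabc-0001-AB <= alice@example.com U=alice P=local S=612"
    } > "$d/exim_mainlog"
    echo "$d"
}

sample=$(make_sample)
log="$sample/exim_mainlog"
cwd_counts "$log"                      # counts per folder, highest last
mail_scripts "$(top_cwd "$log")"       # files to review in the busiest folder
rm -rf "$sample"
```

On a real server, pass /var/log/exim_mainlog to cwd_counts; folder paths containing spaces are cut at the first space, as with the original command.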