Locating Hidden SPAM Scripts

Locating SPAM Scripts on cPanel + EXIM mail server

We host hundreds of web sites, both for our clients, as well as for other web masters and DIY site owners. 

Every once and awhile someone manages to get their site compromised.

This is usually because other webmasters or site owners are not maintaining their site’s CMS software, or someone had their site details stolen in a phishing scam or virus infection.

More often than not this results on “spam scripts” being installed on their account. These “spam mailer” programs send emails from the account out to the Internet, ruining the reputation of the web site owner in the process.

While 99% of these programs are detected and blocked automatically, sometimes a script get’s well hidden or set to run in a way that current automated security measures are not triggered.

When this happens, direct analysis of mail logs will often show the offending account and software details.

Handy Linux command to locate folders with scripts sending email:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F "cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Cyanweb Solutions provide web site security, webmastering and CMS software maintenance services to insure client sites stay backed up, secured and operational.