Luckily, Exim, the MTA (Mail Transfer Agent) on your server that handles email deliveries, logs all activity sent into it from scripts. It does this by logging the current working directory (cwd) from which the script was executed. Using this, you can easily track down a script of your own that is being exploited to send out spam, or locate possibly malicious scripts that a spammer has placed on your server.
In order to follow along with the steps below you'll need to have root access to either your VPS or dedicated server so that you have access to the Exim mail log.
Locate top scripts sending into Exim
Alternate command (the <( ) process substitution requires bash):
perl <(curl -s https://raw.githubusercontent.com/cPanelTechs/SSE/master/sse.pl) -s
Using the steps below, I'll show you how to locate the top scripts on your server that send out email. You can then search the Exim mail log for those scripts to determine whether the traffic looks like spam, and even check your Apache access logs to find out how a spammer might be using your scripts to send it.
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
Code breakdown:
grep cwd /var/log/exim_mainlog - find every Exim log entry that records a working directory (cwd), i.e. mail handed to Exim from the command line, which is how scripts call sendmail
grep -v /var/spool - drop Exim's own queue runs under /var/spool, which are not script deliveries
awk -F"cwd=" '{print $2}' - keep only the text after cwd=
awk '{print $1}' - keep only the first field of that text, which is the directory path
sort | uniq -c - count how many entries each directory has
sort -n - order the counts from lowest to highest, so the busiest directory is listed last
You should get back something like this:
15 /home/userna5/public_html/about-us
25 /home/userna5/public_html
7866 /home/userna5/public_html/data
Here we can see that the /home/userna5/public_html/data directory has by far the most deliveries coming in. Next, list that directory with the most recently modified files last to find the script responsible:
ls -lahtr /home/userna5/public_html/data
In this case we got back:
drwxr-xr-x 17 userna5 userna5 4.0K Jan 20 10:25 ../
-rw-r--r-- 1 userna5 userna5 5.6K Jan 20 11:27 mailer.php
drwxr-xr-x 2 userna5 userna5 4.0K Jan 20 11:27 ./
So we can see there is a script called mailer.php in this directory. Next, search the Apache access log for the domain to see which IP addresses have been requesting it:
grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n
You should get back something similar to this:
2 123.123.123.126
2 123.123.123.125
2 123.123.123.124
7860 123.123.123.123
So we can clearly see that the IP address 123.123.123.123 was responsible for using our mailer script maliciously. You can now block that IP address in APF (Advanced Policy Firewall), with a note recording why:
apf -d 123.123.123.123 "Spamming from script in /home/userna5/public_html/data"
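The two lookups above, packaged as shell functions and run against constructed sample logs so the pipelines can be checked offline before running them on a live server. This is an added example, not part of the original article; the log lines, paths and IP addresses are constructed, and the Exim lines assume the "cwd=... N args:" format that cPanel's Exim writes to exim_mainlog.

```shell
#!/bin/sh
# Added example: test fixtures plus the article's two pipelines as functions.

# Write constructed sample logs (not real server data) into a temp directory
# and print that directory's path.
make_sample_logs() {
    sample_dir=$(mktemp -d)
    cat > "$sample_dir/exim_mainlog" <<'EOF'
2024-01-20 11:27:01 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:02 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:03 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:28:00 cwd=/home/userna5/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:29:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rRZ2x-000ABC-1A
EOF
    cat > "$sample_dir/access_log" <<'EOF'
123.123.123.123 - - [20/Jan/2024:11:27:01 +0000] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/8.0"
123.123.123.123 - - [20/Jan/2024:11:27:02 +0000] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/8.0"
123.123.123.123 - - [20/Jan/2024:11:27:03 +0000] "POST /data/mailer.php HTTP/1.1" 200 12 "-" "curl/8.0"
123.123.123.124 - - [20/Jan/2024:11:27:04 +0000] "GET /data/mailer.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
123.123.123.125 - - [20/Jan/2024:11:27:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF
    echo "$sample_dir"
}

# Print the working directory with the most script-originated deliveries.
# $1 = path to an Exim main log. Exim's own queue runs (cwd=/var/spool/...)
# are excluded, exactly as in the article's pipeline; tail picks the top entry.
top_sending_cwd() {
    grep cwd "$1" | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' \
        | sort | uniq -c | sort -n | tail -n 1 | awk '{print $2}'
}

# Print the client IP that requested a script most often.
# $1 = path to an Apache access log, $2 = script name to look for.
top_requesting_ip() {
    grep "$2" "$1" | awk '{print $1}' | sort -n | uniq -c | sort -n \
        | tail -n 1 | awk '{print $2}'
}

# Usage on a real cPanel server (paths as in the article):
#   top_sending_cwd /var/log/exim_mainlog
#   top_requesting_ip /home/userna5/access-logs/example.com mailer.php
```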
You should now know how to use your server's Exim mail log to see which scripts on your server are causing the most email activity, and how to investigate whether any of them are being used maliciously to send spam from your server.
