Finding Spam Scripts On cPanel
If a server is sending lots of spam, and no one knows why, there is a chance that the cause is a malicious script somewhere on the server. It can be a little tricky to locate such a script, but here’s a trick that should help.
Log into WHM with root and the root password of the server.
Click on “Exim Configuration Editor” under “Service Configuration”.
Click on the box at the top that says “Switch to Advanced Mode (Edit Raw Configuration File)”.
Paste this into the top box:
log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn
That line is pretty long, be sure to copy all of it and realize it may span beyond your browser’s window. Most web browsers should allow you to “triple click” in the above field and copy all of the text to your clip board but if not simply place your mouse on the far left of “log_selector” and drag the mouse to your right until you have “+tls_peerdn” highlighted.
Once you’ve copied that into the Exim editor box, scroll all the way down and click the little “Save” button.
Now you’re done in WHM. You can close out of the window, or leave it open if you plan on coming back to remove your addition to the Exim.conf. This change will slow Exim a little, so if you have a busy mailserver it’s best to remove this modification when you’re done.
Login to the server via ssh.
Watch the outgoing message log to see what directory messages are being sent from. This command works wonders:
tail -f /var/log/exim_mainlog | grep cwd
Note: cwd stands for current working directory.
This is quite normal: cwd=/var/spool/exim
This warrants investigation, but might be legit: cwd=/tmp
This is generally bad: cwd=/home/h4x0r/public_html/forums/tmp