Spamming is one of the main ways malware and viruses spread to other systems and websites via email. Spammers collect email addresses from chat rooms, websites, customer lists, newsgroups, and so on. They most often use spam to distribute viruses, to sell illegal or banned products, or to market some product. Spammers can use your hosting and email server to send such emails to their targeted audience or to anyone else. In this article we will guide you through diagnosing and investigating a PHP spam sender on a Linux / cPanel server.
To investigate spamming, first check how many emails are in the queue. If you find that a lot of emails are queued (over one hundred), it may be because of spamming. Here are the steps to check the queued emails in your WHM account.
Step:- 1 First of all, log in to your WHM account.
Step:- 2 Click on the Email icon in the menu.
To see the emails in the queue, click on the Mail Queue Manager icon.
Step:- 3 You can view a maximum of 100 emails at a time. A high number of queued emails indicates automated sending (spamming). You can delete all queued emails from here.
Note: If you click Delete All, legitimate queued emails belonging to you and your clients will also be deleted.
Now we will show you how to find the exact location of the spammer's script on your WHM server via SSH, using the following log file:
/var/log/exim_mainlog
Follow the steps below to find the exact location of the spam script on your server.
Step:- 1 First of all, log in to your server via SSH.
Step:- 2 To find the working directories of all scripts that have sent mail on your server, run the following command over SSH (it counts the cwd= field of each exim_mainlog entry, ignoring exim's own spool directory):
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
In response, the command returns output like the following (count, then directory):
15 /home/userna5/public_html/about-us
25 /home/userna5/public_html
7866 /home/userna5/public_html/data
Step:- 3 Above we found that /home/userna5/public_html/data is by far the busiest sender directory, so this is the location to investigate. To do so, enter the following command:
ls -lahtr /home/userna5/public_html/data
In this case we got the following from SSH:
drwxr-xr-x 17 userna5 userna5 6.0K Dec 15 09:25 ../
-rw-r--r-- 1 userna5 userna5 7.9K Dec 15 09:26 mailer.php
drwxr-xr-x 2 userna5 userna5 6.0K Dec 15 09:27 ./
Here we found the exact name of the script running on our server, which is mailer.php in this case.
Step:- 4 You can also find the exact IPs accessing this script on your server through the Apache access log. Run the following command:
grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n
After this command we get the list of IPs (count, then IP):
2 192.168.1.1
2 192.168.1.2
2 192.168.1.3
7860 192.168.10.10
Here the IP with 7860 hits is the IP of the spammer using mailer.php, the spam script. You can block this IP to stop further spamming through your server, or any further access, by running the following command:
apf -d 192.168.10.10 "Spamming from script in /home/userna5/public_html/data"
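The two grep pipelines from Step 2 and Step 4 above, wrapped as reusable shell functions so the triage can be repeated on any account. This is an added example, not code from the original article; it assumes the standard cwd= field of a cPanel exim_mainlog and a combined-format Apache access log, and the sample log lines it builds are constructed so it runs offline.

```shell
# Added triage helpers (not from the original article). They assume the
# "cwd=" field of a cPanel exim_mainlog and a combined-format Apache
# access log, the same formats the article greps by hand.

# Working directories of processes that handed mail to exim, one
# "count directory" line each, busiest last, exim's own spool excluded.
# $1 = path to exim_mainlog
top_sender_dirs() {
    grep 'cwd=' "$1" | grep -v '/var/spool' \
        | awk -F'cwd=' '{print $2}' | awk '{print $1}' \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# Only the single busiest directory (the /home/.../data of the article).
busiest_sender_dir() {
    top_sender_dirs "$1" | tail -n 1 | awk '{print $2}'
}

# Client IP that requested a given script most often.
# $1 = script name (e.g. mailer.php), $2 = path to the Apache access log
top_ip_for_script() {
    grep -F "$1" "$2" | awk '{print $1}' | sort | uniq -c | sort -n \
        | tail -n 1 | awk '{print $2}'
}

# Constructed sample logs so the helpers run offline; on a real server point
# them at /var/log/exim_mainlog and /home/ACCOUNT/access-logs/DOMAIN instead.
# Prints the temporary directory holding exim_mainlog and access_log.
make_sample_logs() {
    d=$(mktemp -d)
    {
        echo '2014-12-15 09:20:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1Xyz-00'
        echo '2014-12-15 09:21:00 cwd=/home/userna5/public_html 3 args: /usr/sbin/sendmail -t -i'
        i=0
        while [ "$i" -lt 5 ]; do
            echo '2014-12-15 09:26:00 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i'
            i=$((i + 1))
        done
    } > "$d/exim_mainlog"
    {
        echo '192.168.1.1 - - [15/Dec/2014:09:25:00 +0000] "GET /index.php HTTP/1.1" 200 512'
        echo '192.168.1.2 - - [15/Dec/2014:09:25:10 +0000] "POST /data/mailer.php HTTP/1.1" 200 12'
        i=0
        while [ "$i" -lt 3 ]; do
            echo '192.168.10.10 - - [15/Dec/2014:09:26:00 +0000] "POST /data/mailer.php HTTP/1.1" 200 12'
            i=$((i + 1))
        done
    } > "$d/access_log"
    echo "$d"
}
```

Once `busiest_sender_dir` names a directory, inspect it with `ls -lahtr` as in Step 3 before deciding which script to remove or which IP to deny.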