How to locate the top scripts on your server that send out email. You can then search the Exim mail log for those scripts to determine if it looks like spam, and even check your Apache access logs in order to find how a spammer might be using your scripts to send out spam. Login to your server via SSH as the root user. Run the following command to pull the most used mailing script’s location from the Exim mail log:<\/p>\n
\ngrep cwd \/var\/log\/exim_mainlog | grep -v \/var\/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n\n<\/pre>\nCode breakdown:<\/p>\n
\ngrep cwd \/var\/log\/exim_mainlog \t\n<\/pre>\nUse the grep command to locate mentions of cwd from the Exim mail log. This stands for current working directory.<\/p>\n
\ngrep -v \/var\/spool\n<\/pre>\nUse the grep with the -v flag which is an invert match, so we don’t show any lines that start with \/var\/spool as these are normal Exim deliveries not sent in from a script.<\/p>\n
\nawk -F"cwd=" '{print $2}' | awk '{print $1}' \t\n<\/pre>\nUse the awk command with the -Field seperator set to cwd=, then just print out the $2nd set of data, finally pipe that to the awk command again only printing out the $1st column so that we only get back the script path.<\/p>\n
\nsort | uniq -c | sort -n \t\n<\/pre>\nSort the script paths by their name, uniquely count them, then sort them again numerically from lowest to highest.<\/p>\n
You should see something like this:<\/p>\n
\n\n 15 \/home\/username\/public_html\/about-us\n 25 \/home\/username\/public_html\n 7866 \/home\/username\/public_html\/data\n<\/pre>\nHere we can see that the \/home\/userna5\/public_html\/data directory by far has more deliveries coming in than any others.Now we can run the following command to see what scripts are located in that directory:<\/p>\n
\nls -lahtr \/username\/public_html\/data\n<\/pre>\nIn thise case we got back:<\/p>\n
\n drwxr-xr-x 17 username username 4.0K Jan 20 10:25 ..\/\n -rw-r--r-- 1 username username 5.6K Jan 20 11:27 mailer.php\n drwxr-xr-x 2 username username 4.0K Jan 20 11:27 .\/\n<\/pre>\nSo we can see there is a script called mailer.php in this directory. Knowing the mailer.php script was sending mail into Exim, we can now take a look at our Apache access log to see what IP addresses are accessing this script using the following command:<\/p>\n
\ngrep "mailer.php" \/home\/username\/access-logs\/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n\n<\/pre>\nYou should get back something similar to this:<\/p>\n
\n\n 2 123.123.123.126\n 2 123.123.123.125\n 2 123.123.123.124\n 7860 123.123.123.123\n<\/pre>\nSo we can clearly see that the IP address 123.123.123.123 was responsible for using our mailer script in a malicious nature. If you did find a malicious IP address sending out a large volume of messages from a script on your server you’ll probably want to go ahead and block them at your server’s firewall so that they can’t try to connect again. <\/p>\n
Remove exim emails:<\/p>\n
\n# exim -bp | exiqgrep -i | xargs exim -Mrm\n<\/pre>\n","protected":false},"excerpt":{"rendered":"How to locate the top scripts on your server that send out email. You can then search the Exim mail log for those scripts to determine if it looks like spam, and even check your Apache access logs in order to find how a spammer might be using your scripts to send out spam. Login … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-201","post","type-post","status-publish","format-standard","hentry","category-exim"],"_links":{"self":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/201","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=201"}],"version-history":[{"count":0,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/201\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=201"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=201"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=201"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}