Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

Professional Opinions
Ask a Question
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

troubleshooting Question

How to Run CPanel? Scripts to Detect Spamming Scripts on Website

Avatar of qeng
qeng asked on
Apache Web Server
9 Comments1 Solution467 ViewsLast Modified:
Someone has found a way to insert a spamming script (sends out emails) into one of my Joomla websites.  I'm not sure if they found access through one of the Joomla pages or by accessing the server files directly (sites are run on a VPS).

The server tech support folks suggest running some scripts to help determine the location of the spamming script.

This is not something I've done before and am unsure how to proceed.  I have a VPS account (under which I run several websites).  Only one appears to be affected.

The type of scripts being suggested are shown below.

Are these scripts from the affected domain's CPanel (if so, do I cut and paste them and where?) or from the Root WHM?

Sample Scripts:

To get a sorted list of email sender in exim mail queue.

# exim -bpr | grep "<" | awk {'print $4'} | cut -d "<" -f 2 | cut -d ">" -f 1 | sort -n | uniq -c | sort -n

 Script to check script that will originate spam mails:
# grep "cwd=/home" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
 # awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1
 # grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg

In order to find “nobody” spamming, issue the following command
# ps -C exim -fH ewww | awk '{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n

summary of mails in the mail queue.
exim -bpr | exiqsumm -c | head