How to locate PHP scripts that are sending spam emails on a Plesk server?


Here are two ways to find a spammer on a Plesk server.

If the spam is being sent by a PHP script on a Plesk server, there are two ways to identify that script.

1) The following command lists, in real time, the PHP files the web server is opening. It only helps while the spam run is in progress, so execute it while mail is actively leaving the server.

Execute the command exactly as shown:

# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk \
 ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` \
 | grep vhosts | grep php

This refreshes every second (+r 1) and prints the path of each PHP file under the vhosts directory as httpd opens it. Two caveats: the grep must match your web server's process name (httpd on RHEL/CentOS, apache2 on Debian/Ubuntu), and if the domain runs PHP as FastCGI or PHP-FPM the file is opened by the php-cgi or php-fpm worker rather than by httpd, so grep for that process instead. If the PID list comes back empty, lsof will complain about the bare -p and exit.

2) This method is for when you are not around and still want to record which folder, and therefore which domain, the PHP script sending the mail is running from.

a) Create the file /var/qmail/bin/sendmail-wrapper with the following contents:

#!/bin/sh
# Prepend a header holding the caller's working directory, append a copy of
# the whole message to the trace log, then hand it to the real qmail sendmail.
(echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send \
  | /var/qmail/bin/sendmail-qmail "$@"

Make the wrapper executable, move Qmail's real sendmail binary aside, and point the sendmail name at the wrapper:

# chmod a+x /var/qmail/bin/sendmail-wrapper
# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

b) Create the log file /var/tmp/mail.send and make it readable and writable by everyone. This is required because the PHP scripts run as the subscriptions' system users, not as root; bear in mind it also means the compromised account can read or truncate the log, so treat this as a short-term trace only.

# touch /var/tmp/mail.send
# chmod a+rw /var/tmp/mail.send

c) Wait for a few hours and revert back the sendmail files

# rm -f /var/qmail/bin/sendmail
# ln -s /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

Then go through the log file /var/tmp/mail.send. Each logged message begins with an "X-Additional-Header" line giving the working directory of the process that called sendmail, which for a PHP script is normally the directory the script resides in. Example:

X-Additional-Header: /home/vhosts/domain1.com

To locate all the domains the PHP scripts that are sending emails are residing in, execute:

# grep X-Additional /var/tmp/mail.send | grep \
 `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D \
 | sed -e 's/HTTPD_VHOSTS_D//' `

If no script is listed, the mail did not go through the sendmail binary, so PHP's mail() function was not used. A script that speaks SMTP directly (a mailer library configured for SMTP, or a raw socket to port 25) never passes through the wrapper; in that case look at the SMTP server log for the sending sessions instead.
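Reading a few hours of /var/tmp/mail.send by hand is slow, since the wrapper logs every full message, including legitimate contact-form mail and cron output. The following POSIX sh functions are an added example, not part of the original post: they pull out only the X-Additional-Header lines, keep those below the vhosts root, and rank the sending directories and domains by message count so the busiest one floats to the top. The vhosts root is read from HTTPD_VHOSTS_D in /etc/psa/psa.conf when the file exists and otherwise assumed to be /var/www/vhosts; the sample log is constructed for the example, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): rank the directories and domains
# that fed mail through the sendmail wrapper, using the X-Additional-Header
# lines it prepends to every logged message.

# Vhosts root: from psa.conf on a real Plesk host, else an assumed default.
vhosts_root() {
  root=$(awk '/^HTTPD_VHOSTS_D/ { print $2 }' /etc/psa/psa.conf 2>/dev/null || true)
  echo "${root:-/var/www/vhosts}"
}

# Constructed sample of what the wrapper writes: each message starts with one
# X-Additional-Header line holding $PWD of the process that called sendmail.
make_sample_log() {
  cat > "$1" <<'EOF'
X-Additional-Header: /var/www/vhosts/domain1.com/httpdocs/wp-content/uploads
To: a@example.net
Subject: offer
X-Additional-Header: /var/www/vhosts/domain2.com/httpdocs
To: b@example.net
Subject: contact form
X-Additional-Header: /var/www/vhosts/domain1.com/httpdocs/wp-content/uploads
To: c@example.net
Subject: offer
X-Additional-Header: /root
To: admin@example.net
Subject: cron output
X-Additional-Header: /var/www/vhosts/domain1.com/httpdocs/wp-content/uploads
To: d@example.net
Subject: offer
EOF
}

# "count path" per sending directory, busiest first. Only paths below the
# vhosts root are kept, so root/cron mail (also logged by the wrapper) drops out.
rank_sending_dirs() {
  log=$1; root=${2:-$(vhosts_root)}
  grep '^X-Additional-Header: ' "$log" \
    | sed 's/^X-Additional-Header: //' \
    | grep "^$root/" \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Collapse the per-directory counts to "count domain", where the domain is the
# first path component under the vhosts root, busiest first.
rank_sending_domains() {
  log=$1; root=${2:-$(vhosts_root)}
  rank_sending_dirs "$log" "$root" \
    | awk -v root="$root/" '{
        rest = substr($2, length(root) + 1)
        split(rest, part, "/")
        n[part[1]] += $1
      }
      END { for (d in n) print n[d], d }' \
    | sort -rn
}
```

On a live server, source the file and run `rank_sending_domains /var/tmp/mail.send` to get the top domains, then `rank_sending_dirs /var/tmp/mail.send` to see the exact directory (a writable uploads or cache folder is a common hiding place for injected mailer scripts).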

This entry was posted on Sunday, December 2nd, 2012 and is filed under Plesk Management.