{"id":2006,"date":"2012-12-02T08:05:46","date_gmt":"2012-12-02T12:05:46","guid":{"rendered":"http:\/\/linuxhostingsupport.net\/blog\/?p=2006"},"modified":"2014-11-24T08:20:59","modified_gmt":"2014-11-24T12:20:59","slug":"how-to-locate-php-scripts-that-are-sending-spam-emails-on-a-plesk-server","status":"publish","type":"post","link":"https:\/\/linuxhostingsupport.net\/blog\/how-to-locate-php-scripts-that-are-sending-spam-emails-on-a-plesk-server","title":{"rendered":"How to locate PHP scripts that are sending spam emails on a Plesk server?"},"content":{"rendered":"

 <\/p>\n

Here are Various ways to find a Spammer on a Plesk server<\/a>.<\/p>\n

If emails are sent using a PHP script on a Plesk server, there are following 2 ways to determine the PHP script.<\/p>\n

1)<\/strong> The following command will display the PHP scripts running in real-time. You have to execute the below script at the time the emails are been sent from your server rapidly.<\/p>\n

Execute the below command as it is:<\/p>\n

\n
#<\/strong> lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk \\\r\n ' { if(!str) { str=$1 } else { str=str\",\"$1}}END{print str}'` \\\r\n | grep vhosts | grep php<\/pre>\n<\/blockquote>\n
This will continuously display the path to the PHP files as they will be accessed and executed.<\/p>\n
2)<\/strong> This method is used when you are not around and still wanted to trace the folder or the domain of the PHP script that is sending emails is running from.<\/p>\n
a)<\/strong> Create a \/var\/qmail\/bin\/sendmail-wrapper file with the following contents<\/p>\n
\n
#!\/bin\/sh\r\n (echo X-Additional-Header: $PWD ;cat) | tee -a \/var\/tmp\/mail.send \\\r\n|\/var\/qmail\/bin\/sendmail-qmail \"$@\"<\/pre>\n<\/blockquote>\n
Grant executable permission on the sendmail wrapper and replace it with the old sendmail file of Qmail as stated below:<\/p>\n
\n
# chmod a+x \/var\/qmail\/bin\/sendmail-wrapper\r\n# mv \/var\/qmail\/bin\/sendmail \/var\/qmail\/bin\/sendmail-qmail\r\n# ln -s \/var\/qmail\/bin\/sendmail-wrapper \/var\/qmail\/bin\/sendmail<\/pre>\n<\/blockquote>\n
b)<\/strong> Create a log file \/tmp\/mail.send and grant read\/write permissions to all.<\/p>\n
\n
# touch \/var\/tmp\/mail.send\r\n# chmod a+rw \/var\/tmp\/mail.send<\/pre>\n<\/blockquote>\n
c)<\/strong> Wait for a few hours and revert back the sendmail files<\/p>\n
\n
# rm -f \/var\/qmail\/bin\/sendmail\r\n# ln -s \/var\/qmail\/bin\/sendmail-qmail \/var\/qmail\/bin\/sendmail<\/pre>\n<\/blockquote>\n
then go through the log file \/tmp\/mail.send. The log file contains “X-Additional-Header” lines that will display the path to the folder name the PHP scripts are residing in. Example:<\/p>\n
\n
X-Additional-Header: \/home\/vhosts\/domain1.com<\/pre>\n<\/blockquote>\n
To locate all the domains the PHP scripts that are sending emails are residing in, execute:<\/p>\n
\n
# grep X-Additional \/var\/tmp\/mail.send | grep \\\r\n `cat \/etc\/psa\/psa.conf | grep HTTPD_VHOSTS_D \\\r\n | sed -e 's\/HTTPD_VHOSTS_D\/\/' `<\/pre>\n<\/blockquote>\n
If no script is listed, it means mail() php function was not used to send emails.<\/p>\n","protected":false},"excerpt":{"rendered":"
 
\nHere are Various ways to find a Spammer on a Plesk server.
\nIf emails are sent using a PHP script on a Plesk server, there are following 2 ways to determine the PHP script.
\n1) The following command will display the PHP scripts running in real-time. You have to execute the below script at the time the emails are been sent from your server rapidly.
\nExecute the below command as it is:<\/p>\n
# lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk \\
\n ‘ { if(!str) […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[1446,1449,1445,1447,1448],"_links":{"self":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/2006"}],"collection":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/comments?post=2006"}],"version-history":[{"count":16,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/2006\/revisions"}],"predecessor-version":[{"id":2367,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/posts\/2006\/revisions\/2367"}],"wp:attachment":[{"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/media?parent=2006"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/categories?post=2006"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/linuxhostingsupport.net\/blog\/wp-json\/wp\/v2\/tags?post=2006"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}