A couple of times I have been called to investigate a web server, running a PHP application such as WordPress, that is sending spam mail and remove function responsible.
Firstly, we need to know which script the message is originating from.
Add the following line and save
mail.add_x_header = On
And restart the php service (I use php-fpm)
service php-fpm restart
This will add the following header to all messages that originate from the server which defines the UID and filename of script.
If you don’t have the message headers then we’ll have to do some investigating.
I’m using Exim at the moment but the process is similar for other mail servers like Postfix or Sendmail.
I want to try and locate the offending message or messages so I’ll have to check the logs. I know the message was recent so in this case I just want to tail the end of the log.
Each message has a unique ID which is usually the third column along after date and time.
2015-11-18 10:58:38 1Zz0Nc-00067L-1N email@example.com [188.8.131.52]
I can reveal the headers of that message like so
/usr/sbin/exim -Mvh 1Zz0Nc-00067L-1N
And you’ll have the headers displayed in your terminal along with X-PHP-Originating-Script
Say we know the offending file is object.php and it’s being sent via our application, we now need to fine and remove script.
find /home/mysite.com -iname "object.php"
Voilà! Your offending script.