
PHP – Find which script is sending spam mail

A couple of times I have been called to investigate a web server, running a PHP application such as WordPress, that is sending spam mail, and to remove the function responsible.

Firstly, we need to know which script the message is originating from.

Open php.ini

vi /etc/php.ini

Add the following line and save

mail.add_x_header = On

And restart the php service (I use php-fpm)

service php-fpm restart

This will add the following header to every message that PHP's mail() function sends from the server; its value is the UID the script ran as, followed by the filename of the script.

X-PHP-Originating-Script: 1000:object.php

If you don’t have the message headers then we’ll have to do some investigating.

I’m using Exim at the moment but the process is similar for other mail servers like Postfix or Sendmail.
I want to try and locate the offending message or messages so I’ll have to check the logs. I know the message was recent so in this case I just want to tail the end of the log.

tail /var/log/exim/main.log

Each message has a unique ID which is usually the third column along after date and time.

2015-11-18 10:58:38 1Zz0Nc-00067L-1N spamming@to.com [111.111.111.111]

I can reveal the headers of that message like so

/usr/sbin/exim -Mvh 1Zz0Nc-00067L-1N

And you'll have the headers displayed in your terminal, including X-PHP-Originating-Script.

Say we know the offending file is object.php and it's being sent via our application; we now need to find and remove the script.

find /home/mysite.com -iname "object.php"

Voilà! Your offending script.
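The steps above can be scripted so that the message IDs, the X-PHP-Originating-Script value and the file search are pulled out without copying IDs by hand. The helpers below are an added example, not part of the original post: the log excerpt and header dump are constructed samples in the style of the output shown above, the function names (exim_message_ids, php_originating_scripts, script_uid, script_name, find_script) are my own, and the web root /home/mysite.com is the one used in the post.

```shell
#!/bin/sh
# Added example: helpers for the spam-script triage described above.
# The sample data below is constructed, not taken from a real server.

# Constructed excerpt of an Exim main.log (the real file is /var/log/exim/main.log).
SAMPLE_LOG='2015-11-18 10:57:02 1Zz0MX-00066Q-8s <= root@mysite.com U=root P=local S=512
2015-11-18 10:58:38 1Zz0Nc-00067L-1N <= www-data@mysite.com U=www-data P=local S=1201
2015-11-18 10:58:38 1Zz0Nc-00067L-1N => spamming@to.com [111.111.111.111] R=dnslookup T=remote_smtp
2015-11-18 10:58:39 1Zz0Nc-00067L-1N Completed
2015-11-18 10:58:40 Start queue run: pid=2203'

# Constructed header dump for one message, as exim -Mvh would reveal it
# once mail.add_x_header = On has been set in php.ini.
SAMPLE_HEADERS='Received: from www-data by mysite.com with local (Exim 4.80)
X-PHP-Originating-Script: 1000:object.php
To: spamming@to.com
Subject: Hello'

# Print the unique Exim message IDs found in log lines read from stdin.
# The ID is the third whitespace-separated field (after date and time) and
# has the shape xxxxxx-xxxxxx-xx; lines such as "Start queue run" are skipped.
exim_message_ids() {
    awk '$3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ { print $3 }' \
        | awk '!seen[$0]++'
}

# Print the value of every X-PHP-Originating-Script header in a header dump
# read from stdin (format "UID:filename", e.g. "1000:object.php").
# Matching anywhere in the line also copes with the size/flag prefix that
# exim -Mvh puts in front of each header line.
php_originating_scripts() {
    sed -n \
        -e '/[Xx]-[Pp][Hh][Pp]-[Oo]riginating-[Ss]cript:/!d' \
        -e 's/.*[Xx]-[Pp][Hh][Pp]-[Oo]riginating-[Ss]cript:[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e p
}

# Split "UID:filename" into its two parts.
script_uid()  { printf '%s\n' "$1" | cut -d: -f1; }
script_name() { printf '%s\n' "$1" | cut -d: -f2-; }

# Locate every copy of the named script under a web root, case-insensitively.
# This only lists candidates; review each hit before removing anything.
find_script() {
    find "$1" -type f -iname "$2" 2>/dev/null
}

# Demonstration on the constructed samples.
printf 'Message IDs in the log excerpt:\n'
printf '%s\n' "$SAMPLE_LOG" | exim_message_ids

printf 'Originating scripts in the header dump:\n'
for value in $(printf '%s\n' "$SAMPLE_HEADERS" | php_originating_scripts); do
    printf '  uid=%s script=%s\n' "$(script_uid "$value")" "$(script_name "$value")"
done
# On a real server the last step is:  find_script /home/mysite.com object.php
```

Two caveats when using this for real. The header is only added to mail that goes through PHP's mail() function and hence the configured sendmail_path; a script that opens its own SMTP connection (PHPMailer in SMTP mode, for example) never carries it, so an empty result from php_originating_scripts does not clear PHP. And the UID identifies the account the script ran as, which on a shared server is usually enough to narrow the search to one site before running find_script over its web root.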

Resources

Useful Exim commands

About 

10 years + experience in web development working with lots of different technology.
