This article can help you to track down outgoing spam using PHP.
From PHP version 5.3.0 onward, the mail.log directive can be used to log every call to the mail() function. When a PHP script calls mail(), information about the caller is written to the log.
PHP mail.log entries include the full path of the script, line number, To address and headers.
1. Check email log
#tail -f /var/log/maillog
2. Edit php.ini
#vim /etc/php.ini
3. To enable mail.log, add the following line in php.ini
mail.log = /var/log/phpmail.log
under
; Force the addition of the specified parameters to be passed as extra parameters
; to the sendmail binary. These parameters will always replace the value of
; the 5th parameter to mail(), even in safe mode.
;mail.force_extra_parameters =
4. Create log file
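#touch /var/log/phpmail.log
#chmod 777 /var/log/phpmail.log
The log only has to be writable by the account PHP runs as. Mode 777 leaves it world-writable, so any local user, including the script you are investigating, can alter or truncate it. Tighten the permissions once you know which account writes to the file.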
5. Restart apache
#service httpd restart
6. Open log and check output
#tail -f /var/log/phpmail.log
Sample Outputs:
mail() on [/home/html/proj/install/local.php(256) : runtime-created function(1) : eval()'d code(1) : eval()'d code:3]: To: tiesto_hajjar@live.com -- Headers: From: aexj@abc.com Reply-To: aexj@abc.com
mail() on [/home/html/proj/install/local.php(256) : runtime-created function(1) : eval()'d code(1) : eval()'d code:3]: To: tiemoko095@gmail.com -- Headers: From: palazg@abc.com Reply-To: palazg@abc.com
7. Fix your php script
8. Last step, clear/delete/flush mail queue
After you fix the script problem, you may still see spam entries in maillog with a delay parameter > 0.
This is because the mail was not sent successfully; it is still in the mail queue, waiting for the system to try sending it again.
The quick way to solve this is to permanently delete all e-mail messages in the Sendmail mail server (SMTP) queue.
You can use the mailq command or the sendmail -bp command to display a summary of the mail messages queued for future delivery. Type the following command:
#sendmail -bp
or
#mailq
You can cd to /var/spool/mqueue and delete all files if you want to get rid of all messages in the queue:
# cd /var/spool/mqueue/
# ls
# rm -rf *
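For step 6, once /var/log/phpmail.log has more than a handful of entries, grouping them by calling script shows which file to fix in step 7. The following is an added example, not part of the original article: it parses entries in the format shown under "Sample Outputs" and ranks scripts by mail count, flagging calls made from eval()'d or runtime-created code. The function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the entry format shown under "Sample Outputs" above;
# paths and addresses are made up (reserved example.* domains).
SAMPLE_LOG = """\
mail() on [/home/html/proj/install/local.php(256) : runtime-created function(1) : eval()'d code(1) : eval()'d code:3]: To: a@example.com -- Headers: From: x1@example.org Reply-To: x1@example.org
mail() on [/home/html/proj/install/local.php(256) : runtime-created function(1) : eval()'d code(1) : eval()'d code:3]: To: b@example.com -- Headers: From: x2@example.org Reply-To: x2@example.org
mail() on [/home/html/proj/contact.php:42]: To: owner@example.net -- Headers: From: form@example.net
this line is not a mail() entry
"""

ENTRY = re.compile(r"mail\(\) on \[(?P<origin>.+?)\]: To: (?P<to>.*?) -- Headers: (?P<headers>.*)")
# origin is "script:line", or "script(line) : ..." when mail() ran inside eval()'d code
ORIGIN = re.compile(r"(?P<script>.+?)(?:\((?P<l1>\d+)\) : .*|:(?P<l2>\d+))$")
FROM = re.compile(r"\bFrom:\s*(\S+)")

def parse_entry(line):
    """Return a dict for one mail.log entry, or None if the line does not match."""
    m = ENTRY.search(line)  # search() tolerates any prefix before "mail() on"
    o = m and ORIGIN.match(m["origin"])
    if not o:
        return None
    sender = FROM.search(m["headers"])
    return {
        "script": o["script"],
        "line": int(o["l1"] or o["l2"]),
        "to": m["to"].strip(),
        "from": sender.group(1) if sender else None,
        # mail() reached through eval()'d or runtime-created code, as in the sample output
        "dynamic": any(t in m["origin"] for t in ("eval()'d code", "runtime-created function")),
    }

def summarize(log_text):
    """Group entries by calling script, busiest script first."""
    stats = defaultdict(lambda: {"count": 0, "recipients": set(), "senders": set(), "dynamic": False})
    for entry in filter(None, map(parse_entry, log_text.splitlines())):
        s = stats[entry["script"]]
        s["count"] += 1
        s["recipients"].add(entry["to"])
        s["senders"].add(entry["from"])
        s["dynamic"] = s["dynamic"] or entry["dynamic"]
    return sorted(stats.items(), key=lambda kv: kv[1]["count"], reverse=True)

if __name__ == "__main__":
    for script, s in summarize(SAMPLE_LOG):
        flag = "  <-- eval()/runtime-created code" if s["dynamic"] else ""
        print(f"{s['count']:5d} mails {len(s['recipients']):5d} rcpts {len(s['senders']):5d} senders  {script}{flag}")
```

To run it against the real log, pass the contents of /var/log/phpmail.log to summarize() instead of SAMPLE_LOG. A script that sends to many recipients with a different From address on each message, as in the sample output, is the one to inspect first.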