Did you ever face any of the following issue in your server?

  • You can’t send email from your domain because your server IP blocked by several RBL Sites
  • Your word press website hacked and you can’t login to wp-admin
  • In your cPanel/WHM mail que manager, thousands of email in Que. but you don’t know which script sending this emails

Well in this article we will discuss about how to fix bulk email sending problem causing by malicious email script

You may wondering why hacker spending hours to hack your small website. Well first of all this type of hackers do not hack individual websites by going each of them. They use bots to find the backdoor of your website like any coding error, less strong password or easy matching password, wordpress theme error, week server security etc. It is always suggested to use good secure web hosting, premium theme, plugins and update your website regularly. Hackers hack this small websites from all different servers and locations around the world so they can send bulk emails, stilling your website data specially if its an ecommerce website with clients credit card info, email list or sometime they ask for ransom.

So when a hacker send out thousands of email using your server, your IP get listed in RBL sites like Barracuda, Spamcop etc and you cant send your business email anymore from that IP.

Well in cPanel/WHM server, MTA (Mail transfer agent) or Exim handle the Email deliveries. All email activity logged including which script send emails. using this log you can easily track down how many emails was send and what is the script location.

To use this steps you need to login as root to your server via SSH. You can use putty in windows or terminal in Mac to login via SSH. Ones you login run the following command

This command will show you the most used mailing script location from the Exim mail log:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

You should get back something like this:

1 /home/ngebajak
4 /home/thetechbite/public_html
75 /home/afreehos/public_html/cp
427 /home/autoposf
428 /home/skidrowo
707 /
755 /etc/csf
90398 /home/thetech/public_html/

We can see /home/thetech/public_html/ by far has more deliveries coming in than any others.

Now we can run the following command to see what scripts are located in that directory:

ls -lahtr /home/thetech/public_html/

In this case we got back:

-rw-r–r–.  1 thetech thetech 3.3K Jan 13 19:32 wp-load.php
-rw-r–r–.  1 thetech thetech 4.5K Jan 13 19:32 wp-trackback.php
-rw-r–r–.  1 thetech thetech  85K Jan 13 19:32 wp-mall.php

So we can see there is a script called wp-mall.php in this directory

Knowing the wp-mall.php script was sending mail into Exim, we can now take a look at our Apache access log to see what IP addresses are accessing this script using the following command:

grep “wp-mall.php” /home/thetech/public_html/wp-mall.php | awk ‘{print $1}’ | sort -n | uniq -c | sort -n

You should get back something similar to this:

2 38.67.120.78
2 38.67.120.79
90398 107.221.89.12

We can see the IP address 107.221.89.12 was using our mailer script in a malicious nature.

If you find a malicious IP address sending a large volume of mail from a script, you’ll probably want to go ahead and block them at your server’s firewall so that they can’t try to connect again.

This can be accomplished with the following command:

apf -d 107.221.89.12 “Spamming script in thetech/public_html/wp-mall.php”

Or use CSF firewall in you WHM to block the IP.

Looking for a cheap managed web hosting who will handle your server professionally and update your website regularly? Check Gogetspace.com