Login to your server via SSH as the root user.
Run the following command to pull the most used mailing script’s location from the Exim mail log:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Code breakdown:

You should get back something like this:

15 /home/userna5/public_html/about-us 25 /home/userna5/public_html 7866 /home/userna5/public_html/data

We can see **/home/userna5/public_html/data** by far has more deliveries coming in than any others.

Now we can run the following command to see what scripts are located in that directory: ls -lahtr /userna5/public_html/data In thise case we got back: drwxr-xr-x 17 userna5 userna5 4.0K Jan 20 10:25 ../ -rw-r--r-- 1 userna5 userna5 5.6K Jan 20 11:27 mailer.php drwxr-xr-x 2 userna5 userna5 4.0K Jan 20 11:27 ./ So we can see there is a script called mailer.php in this directory

Knowing the mailer.php script was sending mail into Exim, we can now take a look at our Apache access log to see what IP addresses are accessing this script using the following command:

grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n

You should get back something similar to this:

2 2 2 7860

We can see the IP address **** was using our mailer script in a malicious nature.

If you find a malicious IP address sending a large volume of mail from a script, you’ll probably want to go ahead and block them at your server’s firewall so that they can’t try to connect again.This can be accomplished with the following command:

csf -d "Spamming from script in /home/userna5/public_html/data"

Hopefully you’ve learned how to use your Exim mail log to see what scripts on your server are causing the most email activity. Also how to investigate if malicious activity is going on, and how to block it.

Did this answer your question?