Skip to main content

Search for a malicious mail script

Comments

4 comments

  • cPanelLauren
    Yes, the easiest way to do this is look at the exim logs. Mail sent via a script is represented by cwd (current working directory) in the exim logs. You can very simply do the following: grep cwd /var/log/exim_mainlog
    You could also do something more detailed such as the following: [root@server ~]# grep cwd /var/log/exim_mainlog |grep -v /var/spool/ |awk -F "cwd=" '{print $2}' |awk '{print $1}' |sort |uniq -c |sort -n
    This will output the path and number of emails sent from that path
    0
  • paulw32
    Thanks. I'll give it a go and save it for any future issues.
    0
  • paulw32
    Yes, the easiest way to do this is look at the exim logs. Mail sent via a script is represented by cwd (current working directory) in the exim logs. You can very simply do the following: grep cwd /var/log/exim_mainlog
    You could also do something more detailed such as the following: [root@server ~]# grep cwd /var/log/exim_mainlog |grep -v /var/spool/ |awk -F "cwd=" '{print $2}' |awk '{print $1}' |sort |uniq -c |sort -n
    This will output the path and number of emails sent from that path

    Sorry, I just got around to testing this code, but I couldn't make it work? Is there something specific in the way I need to enter the code in terminal or do I just copy and paste?
    0
  • paulw32
    Sorry, I just got around to testing this code, but I couldn't make it work? Is there something specific in the way I need to enter the code in terminal or do I just copy and paste?

    Scratch that. All good. Thanks again
    0

Please sign in to leave a comment.