
Stop PHP spam scripts on a Linux Plesk server: how can I find the domains these scripts are running on?

Parallels Plesk Panel (8.x, 9.x)
If you think your server is being used to send spam through a PHP script, you need to find the folder that the PHP script sending the mail was run from.
Here are the steps:
1) Create a script with the following content (vi /var/qmail/bin/sendmail-wrapper):

#!/bin/sh
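# Prepend the caller's working directory as a header, log the message, then hand it to the real sendmail.
(echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /var/qmail/bin/sendmail-qmail "$@"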

2) Now create the log file /var/tmp/mail.send and grant it "a+rw" rights, make the wrapper executable, rename the old sendmail and link the sendmail name to the new wrapper:

~# touch /var/tmp/mail.send
~# chmod a+rw /var/tmp/mail.send
~# chmod a+x /var/qmail/bin/sendmail-wrapper
~# mv /var/qmail/bin/sendmail /var/qmail/bin/sendmail-qmail
~# ln -s /var/qmail/bin/sendmail-wrapper /var/qmail/bin/sendmail

3) Wait for some time (about an hour) and revert sendmail back:

~# rm -f /var/qmail/bin/sendmail
~# ln -s /var/qmail/bin/sendmail-qmail /var/qmail/bin/sendmail

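Examine the /var/tmp/mail.send file. It should contain lines starting with "X-Additional-Header:" that point to the domains' folders where the scripts that sent the mail are located. Because tee copies the whole message, the file also holds the full headers and body of each message sent while the wrapper was in place.
You can list all the folders that PHP scripts sent mail from with the following command: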

~# grep X-Additional /var/tmp/mail.send | grep `cat /etc/psa/psa.conf | grep HTTPD_VHOSTS_D | sed -e 's/HTTPD_VHOSTS_D//'`

If you see no output from the command above, it means that no mail was sent using PHP mail() function from the Plesk virtual hosts directory.
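
The grep above prints one line per message, which is hard to read on a busy server. The following is an added example, not part of the original article, that counts messages per domain and directory from the wrapper log. The function names and the sample log and psa.conf contents are constructed for illustration, and it assumes psa.conf stores the setting as "HTTPD_VHOSTS_D <path>".

```shell
#!/bin/sh
# Added example (not from the original article): rank the directories that
# submitted mail through the sendmail wrapper, grouped by Plesk domain.

# Read the vhosts root from a psa.conf-style file ("HTTPD_VHOSTS_D <path>").
vhosts_root() {
    awk '$1 == "HTTPD_VHOSTS_D" { print $2; exit }' "$1"
}

# summarize_senders LOG VHOSTS_ROOT
# Prints "<count> <domain> <directory>", busiest directory first.
summarize_senders() {
    awk -v root="${2%/}/" '
        BEGIN { tag = "X-Additional-Header: " }
        # Only lines the wrapper wrote for paths below the vhosts root.
        index($0, tag root) == 1 {
            dir = substr($0, length(tag) + 1)
            domain = substr(dir, length(root) + 1)
            sub(/\/.*/, "", domain)       # first path component = domain
            n[domain " " dir]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Constructed sample data so the example runs offline.
make_sample() {
    printf 'HTTPD_VHOSTS_D /var/www/vhosts\n' > "$1/psa.conf"
    cat > "$1/mail.send" <<'EOF'
X-Additional-Header: /var/www/vhosts/example.com/httpdocs/forum/cache
To: a@example.net
Subject: constructed sample 1

X-Additional-Header: /var/www/vhosts/example.com/httpdocs/forum/cache
To: b@example.net

X-Additional-Header: /var/www/vhosts/example.org/httpdocs
To: c@example.net

X-Additional-Header: /root
To: d@example.net
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
summarize_senders "$tmp/mail.send" "$(vhosts_root "$tmp/psa.conf")"
rm -rf "$tmp"
```

On a real server, call summarize_senders /var/tmp/mail.send "$(vhosts_root /etc/psa/psa.conf)"; the directory at the top of the output is the first place to look for the sending script.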