Find which PHP script is sending spam emails

You have a WordPress blog that has been compromised or hacked. Some script on the server is sending spam emails and you do not know which one. Try the following steps to find and remove the bad script.

1. Create a file called phpmail.log

touch /var/log/phpmail.log

2. Change permissions on the file so that the web server can write to it. This can be done in many ways.

chown httpd:httpd /var/log/phpmail.log

or

chmod 777 /var/log/phpmail.log

3. Locate your php.ini file (on RHEL, CentOS and SuSE it will be here: /etc/php.ini). Edit or add the following two lines in the file:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

4. Restart your web server

service httpd restart

5. Now tail the log file…

tail -f /var/log/phpmail.log

When an email is sent from a PHP script you will see an entry in the log that looks like this…

mail() on [/var/www/html/site2/wp-content/plugins/wp-image-hover-lite/admin/functions.php(1967) : eval()'d code:775]: To: s.nebers@somedomain.uk -- Headers: Date: Mon, 26 Dec 2016 06:55:17 +0000 From: Joe Smith <joe_smail@acme.com> Message-ID: <5cd2be098536da5aefaba80101b8a1a3@acme.com> X-Priority: 3 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1_5cd2be098536da5aefaba80101b8a1a3" Content-Transfer-Encoding: 8bit

In this case the offending script is the one named inside the square brackets in the log entry above: functions.php in the wp-image-hover-lite plugin, and the "eval()'d code" marker shows that the mail() call came from code that script evaluated at runtime. Check out this script and delete it if it looks suspicious.
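
Rather than watching a live tail, you can run the collected log through a small parser. The following Python script is an added example, not part of the original post: it parses mail.log entries in the format shown above, attributes each mail() call to the script that made it (for eval()'d code, the script and line doing the eval, which is what you need to inspect on disk), counts sends per script and flags the eval()'d senders. It assumes PHP's "mail() on [file:line]: To: ... -- Headers: ..." layout and treats the "[date]" prefix PHP normally writes in front of each entry as optional; the sample entries are constructed, with example.com addresses and paths modelled on the entry above.

```python
import re
from collections import Counter

# PHP's mail.log format (assumption: "[date] mail() on [<file>:<line>]: To: <addr> -- Headers: ...";
# when mail() was reached through eval(), <file> itself reads "<script>(<line>) : eval()'d code").
LINE_RE = re.compile(
    r"^(?:\[(?P<date>[^\]]*)\]\s+)?"
    r"mail\(\) on \[(?P<file>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers: (?P<headers>.*)$"
)
EVAL_RE = re.compile(r"^(?P<script>.*?)\((?P<line>\d+)\) : eval\(\)'d code$")

# Constructed sample entries (example.com addresses; paths modelled on the entry above).
SAMPLE_LOG = """\
[26-Dec-2016 06:55:17 UTC] mail() on [/var/www/html/site2/wp-content/plugins/wp-image-hover-lite/admin/functions.php(1967) : eval()'d code:775]: To: victim1@example.com -- Headers: From: Joe Smith <joe@example.com>
mail() on [/var/www/html/site2/wp-content/plugins/wp-image-hover-lite/admin/functions.php(1967) : eval()'d code:775]: To: victim2@example.org -- Headers: From: Joe Smith <joe@example.com>
mail() on [/var/www/html/site1/wp-includes/pluggable.php:412]: To: admin@example.com -- Headers: From: WordPress <wordpress@example.com>
"""

def parse_line(line):
    """Return {script, line, evald, to} for one mail() entry, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    script, lineno, evald = m["file"], int(m["line"]), False
    ev = EVAL_RE.match(script)
    if ev:
        # The call came from eval()'d code: attribute it to the script doing the eval()
        # and to the line where that eval() sits, which is what you need to inspect on disk.
        script, lineno, evald = ev["script"], int(ev["line"]), True
    return {"script": script, "line": lineno, "evald": evald, "to": m["to"]}

def count_senders(log_text):
    """Return (Counter of mails per script path, set of scripts that sent via eval()'d code)."""
    counts, evald = Counter(), set()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        counts[rec["script"]] += 1
        if rec["evald"]:
            evald.add(rec["script"])
    return counts, evald

if __name__ == "__main__":
    counts, evald = count_senders(SAMPLE_LOG)
    for script, n in counts.most_common():
        flag = "  <-- eval()'d code, inspect first" if script in evald else ""
        print(f"{n:5d}  {script}{flag}")
```

Feed it the real file with `count_senders(open("/var/log/phpmail.log").read())`; the busiest script, especially one flagged as eval()'d, is the first place to look.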

Linux: Find the largest files and directories

This command will list top 10 files and directories by size.

find / -printf '%s %p\n'| sort -nr | head -10

To find just the large files and skip the directories, run the following command

find / -type f -printf '%s %p\n'| sort -nr | head -10

To find the large files of a certain type, run the following command

find / -type f -iname "*.gz" -printf '%s %p\n'| sort -nr | head -10

An alternate way of finding out the biggest files and folders is:

du -a / | sort -n -r | head -n 10

Linux: Which directory has the most files?

An inode is used for every file in the filesystem. If the system is running out of inodes that means there are some directories with a lot of files in them.

The following command will find the directories with the most files.

find / -xdev -printf '%h\n' | sort | uniq -c | sort -k 1 -n

The following command lists free inodes on all filesystems

df -hi