Finding spam sending PHP scripts on a linux server

/, Debian, Linux/Finding spam sending PHP scripts on a linux server

Finding spam sending PHP scripts on a linux server

Sometimes there are users on a server that may have installed old PHP scripts with known security gaps this can cause that this PHP scripts will spam senders. Finding these PHP scripts could be very difficult.

With the release of of PHP 5.3 they have added new functionality to make it easier to handel the tracking of spammers or exploited web forms.

The new functions are affected by settings in the server php.ini, you should have a more detailed look on the offical documentation (

If we open the server php.ini file we should find the following 3 settings:

  • mail.add_x_header (Add X-PHP-Originating-Script that will include UID of the script followed by the filename.)
  • mail.log (The path to a log file that will log all mail() calls. Log entries include the full path of the script, line number, To address and headers.)
  • mail.force_extra_parameters (Force the addition of the specified parameters to be passed as extra parameters to the sendmail binary. These parameters will always replace the value of the 5th parameter to mail(), even in safe mode.)

To enable the functionality, the settings are configured as follows:
mail.add_x_header = On
mail.log = /var/log/phpmail.log

The first setting enabled the header for outgoing emails that is quite useful to identify the script that sent the spam message with mail, with the second setting we configure that every email that sent through the php mail function will create a new log entry within the defined log file. We need also to ensure that the log file is owner and writable by the relevant web server process.

The PHP mail header looks like the following sample (1012 = UID):
X-PHP-Originating-Script: 1012: phpmailer.php

A sample log file entry is shown below:
[25-Apr-2016 18:16:41 UTC] mail() on [/var/www/httpdocs/wordpress/wp-includes/class-phpmailer.php:677]: To: -- Headers: Date: Mon, 25 Apr 2016 18:16:41 +0000 From: ScriptTest Message-ID: X-Mailer: PHPMailer 5.2.14 ( Reply-To: Daniel MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit


By | 2016-10-29T13:50:15+00:00 May 24th, 2016|Allgemein, Debian, Linux|Comments Off on Finding spam sending PHP scripts on a linux server