PHP Spam Scripts

PHP Spam Scripts

I finally decided this topic deserves its own page.
To find the script sending spam
Plesk

Ver -11.0


cat /var/www/vhosts/domain.com/statistics/logs/access_log | grep POST > /tmp/post.log

Ver 11.5+


cat /var/www/vhosts/system/domain.com/statistics/logs/access_log | grep POST > /tmp/post.log

WHM cPanel


cat /usr/local/apache/domlogs/domain.com | grep POST > /tmp/post.log

View the results


cat /etm/post.log

78.138.118.128 - - [02/Jan/2014:10:51:41 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-"
78.138.118.128 - - [02/Jan/2014:10:52:54 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-"
78.138.118.128 - - [02/Jan/2014:10:54:13 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-"
78.138.118.128 - - [02/Jan/2014:10:55:18 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-"
78.138.118.128 - - [02/Jan/2014:10:56:32 -0500] "POST /tmp/sys09725841.php HTTP/1.1" 200 181 "-" "-"

Joomla

This file often appears in /tmp/sysNNNNNNNN.php file
1. /tmp is 777
2. the sysNNNNNNNN.php is usually accompanied by a .zip file
3. .php and .zip are owned by apache

Leave a Comment