Hacked website sending e-mails automatically on cPanel server

Last week, I noticed my dedicated server (exim) was sending huge amounts of e-mails. In cPanel > E-mail > Mail Queue Manager, there were over 6000 e-mails in the exim queue to be sent from a specific e-mail address of an account on my server.

I currently run a dedicated server that hosts about 250 web design clients, so keeping a constant eye on every account is impossible, though I check the mail queue and server resource usage quite regularly to ensure that nothing fishy is going on.

To do a fast and easy scan of your cPanel / WHM server, log in with PuTTY and run the command below to generate a report of the accounts sending the most e-mail. Exim logs the working directory (cwd) of the process that called sendmail, so the report points you at the folder holding any script or hack that is causing your issues.

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n 

The report looks like this:


The report will also show legitimate accounts that send e-mail, because a form submitted through a website goes through exim as well. However, you can use this list to spot unusual folders, or accounts sending far more e-mail than they should, and get to the bottom of the problem.
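As an added example (not part of the original post), here is the same pipeline wrapped in shell functions so it can be run over a constructed sample of exim_mainlog lines, plus a helper that lists only the directories above a chosen count. The account names, paths and log lines are constructed for illustration; the "cwd=" field matches what exim writes when it logs the working directory of the process that invoked sendmail.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces the post's
# exim_mainlog pipeline as functions and runs it over constructed sample data.

# Constructed sample of exim_mainlog lines (not real log data). The
# /var/spool/exim entries are exim's own delivery processes, which is why the
# pipeline filters them out; the remaining lines come from web scripts.
SAMPLE_LOG='2023-05-01 09:00:01 cwd=/home/acme/public_html 3 args: /usr/sbin/sendmail -t -i
2023-05-01 09:00:02 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1pTuVw-0001Ab-Cd
2023-05-01 09:00:03 cwd=/home/acme/public_html/wp-content/uploads/.cache 3 args: /usr/sbin/sendmail -t -i
2023-05-01 09:00:04 cwd=/home/acme/public_html/wp-content/uploads/.cache 3 args: /usr/sbin/sendmail -t -i
2023-05-01 09:00:05 cwd=/home/bravo/public_html 3 args: /usr/sbin/sendmail -t -i
2023-05-01 09:00:06 cwd=/home/acme/public_html/wp-content/uploads/.cache 3 args: /usr/sbin/sendmail -t -i
2023-05-01 09:00:07 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1pTuVw-0001Ac-Ef
2023-05-01 09:00:08 cwd=/home/acme/public_html 3 args: /usr/sbin/sendmail -t -i
2023-05-01 09:00:09 cwd=/home/acme/public_html/wp-content/uploads/.cache 3 args: /usr/sbin/sendmail -t -i
2023-05-01 09:00:10 cwd=/home/acme/public_html/wp-content/uploads/.cache 3 args: /usr/sbin/sendmail -t -i'

# count_cwd: reads exim_mainlog lines on stdin and prints "count directory",
# lowest count first. Same pipeline as the post; on a live server feed it
# with: count_cwd < /var/log/exim_mainlog
count_cwd() {
    grep cwd | grep -v /var/spool \
        | awk -F"cwd=" '{print $2}' | awk '{print $1}' \
        | sort | uniq -c | sort -n
}

# top_sender: prints only the directory with the highest count.
top_sender() {
    count_cwd | tail -n 1 | awk '{print $2}'
}

# over_threshold: prints directories whose count is strictly greater than $1,
# a quick way to surface the outliers on a busy shared server.
over_threshold() {
    limit="$1"
    count_cwd | awk -v limit="$limit" '$1 > limit {print $2}'
}

# Run the report over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_cwd
printf 'Directories over 2 messages:\n'
printf '%s\n' "$SAMPLE_LOG" | over_threshold 2
```

In the sample the hidden directory under wp-content/uploads comes out on top while the two legitimate public_html folders stay low, which is the kind of contrast the post describes; the threshold helper just saves scrolling when the real log has hundreds of accounts.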

I hope this helps you; it helped me find the issue and delete the offending PHP file that was sending the ridiculous amounts of spam e-mail. Obviously this will not fix your website in the long run; you’ll need to find a way to stop it from happening again. If you run a WordPress website, check my checklist for fixing a hacked website.

