Finding spam sending PHP scripts on your server

Everyone has the occasional user who may leave something on their server that may send spam, or not update things as fast as they should. Tracking down the spammer can be a real problem though.
Sometimes you can track down the domain, but not the script; other times they may have so many files that it's nearly impossible.

Recently, with the release of PHP 5.3, they have enabled some brilliant tracking of spammers or exploited web forms by implementing some great features. One of those features is the configuration for email.

By simply adding the following two lines to your php.ini, you can track down pretty much any outgoing spam sent using PHP:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

The first one adds a header to all outgoing email. You may or may not want this one, as it gives out information about your setup and config (e.g. UIDs, script locations); you are also probably not the one receiving the spam, so it's not much help to you. However, having received some spam today I checked the headers, and was able to email the owner of the server the exact location of his spam, so you never know.
The second line logs the entire lot to a log file. It's important to make sure that the log file is owned and writable by the webserver, and that it is being rotated by logrotate.

With these in place, your emails will have the following header:

X-PHP-Originating-Script: 33:ok.php

The 33 is the UID, the ok.php was the script sending me the spam.

An example of what is logged in phpmail.log:

mail() on [/var/www/vhosts/]: To: -- Headers: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed; delsp=yes Content-Transfer-Encoding: 8Bit X-Mailer: Drupal Sender: From:
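Once the log is filling up, the useful question is which script is mailing the most distinct recipients. The following is an added example, not part of the original post: it assumes each entry has the shape `mail() on [script:line]: To: ... -- Headers: ...` with an optional leading timestamp, and the function names, paths and addresses are made up for illustration.

```python
import re
from collections import defaultdict

# Assumed entry shape, based on the sample above:
#   [optional timestamp] mail() on [/path/script.php:LINE]: To: rcpt -- Headers: ...
ENTRY = re.compile(
    r"^(?:\[[^\]]*\]\s+)?mail\(\) on \[(?P<script>.*?)(?::(?P<line>\d+))?\]: "
    r"To:\s*(?P<to>.*?)\s*-- Headers:"
)

# Constructed sample log lines (paths and addresses are made up).
SAMPLE_LOG = """\
mail() on [/var/www/vhosts/example.test/contact.php:41]: To: owner@example.test -- Headers: X-Mailer: Drupal
mail() on [/var/www/vhosts/example.test/tmp/ok.php:7]: To: a@example.com -- Headers: MIME-Version: 1.0
[01-Jan-2024 10:00:01 UTC] mail() on [/var/www/vhosts/example.test/tmp/ok.php:7]: To: b@example.com -- Headers: MIME-Version: 1.0
mail() on [/var/www/vhosts/example.test/tmp/ok.php:7]: To: c@example.com, d@example.com -- Headers: MIME-Version: 1.0
not a mail() entry
"""

def tally(log_text):
    """Return {script: {"calls": n, "recipients": set}} for every parsed entry."""
    stats = defaultdict(lambda: {"calls": 0, "recipients": set()})
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue  # skip lines that are not mail() entries
        entry = stats[m.group("script")]
        entry["calls"] += 1
        # One mail() call can carry several comma-separated recipients.
        entry["recipients"].update(
            r.strip().lower() for r in m.group("to").split(",") if r.strip()
        )
    return dict(stats)

def suspects(stats, min_recipients=3):
    """Scripts mailing at least min_recipients distinct addresses, busiest first."""
    hits = [(s, d["calls"], len(d["recipients"])) for s, d in stats.items()
            if len(d["recipients"]) >= min_recipients]
    return sorted(hits, key=lambda h: h[2], reverse=True)

def parse_originating_script(value):
    """Split an X-PHP-Originating-Script value such as '33:ok.php' into (uid, script)."""
    uid, _, script = value.partition(":")
    return int(uid), script

if __name__ == "__main__":
    for script, calls, rcpts in suspects(tally(SAMPLE_LOG)):
        print(f"{script}: {calls} mail() calls, {rcpts} distinct recipients")
```

To run it against a real log, pass the contents of the file set in mail.log to `tally()` and tune `min_recipients` to what your legitimate contact forms normally send.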


Your php.ini will be in /etc/php.ini if you are using a RedHat-based distro (CentOS, Fedora, etc.) and in /etc/php5/apache/php.ini if you run a Debian derivative (Ubuntu, etc.). If you need a hand setting this up, just drop us an email.

5 responses to “Finding spam sending PHP scripts on your server”

  1. I recently received an email alert from Bank of America asking me to download an html file/form and give out all my personal banking information! It resulted in a script that submitted the data via a website that had a server.php ending to the URL. Is there any way to trace/track the phishing server using this URL, which then automatically redirects back to the Bank of America? If someone fell for this scam, they would end up giving everything to the scammer wiping out their accounts.

    Here is the URL:

    I am a total newbie to this level of information so please forgive me. Just trying to stop this activity!

    • Unless that server.php is on a server you can get access to, then there is nothing you can do other than ring up and change your banking login quick smart. It would pay to check the domain whois and let them know, as well as the people who own the domain. I see that webpage is now redirecting to the correct website in any case, looking like it's been fixed.

  2. If I switch on this parameter in my php.ini on my server (CentOS), it can compromise the functionality of my Parallel plesk panel?

    • Best to do that as a php_admin_value in the vhost.conf for each site, or add it into the main php.ini for the whole server. Either way will be fine.