If the spam mails are not in queue, then we need to check in logs to find out details of spamming. Unless we are not sure what to check in logs, it would be difficult to find the traces of spamming from logs. In such situations, you can use the following method to figure out the details.

1. Use eximstats to get an idea on the mail distribution on server.

# eximstats exim_mainlog

Two things are important in the output:

a) The date range of the output. For example:

Exim statistics from 2013-11-11 04:39:07 to 2013-11-16 13:29:39

b) Deliveries per hour

Deliveries per hour (each dot is 124 deliveries)

00-01 232 .
01-02 155 .
02-03 77
03-04 68
04-05 87
05-06 101
06-07 102
07-08 97
08-09 145 .
09-10 188 .
10-11 175 .
11-12 6183 ………………………………………….
12-13 2505 ………………..
13-14 361 ..
14-15 338 ..
15-16 256 ..
16-17 874 …….
17-18 448 …
18-19 337 ..
19-20 296 ..
20-21 272 ..
21-22 190 .
22-23 242 .
23-24 272 ..

In the above details, you can find a huge delivery of mails between 11-12 hours and 12-13 hours. This is something that we need to further look into to find the details.

2) Find the day in which these mails had been sent from server.

From the date range details, you can find the details of the days. To find the details for a specific date, you need to use the command as:

# grep 2012-11-12 exim_mainlog|eximstats

In this case, the output I observed was the following:

Deliveries per hour (each dot is 121 deliveries)

00-01 206 .
01-02 140 .
02-03 50
03-04 36
04-05 33
05-06 30
06-07 37
07-08 29
08-09 26
09-10 40
10-11 41
11-12 6044 ………………………………………….
12-13 2270 ………………
13-14 166 .
14-15 197 .
15-16 142 .
16-17 684 …..
17-18 256 ..
18-19 119
19-20 72
20-21 58
21-22 6
22-23 71
23-24 5

So, this is what we need to look for details specifically.

3) Find the specific part from the logs.

This is relatively easy as all needed is to run the grep command as:

# grep “2012-11-12 11” exim_mainlog

Sample entries I observed were the following:

2012-11-12 11:01:44 1TXwSG-0002xj-0m <= a@g.com U=a P=local S=1051 T="REMAX November Offer| Exclusive Properties For Sale At Lower Price" for n@a.com
2012-11-12 11:01:44 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1TXwSG-0002xj-0m
2012-11-12 11:01:44 cwd=/home/a/public_html/el.com/wp-content/themes 3 args: /usr/sbin/sendmail -t -i
2012-11-12 11:01:44 1TXwSG-0002xj-0m SMTP connection outbound 1352736104 1TXwSG-0002xj-0m a.com n@g.com

There were thousands of such entries and this server had been blacklisted almost everywhere.

You can also search in logs for cwd= pattern. If you need to find out the volume it is better to use eximstats.

To get a sorted list of email sender in exim mail queue. It will show the number of mails send by each one.

# exim -bpr | grep “<" | awk {'print $4'} | cut -d "” -f 1 | sort -n | uniq -c | sort -n

The following scripts will check the script that will originate spam mails:

# grep “cwd=/home” /var/log/exim_mainlog | awk ‘{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

# awk '{ if ($0 ~ "cwd" && $0 ~ "home") {print $3} }' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

# grep 'cwd=/home' /var/log/exim_mainlog | awk '{print $3}' | cut -d / -f 3 | sort -bg | uniq -c | sort -bg

If we need to find out exact spamming script. The following script will shows the current spamming script running now. The following script will help you in all time of mail servers. It will help you to find the exact script which sending mails.

# ps auxwwwe | grep | grep –color=always “” | head

The usage of the above script is as shown below.

# ps auxwwwe | grep test8 | grep –color=always “/home/test8/public_html/wp/wp-content/themes/twentyeleven” | head

Once you find the exact script, the following script will help you to find the IP address which is responsible for spamming. You will get a list of IPs from the following script. The IPs address which has high number of access is most probably causing spamming. You can block the IP address in csf or apf firewall.

# grep “” /home/user/access-logs/testdomain.com | awk ‘{print $1}’ | sort -n | uniq -c | sort -n


Following command that will show you the script which is using script to send the email. If it is from php then use

# egrep -R “X-PHP-Script” /var/spool/exim/input/*


It shows top 50 domains using mail server with options.

# eximstats -ne -nr /var/log/exim_mainlog


It shows from which user’s home the mail is going, so that you can easily trace it and block it if needed.it shows the mails going from the server.

# ps -C exim -fH ewww | grep home

It shows the IPs which are connected to server through port number 25. It one particular Ip is using more than 10 connection you can block it in the server firewall.

# netstat -plan | grep :25 | awk {‘print $5’} | cut -d: -f 1 | sort | uniq -c | sort -nk 1

In order to find “nobody” spamming, issue the following command

# ps -C exim -fH ewww | awk ‘{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n

It will give some result like:
Example :
6 PWD=/
347 PWD=/home/sample/public_html/test
Count the PWD and if it is a large value check the files in the directory listed in PWD
(Ignore if it is / or /var/spool/mail /var/spool/exim)

The above command is valid only if the spamming is currently in progress. If the spamming has happened some hours before, use the following command.

# grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n


The following script will give the summary of mails in the mail queue.

exim -bpr | exiqsumm -c | head

1. Create a file named chpass.sh with the following contents in it.

cat /etc/trueuserdomains | awk ‘{print $2}’ | while read user; do
pass=`> passwords.txt
/scripts/realchpass $user $pass
/scripts/ftpupdate ===================================================================

2. Give executable permission to the script.

# chmod +x chpass.sh

3. Run the script and you will get a file named passwords.txt with all cpanel users with their new passwords.

# sh chpass.sh

You can use random string generate scripts like the following generate passwords.

pass=`date | md5sum | head -c16 | xargs`
pass=`openssl rand -base64 128 | head -c16 | xargs`
pass=`strings /dev/urandom | tr -dc .~?_A-Z-a-z-0-9 | head -c16 | xargs`


In some cases when executing /scripts/realchpass script will showing the following error.

ERROR: /usr/local/cpanel/scripts/realchpass
Invocation changes only the system
password and does not have any effect
on other services associated with your
cPanel account, including FTP, SSH,
WebDAV, and FrontPage. It is strongly
encouraged for you to change the
password via the WHM & cPanel
interface. You can force a password
change through this script by setting
the environment variable

You can fix the above error by running the following command. After that execute the script again.



When creating a mail account using cpanel, it is showing an error as showing below.


File open for /home/user/etc/domain.com/passwd failed with error No such file or directory


The error is because of the the wrong permssions or missing of the ‘etc’ directory in user’s document root.
You can create a new direcory in that name and given permissions as like follows to solve the issue.
Let ‘jijo’ be the cpanel user having the issue.

root@server [~]# cd /home/jijo
root@server [/home/jijo]# mkdir etc
root@server [/home/jijo]# chmod 750 etc
root@server [/home/jijo]# chown jijo.mail etc

Installing Ruby on Rails on cPanel

Posted: March 21, 2014 in cPanel

In cpanel it is easy to install Ruby using the following cpanel script.

# /scripts/installruby

Some times the cPanel scripts installer does not work properly and does not install them. So you can run the following commands to install Ruby.

# gem install rails
# gem install mongrel
# gem install fastthread

Open ports 3000 and 12001 if you’re running a firewall

If you have installed LIBSAFE, uring the installation you may encounter an Overflow error and the installation will stop. You have to add /usr/bin/ruby to LIBSAFE exception list.
The installation log may as like follows.
0x8052e4a /usr/bin/ruby
0x8bbde7 /lib/libc-2.5.so
Overflow caused by memcpy()

You can add /usr/bin/ruby to LIBSAFE exception list by using the following command.

# echo “/usr/bin/ruby” >> /etc/libsafe.exclude
# echo “/usr/bin/ruby-bin” >> /etc/libsafe.exclude

Try running the installation again… This time there will not be any Overflow errors while installation…


When try to access phpMyAdmin from cPanel it is showing the following error.

Fatal error: session_start() [function.session-start]: Failed to initialize storage module: sqlite (path: /var/cpanel/userhomes/cpanelphpmyadmin/sessions/phpsess.sdb) in /usr/local/cpanel/base/3rdparty/phpMyAdmin/libraries/session.inc.php on line 92


Login as root user via ssh,

open the file, /usr/local/cpanel/3rdparty/etc/phpmyadmin/php.ini in your favourate editor and search for the following entries in it.

session.save_handler = sqlite
session.save_path =/var/cpanel/userhomes/cpanelphpmyadmin/sessions/phpsess.sdb

Change the above two lines to as follows.

session.save_handler = files
session.save_path = /var/cpanel/userhomes/cpanelphpmyadmin/sessions

If the direcroty exists, remove all session files from there.

# rm -f /var/cpanel/userhomes/cpanelphpmyadmin/sessions/sess*

If the directory, /var/cpanel/userhomes/cpanelphpmyadmin/sessions does not exist, create it.

# mkdir -p /var/cpanel/userhomes/cpanelphpmyadmin/sessions

change the permission of /var/cpanel/userhomes/cpanelphpmyadmin/sessions as follows.

# chmod 1777 /var/cpanel/userhomes/cpanelphpmyadmin/sessions

Once you have done the above changes, restart apache.

# /etc/init.d/httpd restart

Try loading phpMyAdmin again…

I have followed the following steps to create custom php.ini for a user in cpanel server. There is suphp enabled in the server.

# cp /usr/local/lib/php.ini /home//public_html/php.ini

I have created a phpinfo page and accessed in browser and it is found that it still loading server’s default(/usr/local/lib/php.ini) php.ini

Later it is found that there is SuExec Enabled Server.

root@server [~]# httpd -M | grep su
suexec_module (static)
suphp_module (shared)
Syntax OK

The configuration changes given below will help you to enable Custom php.ini on SuExec and suphp Enabled Server.

Open /opt/suphp/etc/suphp.conf in yourfavourate editor and search for the following lines.

;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.

The above suphp configuration forces suphp to use the php.ini from /usr/local/lib/. You can comment those line to resolve the loading issue of custom php.ini file. So the configuation will look like as follows after the change.

;Uncommenting these will force all requests to that handler to use the php.ini
;in the specified directory regardless of suPHP_ConfigPath settings.

Once you made the changes, restart apache to make changes in effective.

# /etc/init.d/httpd restart

Try to load phpinfo page again and verify the result.