
Diagnosing and Fixing Compromised Email Scripts on Shared Hosting

Last updated on Aug 08, 2025

**Description:** A step-by-step guide to help shared hosting customers identify unauthorized email-sending scripts, secure their mailboxes, and prevent automatic account suspensions due to email abuse or compromise.



Introduction

On shared hosting, compromised email scripts can cause spam sending, blacklisting of your domains or server IP, and automatic account suspensions. This guide is designed to help you find and fix unauthorized email-sending scripts, and secure your hosting account—using only the tools available to you as a shared hosting customer.


Symptoms of a Compromised Email Script

Be alert for these indicators:

  • You receive a suspension or abuse notice about spam email activity.
  • Your mailbox is flooded with delivery failure or bounce-back messages for emails you did not send.
  • cPanel or your hosting provider flags excessive outgoing email activity.
  • Your website or domain ends up on blacklists with major email providers like Gmail or Outlook.
  • You discover unfamiliar PHP or script files in your hosting directories.

Step 1: Identify Unauthorized Email Activity

Check Outbound Email Logs in cPanel

  1. Log in to cPanel.
  2. Navigate to Email > Outbound Email.
  3. Review recent outgoing emails for suspicious activity, such as:
    • Large volumes of emails sent in a short time.
    • Emails sent from unknown mailboxes or scripts.
    • Unfamiliar recipient addresses.

Example: Reviewing Outbound Email Logs

Look for log entries like:

    user@yourdomain.com -> recipient@example.com
    Sent via /home/username/public_html/wp-content/themes/oldtheme/mail.php

Pay close attention to unknown script paths or unexpected senders.


Step 2: Locate and Remove Malicious Scripts

Use File Manager to Search for Suspicious Files

  1. In cPanel, open File Manager.

  2. Sort files by "Last Modified" date in /public_html and all subdirectories.

  3. Look for files with unusual names, especially those like mail.php, mailer.php, sendmail.php, or anything that looks unfamiliar.

  4. Open suspect files and check for code such as:

    mail($to, $subject, $message, $headers);
    

    or

    eval(base64_decode("..."));
    

Remove Malicious Scripts

  • Delete any files you did not create, or that are clearly meant for unauthorized email sending.
  • If you're not sure, rename the file (e.g., mail.php.suspected) to avoid breaking your site while you investigate further.
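
The File Manager search and the rename-first advice above can also be done from a shell, shown here as an added example that is not part of the original guide or the hosting provider's tooling. It assumes your plan includes SSH or cPanel Terminal access; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: Step 2 triage from a shell. Function names are hypothetical.
# Assumes shell access to the hosting account (SSH or cPanel Terminal).

# Patterns from Step 2. PHP function names are case-insensitive, so grep uses -i.
RE_EVAL='eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\('
# Bare mail( only; wrappers such as wp_mail( are not matched.
RE_MAIL='(^|[^[:alnum:]_])mail[[:space:]]*\('

# _scan TAG REGEX [ROOT] [DAYS]: print "TAG<TAB>path" for each matching PHP file.
_scan() {
    _tag=$1 _re=$2 _root=${3:-$HOME/public_html} _days=${4:-}
    set -- "$_root" -type f \( -name '*.php' -o -name '*.phtml' \)
    # Optional "Last Modified" filter: only files changed in the last DAYS days.
    if [ -n "$_days" ]; then set -- "$@" -mtime "-$_days"; fi
    { find "$@" -exec grep -liE -e "$_re" {} + 2>/dev/null || true; } |
        while IFS= read -r _f; do printf '%s\t%s\n' "$_tag" "$_f"; done
}

# scan_mail_scripts [ROOT] [DAYS]: run both patterns over the tree.
# A mail-call hit is a lead, not a verdict: contact forms call mail() too.
# Modification times can be reset, so also run it without DAYS.
scan_mail_scripts() {
    _scan eval-base64 "$RE_EVAL" "$@"
    _scan mail-call "$RE_MAIL" "$@"
}

# quarantine FILE: rename rather than delete, as the guide suggests when unsure.
quarantine() {
    mv -- "$1" "$1.suspected" && printf '%s\n' "$1.suspected"
}
```

Run `scan_mail_scripts ~/public_html 14` for recent changes, then `scan_mail_scripts ~` to cover directories outside public_html as well.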

Scan for Malware with cpGuard in cPanel

  • Go to cPanel > cpGuard.
  • Run a full malware scan on your home directory.
  • Follow cpGuard’s recommendations to clean, quarantine, or remove any infected files it finds.

cpGuard provides advanced malware detection and is recommended for shared hosting customers for routine scans.


Step 3: Secure Your Mailboxes and Accounts

Change All Email Account Passwords

  1. In cPanel, go to Email Accounts.

  2. For each mailbox, click Manage and set a new, strong password.

  3. Use a password manager or generate secure passwords using:

    cPanel > Password Generator
    

Remove Unused Email Accounts and Forwarders

  • Delete any email accounts or forwarders you do not recognize or no longer require.

Update Website CMS, Plugins, and Themes

  • Log in to your CMS (like WordPress, Joomla, etc.).
  • Update all core software, plugins, and themes to the latest versions.
  • Remove any plugins or themes you don’t use or that are outdated.

Step 4: Prevent Future Compromises

Best Practices

  • Keep all website and plugin software up to date.

  • Use strong, unique passwords for every account and mailbox.

  • Regularly scan your site for malware using cpGuard or reputable security plugins (e.g., Wordfence for WordPress).

  • Restrict file permissions:

    chmod 644 file.php
    chmod 755 directories/
    
  • Avoid installing outdated or nulled (pirated) plugins or themes.

  • Enable email authentication (SPF, DKIM, DMARC) using cPanel > Email Deliverability for each domain.
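
The permission modes from the list above, applied across a whole site tree, as an added example that is not part of the original guide. It assumes SSH or cPanel Terminal access; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: audit and normalise permissions to the guide's 644/755.
# Function names are hypothetical; assumes shell access to the account.

# audit_perms [ROOT]: list files and directories that group or others can write to.
audit_perms() {
    find "${1:-$HOME/public_html}" \( -type f -o -type d \) \
        \( -perm -020 -o -perm -002 \) -print
}

# fix_perms [ROOT]: set directories to 755 and files to 644 in separate passes.
# A blanket `chmod -R 755` would mark every file executable, and
# `chmod -R 644` would strip the search bit that directories need.
# Re-add the execute bit afterwards for anything run as a CGI or shell script.
fix_perms() {
    _root=${1:-$HOME/public_html}
    find "$_root" -type d -exec chmod 755 {} +
    find "$_root" -type f -exec chmod 644 {} +
}
```

Run `audit_perms` first and keep its output: a writable upload or cache directory in that list is a likely place for a planted script.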


Troubleshooting and Common Issues

Emails Still Being Sent After Cleanup

  • Check for hidden or disguised scripts in directories outside public_html or in non-public folders.
  • Review your cron jobs in cPanel:
    • Go to cPanel > Cron Jobs and inspect all scheduled tasks for anything that may trigger email scripts.

Site Is Blacklisted or IP Is Blocked

  • Once your account is cleaned, use Google Postmaster or other blacklist removal services to request delisting.
  • Update your SPF, DKIM, and DMARC records to help restore deliverability and improve reputation.

Password Reset Issues

  • If you’re unable to reset a password, use the cPanel "Forgot Password" function or reach out to support for assistance.

When to Contact Support

Contact support if:

  • You cannot identify or successfully remove the malicious script.
  • Email abuse persists after completing all cleanup steps.
  • Your cPanel is inaccessible, or you’re uncertain about performing any steps above.

Submit a support ticket including:

  • The affected domain(s)
  • Steps you have already taken
  • Any relevant error messages or log excerpts

By following this guide, you can restore and maintain the security of your email and hosting account, reducing the risk of account suspension and safeguarding your online reputation.