The other day I found that one of the domains on a busy server was sending unsolicited spam mail thousands of times a day. It happens: the nature of open source scripts is that they will get hacked if they’re not updated regularly.
The clue was a backed-up mail queue and Gmail no longer accepting mail from the IP in question.
When I examined one of the spam mails I found a line like this:
X-PHP-Originating-Script: 10040:listr3b.php
Good to know the spam was sent from a PHP script… but from which domain? All we have here is the numeric ID of the system user the script ran as (10040), and that doesn’t mean much to the average human administrator.
Here’s how to translate that Plesk User ID into the domain it’s coming from:
grep 10040 /etc/passwd
evilusername:x:10040:505::/var/www/vhosts/evildomain.com:/bin/false
Replace the user ID with the one from your own header, and the matching line gives you the user name as well as the vhost path, which tells you the domain in question.
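The same lookup as a small POSIX shell script, added here as an example rather than taken from the original post. It extracts the UID from the X-PHP-Originating-Script header and matches it against the third field of the passwd database, because a bare grep for the number also hits lines where it appears as a GID, inside a path, or as part of a longer UID; the passwd lines and the mail header below are constructed sample data, and on a real server you would feed it the output of getent passwd instead.

```shell
#!/bin/sh
# Constructed sample passwd data (not a real /etc/passwd). The third
# line has a UID that merely contains "10040", the fourth has it as a GID.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
evilusername:x:10040:505::/var/www/vhosts/evildomain.com:/bin/false
other:x:110040:505::/var/www/vhosts/otherdomain.example:/bin/false
psaadm:x:2521:10040::/usr/local/psa:/bin/false'

# Constructed sample message headers containing the telltale header.
SAMPLE_MAIL='Received: from localhost
X-PHP-Originating-Script: 10040:listr3b.php
Subject: Hello'

# Print the numeric UID from the first X-PHP-Originating-Script header in
# the given message text. Returns non-zero when no such header is present.
originating_uid() {
    printf '%s\n' "$1" \
        | sed -n 's/^X-PHP-Originating-Script: *\([0-9][0-9]*\):.*/\1/p' \
        | head -n 1 | grep .
}

# Map a UID to "username homedir" by comparing the third colon-separated
# field exactly, so 10040 never matches 110040 or a GID of 10040.
# $1 = uid, $2 = passwd text (e.g. "$(getent passwd)" on a live system).
uid_to_home() {
    printf '%s\n' "$2" | awk -F: -v uid="$1" '$3 == uid { print $1, $6; exit }'
}

# Stand-alone demonstration on the sample data.
uid=$(originating_uid "$SAMPLE_MAIL") && uid_to_home "$uid" "$SAMPLE_PASSWD"
```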