Find Spam Script location with Exim


Step 1.  Login to your server via ssh as root user.

Step 2.  Run the following command

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

You should get back something like this:

15 /home/userna5/public_html/about-us
25 /home/userna5/public_html
7866 /home/userna5/public_html/data

Step 3.  The directory with the highest count (/home/userna5/public_html/data) is the one sending the most mail. Now we can run the following command to see what scripts are located in that directory:

ls -lahtr /home/userna5/public_html/data

In this case we got back:

drwxr-xr-x 17 userna5 userna5 4.0K Jan 20 10:25 ../
-rw-r--r-- 1 userna5 userna5 5.6K Jan 20 11:27 mailer.php
drwxr-xr-x 2 userna5 userna5 4.0K Jan 20 11:27 ./

So we can see there is a script called mailer.php in this directory.

Step 4.  Knowing the mailer.php script was sending mail into Exim, we can now take a look at our Apache access log to see what IP addresses are accessing this script using the following command:

grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n

You should get back something similar to this:

2 123.123.123.126
2 123.123.123.125
2 123.123.123.124
7860 123.123.123.123

So we can clearly see that the IP address 123.123.123.123 was the one abusing our mailer script.

Step 5.  If you did find a malicious IP address sending out a large volume of messages through a script on your server, you'll probably want to block it at your server's firewall so that it can't connect again. This can be accomplished with the following command:

apf -d 123.123.123.123 "Spamming from script in /home/userna5/public_html/data"
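As an added example that is not part of the original article, the following shell script wraps the two log-triage pipelines from steps 2 and 4 into reusable functions and runs them over constructed sample log lines, so the whole procedure can be tried offline without a real mail server. The Exim mainlog entries, the Apache access-log entries, the paths and the IP addresses are all made up for the demonstration, and the function names are my own.

```shell
#!/bin/sh
# Added example: the Exim/Apache spam-script triage from the article above,
# as functions run over constructed sample logs (not real server data).
set -eu

# top_cwd_dirs LOGFILE
# Count how many Exim mainlog entries record each working directory ("cwd="),
# ignoring Exim's own spool directory. Output lines: "<count> <directory>",
# ascending by count, so the busiest directory is printed last.
top_cwd_dirs() {
    grep 'cwd=' "$1" | grep -v '/var/spool' \
        | awk -F'cwd=' '{print $2}' | awk '{print $1}' \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# busiest_cwd LOGFILE
# Just the directory with the highest count (the one to inspect with ls).
busiest_cwd() {
    top_cwd_dirs "$1" | tail -n 1 | awk '{print $2}'
}

# script_client_ips ACCESSLOG SCRIPTNAME
# Count requests per client IP for one script in an Apache access log.
# Output lines: "<count> <ip>", ascending by count.
script_client_ips() {
    grep -F "$2" "$1" | awk '{print $1}' \
        | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# top_client_ip ACCESSLOG SCRIPTNAME
# The single IP responsible for the most requests to the script.
top_client_ip() {
    script_client_ips "$1" "$2" | tail -n 1 | awk '{print $2}'
}

# --- constructed sample data (hypothetical paths, dates and IPs) ----------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
EXIM_SAMPLE="$SAMPLE_DIR/exim_mainlog"
ACCESS_SAMPLE="$SAMPLE_DIR/example.com"

# Exim logs the caller's working directory when a local script pipes mail
# into sendmail; entries from /var/spool are Exim's own delivery processes.
cat <<'EOF' > "$EXIM_SAMPLE"
2024-01-20 11:27:01 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rQabc-000123-AB
2024-01-20 11:27:03 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:04 cwd=/home/userna5/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:05 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:06 cwd=/home/userna5/public_html/about-us 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:07 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rQabc-000124-CD
2024-01-20 11:27:08 cwd=/home/userna5/public_html/data 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:09 cwd=/home/userna5/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:27:10 1rQabc-000125-EF <= bounce@example.com H=localhost [127.0.0.1]
EOF

# Apache combined log format; the first field is the client IP.
cat <<'EOF' > "$ACCESS_SAMPLE"
123.123.123.123 - - [20/Jan/2024:11:27:01 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.124 - - [20/Jan/2024:11:27:02 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.123 - - [20/Jan/2024:11:27:03 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.123 - - [20/Jan/2024:11:27:05 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
123.123.123.200 - - [20/Jan/2024:11:27:06 -0500] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
123.123.123.123 - - [20/Jan/2024:11:27:08 -0500] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
EOF

# --- run the triage ------------------------------------------------------
echo "Mail volume per script directory:"
top_cwd_dirs "$EXIM_SAMPLE"
echo "Busiest directory: $(busiest_cwd "$EXIM_SAMPLE")"
echo "Requests to mailer.php per client IP:"
script_client_ips "$ACCESS_SAMPLE" mailer.php
echo "Top client: $(top_client_ip "$ACCESS_SAMPLE" mailer.php)"
```

On the sample data the busiest directory comes out as /home/userna5/public_html/data with 4 entries and the top client as 123.123.123.123 with 4 requests, mirroring the pattern the article describes. The only deviation from the article's pipelines is a trailing awk that strips the padding uniq -c adds, which makes the output easier to compare in scripts; on a real server replace the two sample paths with /var/log/exim_mainlog and the account's access log.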

source : http://www.inmotionhosting.com/support/email/exim/find-spam-script-location-with-exim
