How do I tracert spam on my server?

Posted by thedutchlaw, 09-22-2008, 09:46 AM
Hello. I am using a plain Plesk server, which is well secured as far as I know. It's running 300 websites. I do have some clients who are using insecure PHP scripts, so sometimes there is a 20,000-e-mail queue, which is filled with spam. I wish to look up the sender of spam easily. Unfortunately 'cat /var/qmail/queue/0/3023230' will only tell me the date the e-mail was sent. If I look in the maillog, it will tell me whether it was sent via SMTP or Apache. But if it was sent via Apache, then I have a problem. I cannot tracert which specific PHP file sends out the spam; even though I have a /var/log/spam_log set up according to tutorials, it doesn't help much. How do you trace which PHP file is exploited and sends out the spam?
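One way to answer the question above, as an added example that is not from the thread, from Plesk or from any of the tutorials the poster mentions: put a logging wrapper in front of the real sendmail binary. PHP's mail() hands every message to the program named in sendmail_path, so the wrapper sees the uid, the working directory (mod_php changes into the script's directory before running it, so this is usually the directory of the offending file) and, under the CGI/FastCGI SAPIs, the SCRIPT_NAME/REQUEST_URI/REMOTE_ADDR variables. The paths /usr/sbin/sendmail.real and /var/log/spam_log are assumptions, and the sample log lines in demo_summary are constructed, not real data. (PHP 5.3 later added the mail.log and mail.add_x_header settings, which record the same information without a wrapper.)

```shell
#!/bin/sh
# Added example, not code from the thread: a logging wrapper installed in
# place of /usr/sbin/sendmail, plus a summariser for the log it writes.
# Install (assumed layout):
#   mv /usr/sbin/sendmail /usr/sbin/sendmail.real
#   cp this_file /usr/sbin/sendmail && chmod 755 /usr/sbin/sendmail
#   touch /var/log/spam_log && chmod 666 /var/log/spam_log   # web user must append

REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail.real}"   # assumed name of the renamed binary
SPAM_LOG="${SPAM_LOG:-/var/log/spam_log}"                   # assumed log path

# Build one log line. Arguments: uid cwd script_name request_uri remote_addr.
# Fields are '|'-separated so paths containing spaces do not break parsing.
format_mail_log_line() {
    printf '%s|uid=%s|cwd=%s|script=%s|uri=%s|remote=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" "$2" "$3" "$4" "$5"
}

# Wrapper entry point: record who is calling, then hand stdin and every
# argument to the real sendmail unchanged so delivery is not affected.
# SCRIPT_NAME & co. are only present in the environment under CGI/FastCGI;
# with mod_php they read '?', but $PWD still points at the script's directory.
log_and_forward() {
    format_mail_log_line "$(id -u)" "$PWD" "${SCRIPT_NAME:-?}" \
        "${REQUEST_URI:-?}" "${REMOTE_ADDR:-?}" >> "$SPAM_LOG"
    exec "$REAL_SENDMAIL" "$@"
}

# Rank working directories by message count: the directory feeding a
# 20,000-message queue will be the first line. Argument: log file path.
top_sending_dirs() {
    cut -d'|' -f3 "$1" | sort | uniq -c | sort -rn
}

# Constructed sample lines (not real log data) so the summariser can be
# tried without a live server; the "language" directory is the busiest.
demo_summary() {
    tmp=$(mktemp)
    printf '%s\n' \
      '2008-09-22T17:01:02|uid=48|cwd=/var/www/vhosts/a.example/httpdocs|script=?|uri=?|remote=?' \
      '2008-09-22T17:01:03|uid=48|cwd=/var/www/vhosts/b.example/httpdocs/language|script=?|uri=?|remote=?' \
      '2008-09-22T17:01:03|uid=48|cwd=/var/www/vhosts/b.example/httpdocs/language|script=?|uri=?|remote=?' \
      > "$tmp"
    top_sending_dirs "$tmp"
    rm -f "$tmp"
}

# Act as the wrapper only when invoked under a sendmail name; when the file
# is sourced or run by another name it just defines the helpers above.
case "${0##*/}" in
    sendmail|sendmail.qmail|sendmail.postfix) log_and_forward "$@" ;;
    --summary) top_sending_dirs "$SPAM_LOG" ;;
esac
```

Once a directory floats to the top, `ls -la` on it, sorted by mtime, normally points straight at the dropped script; the wrapper adds one fork per message, which is negligible next to the cost of the spam itself.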

Posted by hosting_we3cares, 09-22-2008, 10:04 AM
Hi, try this: http://www.webhostgear.com/353.html

Last edited by bear; 09-27-2008 at 12:13 PM.

Posted by thedutchlaw, 09-22-2008, 11:15 AM
[root@server06 scripts]# /usr/local/nobody_check/nobody_check
Nobody Check 1.0.3 Current Running on Plesk
Copyright (c) 2006 Wave Point Media Inc
Made available by wwwebhostgear.com
Options: kill bad proc=1 logging lvl=1
Initializing Scan on Mon Sep 22 17:10:18 CEST 2008 ...
httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean
Done Scanning
Clean Processes: 51
Your server is all clean and safe - keep up the good work!
[root@server06 scripts]#

[root@server05 scripts]# wget wwwebhostgear.com/projects/nobodycheck/install.sh
--17:10:40-- wwwebhostgear.com/projects/nobodycheck/install.sh
Resolving wwwebhostgear.com... 70.86.41.194
Connecting to wwwebhostgear.com|70.86.41.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1111 (1.1K) [application/x-sh]
Saving to: `install.sh'
100%[=======================================>] 1,111 --.-K/s in 0s
17:10:43 (96.3 MB/s) - `install.sh' saved [1111/1111]

[root@server05 scripts]# sh install.sh
Installing Nobody Check now...
Checking for existing install
Continuing...
--17:10:45-- wwwebhostgear.com/projects/nobodycheck/nobody_check.tar.gz
Resolving wwwebhostgear.com... 70.86.41.194
Connecting to wwwebhostgear.com|70.86.41.194|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2953 (2.9K) [application/x-tar]
Saving to: `nobody_check.tar.gz'
100%[=======================================>] 2,953 --.-K/s in 0.1s
17:10:45 (28.4 KB/s) - `nobody_check.tar.gz' saved [2953/2953]
nobody_check/
nobody_check/nobody_check
nobody_check/nc.conf
Cleaning up
*******************************
Nobody Check Install Complete!
*******************************
Installed to: /usr/local/nobody_check
Modify the config file nc.conf
[root@server05 scripts]#

[root@server05 scripts]# nano /usr/local/nobody_check/n
nc.conf nobody_check
[root@server05 scripts]# nano /usr/local/nobody_check/nc.conf
[root@server05 scripts]# /usr/local/nobody_check/nobody_check --help
Nobody Check 1.0.3 Current Running on Plesk
Copyright (c) 2006 Wave Point Media Inc
Made available by wwwebhostgear.com
Options: kill bad proc=1 logging lvl=1
Initializing Scan on Mon Sep 22 17:11:34 CEST 2008 ...
httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean httpd is httpd ...clean
DETECTION: Process 32236 with name httpd and path /var/www/vhosts/notabene.com/httpdocs/language/AhoK/httpd
Done Scanning
DETECTED Malicious Processes: 1
Your servers has found harmful processes - check them right away!
A detailed report has been emailed to dentist@john.nl
[root@server05 scripts]

First of all, thank you! But such a malicious process on what I thought was a protected server... does scare me a little. How do they manage to get this process running, even though safe mode is on and they're in a chrooted environment?

Last edited by thedutchlaw; 09-22-2008 at 11:23 AM.

Posted by hosting_we3cares, 09-23-2008, 05:23 AM
Hi, chances are that one of the web folders is kept with permission 777. Malicious users can upload their scripts into it and execute them. You may want to perform a security check on your server.

Last edited by bear; 09-27-2008 at 12:13 PM.
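The detection two posts up and the 777 remark in this reply, as an added example that is neither the nobody_check tool's source (the thread does not show it) nor anything from Plesk. The point the scan output makes is that the process named itself httpd, so `ps` shows nothing odd; only the path of its executable, inside a customer's httpdocs, gives it away. The functions below encode that rule, walk /proc with it, and list the world-writable directories an uploaded binary would have been dropped into. The /var/www/vhosts layout and the list of trusted binary directories are assumptions; adjust them for a different panel.

```shell
#!/bin/sh
# Added example, not the nobody_check tool: flag processes whose executable
# lives somewhere a daemon has no business being, and list 777 directories.
# Must run as root to read other users' /proc/PID/exe links.

VHOST_ROOT="${VHOST_ROOT:-/var/www/vhosts}"                # assumed Plesk docroot parent
TRUSTED_BIN_DIRS="/usr/sbin /usr/bin /sbin /bin /usr/local/sbin /usr/local/bin /usr/libexec"
DAEMON_NAMES="httpd|apache2|php|php-cgi"                   # names worth impersonating

# Decide whether one process is suspicious. Arguments: process name (comm)
# and the resolved path of its executable. Prints a verdict; returns 1 when
# the process should be looked at, 0 when it is clean.
classify_proc() {
    name="$1"; exe="$2"
    case "$exe" in
        *' (deleted)')      # binary removed after start: classic cleanup by a dropper
            echo "DETECTION: $name: executable deleted after start: $exe"; return 1 ;;
        "$VHOST_ROOT"/*)    # the case from the scan output above
            echo "DETECTION: $name runs from a customer docroot: $exe"; return 1 ;;
        /tmp/*|/var/tmp/*|/dev/shm/*)
            echo "DETECTION: $name runs from a world-writable location: $exe"; return 1 ;;
    esac
    # A process wearing a daemon's name must live in a trusted binary directory.
    if echo "$name" | grep -qxE "$DAEMON_NAMES"; then
        dir="${exe%/*}"
        for d in $TRUSTED_BIN_DIRS; do
            [ "$dir" = "$d" ] && { echo "$name is $exe ...clean"; return 0; }
        done
        echo "DETECTION: $name has a daemon's name but lives in $exe"; return 1
    fi
    echo "$name is $exe ...clean"
    return 0
}

# Walk every live process. The name comes from /proc/PID/stat (field 2, in
# parentheses) so this also works on kernels older than 2.6.33 that have no
# /proc/PID/comm. Returns non-zero when anything was flagged.
scan_running_processes() {
    bad=0
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel thread or already gone
        name=$(sed -n 's/^[0-9]* (\(.*\)) .*/\1/p' "$p/stat" 2>/dev/null)
        [ -n "$name" ] || continue
        classify_proc "$name" "$exe" || bad=$((bad + 1))
    done
    echo "Suspicious processes: $bad"
    [ "$bad" -eq 0 ]
}

# Directories under a root that any user may write to (the 777 case): these
# are where uploaded tools land, so they are the first place to look.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null
}

# Run the full sweep only when executed directly with --scan.
[ "${1:-}" = "--scan" ] && { scan_running_processes; world_writable_dirs "$VHOST_ROOT"; }
```

A hit from classify_proc gives the PID; `ls -l /proc/PID/cwd` and `cat /proc/PID/cmdline` then show where it was started from and how, which is what you need before killing it and cleaning the directory.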

Posted by rathin, 09-23-2008, 05:47 AM
My httpd process runs as nobody; will that also be cleaned up?

Posted by hosting_we3cares, 09-23-2008, 06:22 AM
Hi, nope, this script does not delete or clean up any file or process. It will just check and warn you.

Last edited by bear; 09-27-2008 at 12:12 PM.

Posted by thedutchlaw, 09-26-2008, 03:35 PM
Hello. Thanks for your answers. Unfortunately there was no answer that helped me solve my spam problems. I am looking for a tech support guy who is willing to work for $20 per hour for me. I need quite a few Linux server jobs to be done. It will be about 12-14 hours of work. Do you know one? Please send me a PM with his MSN or e-mail address. I prefer good experience and fast e-mail response time. Are you one? Contact me via PM and send your MSN or e-mail address.

Posted by thedutchlaw, 09-27-2008, 06:39 AM
Feel free to comment. I have some technical server problems that will eventually cost me clients.

Posted by crazyaboutlinux, 04-29-2010, 01:54 AM
The download link is not working: http://www.webhostgear.com/projects/nobodycheck/install.sh

Posted by david510, 04-29-2010, 03:22 AM
Check with them. There may not be another copy on other sites.
