I'm running a number of accounts on my server and every once in a while something will be exploited that will send spam using some compromised script. The problem is finding out exactly from what account and what script.
Now I've been able to look at the headers to identify which account it is -- it will usually be [email protected] so "accountname" will identify the offending domain. So I go look at my logs to see the activity, which can sometimes be an incredibly long list. Sometimes I can spot the suspicious activity and try to start around the time bounced mail comes back from the barrage of spam.
What methods do you guys use to spot zombie attacks like this? How about being able to track processes that are running and shut the right ones down? I can appreciate some of this from knowing which processes are not problematic from experience. But how do you know that when PHP is running it isn't because of the compromised script? I usually clean out the mail queue quickly and restart exim if need be.
Would be great to have some tips and tricks as I've become more familiar with doing this completely solo and the attacks get more creative... many thanks to you all.
(PS - I have had suexec recently installed by someone and am trying to learn how it might help me other than letting it run and doing its thing.)
(PPS - I also readily admit while I've learned a great deal, I will likely need to find some good resources on going from beyond the basics towards intermediate and advanced.)
I usually search in the logs for the time and date the email was sent.
Doing that now but there is something running in top (I see 4 zombies listed but don't know what they are) that is throwing out hundreds of emails per minute. So if there is an entry, it's just a single one in a busy log.
How about identifying zombie processes while in top to kill them? How can you tell which should not be there and might be the culprits? I see about 15 entries for exim (I can't even scroll to see every entry in top in ssh) so something is generating these emails.
Thanks for your reply and all others!
PS - I just located the source of the script. Someone was using a temporary directory used for caching off the root that was chmoded at 777. They uploaded a script there and ran files off of it. I'm not sure of the best way to handle such issues since many scripts seem to be written to use a directory, e.g. public_html/tmp which is set to a 777 permissions and thus this seems like it can happen again.
Not much use in shutting down a process if you don't know what started it.
# top -ic << will show running processes only for easy viewing
# ps aux|grep nobody << should only show 'httpd' anything else is bad
Then there is the whole process of securing your Server to prevent hacker scripts from working, even if they have been able to be uploaded. Best to hire your DC or someone else, if not sure how to do it yourself.
PotentProducts.com - for all your Hosting needs
Helping people Host, Create and Maintain their Web Site
ServerAdmin Services also available
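An added example, not from any poster in this thread, that scripts the two checks discussed above: which directory the spam is being submitted from, and which web directories are world-writable like the public_html/tmp at 777 that was found. It assumes exim's log_selector includes +arguments (the cPanel default), so each local submission writes a "cwd=" line to the mainlog; the log lines below are constructed, not real.

```shell
#!/bin/sh
# Count how many messages were handed to exim from each working directory.
# A compromised script in public_html/tmp shows up as the directory with
# by far the most submissions.  Usage: spam_origins /var/log/exim_mainlog
spam_origins() {
    grep -o 'cwd=[^ ]*' "$1" | sort | uniq -c | sort -rn
}

# The single busiest submission directory, i.e. where to look for the script.
top_origin() {
    spam_origins "$1" | head -n 1 | awk '{print $2}' | sed 's/^cwd=//'
}

# World-writable directories under a web root (mode ---------w-): the kind
# of directory an uploaded script can be dropped into and executed from.
# Usage: world_writable_dirs /home
world_writable_dirs() {
    find "$1" -type d -perm -002 2>/dev/null
}

# Constructed sample mainlog (hypothetical account names, not real data)
# showing three submissions from one account's tmp directory and one
# ordinary submission from another account.
make_sample_log() {
    cat > "$1" <<'EOF'
2012-03-01 10:00:01 cwd=/home/accountname/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2012-03-01 10:00:01 1S2abc-0001aa-Bc <= accountname@server.example U=accountname P=local S=1234
2012-03-01 10:00:02 cwd=/home/accountname/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2012-03-01 10:00:03 cwd=/home/accountname/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2012-03-01 10:05:00 cwd=/home/otheracct/public_html 3 args: /usr/sbin/sendmail -t -i
EOF
}

# Stand-alone demonstration on the constructed log.
SAMPLE="${TMPDIR:-/tmp}/exim_mainlog.sample.$$"
make_sample_log "$SAMPLE"
echo "Submissions per directory:"
spam_origins "$SAMPLE"
echo "Most likely script location: $(top_origin "$SAMPLE")"
rm -f "$SAMPLE"
```

On a live box, point spam_origins at the real mainlog and world_writable_dirs at /home; the directory that tops the first list and appears in the second is where to look, and what to chmod back to 755 once the script is removed.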