  1. #1

    Best way to ID compromised script?

    I'm running a number of accounts on my server and every once in a while something will be exploited that will send spam using some compromised script. The problem is finding out exactly from what account and what script.

    Now I've been able to look at the headers to identify which account it is -- it will usually be [email protected] so "accountname" will identify the offending domain. So I go look at my logs to see the activity, which can sometimes be an incredibly long list. Sometimes I can spot the suspicious activity and try to start around the time bounced mail comes back from the barrage of spam.

    What methods do you guys use to spot zombie attacks like this? How about being able to track processes that are running and shut the right ones down? I can appreciate some of this from knowing which processes are not problematic from experience. But how do you know that when PHP is running it isn't because of the compromised script? I usually clean out the mail queue quickly and restart exim if need be.

    Would be great to have some tips and tricks as I've become more familiar with doing this completely solo and the attacks get more creative... many thanks to you all.

    (PS - I have had suexec recently installed by someone and am trying to learn how it might help me other than letting it run and doing its thing.)

    (PPS - I also readily admit while I've learned a great deal, I will likely need to find some good resources on going from beyond the basics towards intermediate and advanced.)
    Last edited by badhat; 08-29-2006 at 10:45 PM.

  2. #2
    I usually search in the logs for the time and date the email was sent.

  3. #3
    Quote Originally Posted by Steven
    I usually search in the logs for the time and date the email was sent.
    Doing that now but there is something running in top (I see 4 zombies listed but don't know what they are) that is throwing out hundreds of emails per minute. So if there is an entry, it's just a single one in a busy log.

    How about identifying zombie processes while in top to kill them? How can you tell which should not be there and might be the culprits? I see about 15 entries for exim (I can't even scroll to see every entry in top in ssh) so something is generating these emails.

    Thanks for your reply and all others!

    PS - I just located the source of the script. Someone was using a temporary directory used for caching off the root that was chmoded at 777. They uploaded a script there and ran files off of it. I'm not sure of the best way to handle such issues since many scripts seem to be written to use a directory, e.g. public_html/tmp which is set to a 777 permissions and thus this seems like it can happen again.
    Last edited by badhat; 08-30-2006 at 01:26 AM.
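A repeatable version of the two checks the thread arrives at (search the web log for the minute the mail was accepted, then see whether the script that was hit sits in a world-writable directory). This is an added example, not code posted in the thread; the exim line, the access-log lines, the docroot layout and the path names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: narrow the web log to the minute
# in which exim accepted a message, then check whether the script that was
# hit lives in a world-writable directory (the 777 "tmp" case above).
# All log lines and paths below are constructed samples.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOCROOT="$WORK/public_html"
mkdir -p "$DOCROOT/tmp"
chmod 755 "$DOCROOT"
chmod 777 "$DOCROOT/tmp"   # the world-writable cache directory
printf '<?php /* placeholder for an uploaded script */ ?>\n' > "$DOCROOT/tmp/cache.php"

# Constructed exim mainlog line: message accepted (<=) from the web server user.
cat > "$WORK/mainlog" <<'EOF'
2006-08-30 01:05:17 1GHxyz-0001Ab-Cd <= nobody@example.com U=nobody P=local S=612
EOF

# Constructed Apache access log around the same time.
cat > "$WORK/access_log" <<'EOF'
203.0.113.5 - - [30/Aug/2006:01:04:58 -0500] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [30/Aug/2006:01:05:16 -0500] "POST /tmp/cache.php HTTP/1.1" 200 12
198.51.100.9 - - [30/Aug/2006:01:07:30 -0500] "GET /about.php HTTP/1.1" 200 99
EOF

# $1 = exim mainlog, $2 = access log. Prints the request path of every POST
# logged in the same minute (HH:MM) as the first "<=" line in the exim log.
posts_same_minute() {
  minute=$(awk '/<=/ { print substr($2, 1, 5); exit }' "$1")
  grep '"POST ' "$2" | grep ":$minute:" | awk '{ print $7 }'
}

# $1 = docroot, $2 = request path. Reports whether the directory holding the
# script is world-writable (last octal digit carries the write bit: 2,3,6,7).
dir_world_writable() {
  dir=$(dirname "$1$2")
  [ -d "$dir" ] || { echo "missing $dir"; return 1; }
  perm=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir")
  case "$perm" in
    *[2367]) echo "world-writable $dir ($perm)" ;;
    *)       echo "ok $dir ($perm)" ;;
  esac
}

for path in $(posts_same_minute "$WORK/mainlog" "$WORK/access_log"); do
  dir_world_writable "$DOCROOT" "$path"
done
```

On a real box, point the two functions at the live exim mainlog and the account's access log and loop over every `<=` line from the spam burst rather than only the first.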

  4. #4
    Not much use in shutting down a process if you don't know what started it.

    # top -ic << will show running processes only for easy viewing

    # ps aux|grep nobody << should only show 'httpd' anything else is bad


    Then there is the whole process of securing your Server to prevent hacker scripts from working, even if they have been able to be uploaded. Best to hire your DC or someone else, if not sure how to do it yourself.

  5. #5
    Quote Originally Posted by Website Rob

    # ps aux|grep nobody << should only show 'httpd' anything else is bad
    That's actually not true and depends on what control panel you're using. nobody also runs entropychat and melange on Cpanel. If you have other daemons going it can run under it as well.
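The same check as `ps aux|grep nobody`, but with the allow-list that post #5 says is needed so legitimate control-panel daemons are not flagged. Added example, not code from the thread; the allow-list contents and the ps output are constructed assumptions to adapt per panel.

```shell
#!/bin/sh
# Added example, not code from the thread: list processes running as "nobody"
# whose command is not on an allow-list. A bare "ps aux | grep nobody" also
# matches legitimate daemons (entropychat and melange on cPanel, per post #5),
# so ALLOWED is the thing to adjust for your control panel.
# The ps output below is a constructed sample, not a real capture.

ALLOWED="httpd entropychat melange"   # assumption: adjust for your panel

# $1 = file holding "ps aux"-style output. Prints "PID command" for each
# process owned by nobody whose command basename is not in $ALLOWED.
suspicious_nobody_procs() {
  awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "nobody" {
      cmd = $11; sub(/^.*\//, "", cmd)   # basename of the COMMAND column
      if (!(cmd in ok)) print $2, cmd
    }' "$1"
}

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   1948   644 ?        Ss   Aug29   0:01 init
nobody    2211  0.1  1.2  23456  9876 ?        S    Aug29   0:12 /usr/local/apache/bin/httpd
nobody    2215  0.0  0.3   5000  1200 ?        S    Aug29   0:00 /usr/local/cpanel/bin/entropychat
nobody    3102 97.0  0.4   6000  2000 ?        R    01:05   3:40 perl /home/account/public_html/tmp/cache.php
EOF

suspicious_nobody_procs "$SAMPLE"
```

Run it against `ps aux > /tmp/ps.txt` taken while the spam run is in progress; the surviving PIDs are the ones to inspect (and their START time lines up with the log search above).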

  6. #6
    Thanks guys - I will try to put it to good use. I am also installing Ramprage's security tool, and thanks for making it available.

  7. #7

    I can't see the profile.

    Steven, can you contact me by PM please?

    I can't see your profile and can't send a PM either (you are too secretive).

    Thanks
