
SPAMMING 2

Now run the following command to see what scripts are located in that directory:
ls -lahtr /userna5/public_html/data
drwxr-xr-x 17 userna5 userna5 4.0K Jan 20 10:25 ../
-rw-r--r-- 1 userna5 userna5 5.6K Jan 20 11:27 mailer.php
drwxr-xr-x 2 userna5 userna5 4.0K Jan 20 11:27 ./

mailer.php is the script being abused. To find who is calling it, count the requests to it per client IP in the domain's access log:
grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n
Deny those IPs (in the server firewall or the site's .htaccess), then remove or fix the script itself; blocking the IPs alone only stops the current sender.
========================================================================


Locate email accounts being used to spam



grep "A=courier_login" /var/log/exim_mainlog | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq | awk '{print $1}' | uniq -c | awk '{ if ($1 > 1) print $0}'

The sed strips the H= host name and the port so that the sender address and the connecting IP become fields 5 and 6; the rest lists the accounts that have authenticated from more than one IP address, a common sign of a stolen mailbox password.

grep "A=courier_login" /var/log/exim_mainlog | sed -e 's#H=.* \[##' -e 's#\]:[0-9]*##' | awk '{print $5,$6}' | sort | uniq -c

This one counts the messages sent per account and IP pair.

These commands assume courier. If the server runs dovecot, replace courier_login with dovecot_login in the greps above. On cPanel, /scripts/setupmailserver switches between the two.

Spamming

---------------

eximstats is a useful command to find spamming on the server.

/usr/sbin/eximstats -t5 /var/log/exim_mainlog > teststats

(-t5 limits each "top" table to 5 entries; the default is 50)

The above command gives the following details:

* Top 5 local destinations by volume

* Top 5 local destinations by message count

* Top 5 sending hosts by volume

* Top 5 sending hosts by message count

and other stats such as the total number of mails received and

delivered, the top 5 local senders (by username), etc.


Ways to find spam:

===========

1) Issue this command: ps -C exim -fH ewww | grep home

It shows the exim processes currently sending mail, with their environment, and from which user's home the mail is going, so that you can trace it and block it if needed.

2) Issue this command: eximstats -ne -nr /var/log/exim_mainlog

It shows the top 50 domains using the mail server (-ne omits the error statistics and -nr the relay statistics).

3) Issue this command: exim -bp | exiqsumm

It summarises the queue by recipient domain, so the domains with the most queued mail stand out.

4) Issue this command: netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1

It shows the IPs connected to the server on port 25, with a connection count per IP. If one particular IP holds more than 10 connections you can block it in the server firewall. (This only parses IPv4 addresses; for an IPv6 address the first field before a colon is not the address.)

5) In order to find "nobody" spamming (mail sent by web scripts running as the web server user), issue the following command:

ps -C exim -fH ewww | awk '{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n

It will give some result like:

Example :

6 PWD=/

347 PWD=/home/sample/public_html/test

Count the PWD entries and if the value is large, check the files in the directory listed in PWD.

(Ignore if it is / or /var/spool/mail /var/spool/exim)

The above command is valid only if the spamming is currently in progress.
If the spamming happened some hours before, use the following command on the log instead.

Command :

grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

This will result in something like:

47 cwd=/root

8393 cwd=/home/sample/public_html/test

Count the cwd entries and if the value is large, check the files in the directory listed in cwd.

(Ignore if it is / or /var/spool/mail /var/spool/exim)

--------------------------------------------------------

Precautions:

1) Turn on the SMTP tweak (WHM > Tweak Settings > "Restrict outgoing SMTP to root, exim, and mailman"). It stops users and scripts from bypassing the local mail server and connecting to remote port 25 directly, so all outgoing mail has to go through exim and shows up in exim_mainlog.

2) Turn on the RBL blacklisting options in WHM (Exim Configuration Manager).

3) Use SpamAssassin to stop receiving spam mails.

--------------------------------------------------------

Pass the below mentioned command at your command prompt to find the domain
which is being used by spammers.

# exim -bpr | exiqsumm -c | head

(-bpr lists the queue without sorting it; exiqsumm -c sorts the summary by message count, so head shows the recipient domains with the most queued mail.)

Then,

# exiqgrep -ir <domain> | xargs -n1 exim -Mrm

That removes every message in the queue whose recipient matches <domain> (-i prints only the message IDs, -r matches on recipient). Use exiqgrep -if <address> to match on sender instead. Check the output of exiqgrep without the xargs first, because exim -Mrm deletes the messages without sending any bounce.



====================================
egrep -o 'dovecot_login[^ ]+' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

egrep -o 'dovecot_plain[^ ]+' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

egrep -o 'courier_login[^ ]+' /var/log/exim_mainlog | sort | uniq -c | sort -nk 1

These count the authenticated SMTP logins per account; an account at the top of the list with far more logins than usual is the compromised one. Run the same commands against the rotated logs /var/log/exim_mainlog.1, .2, .3 and .4 as well, since a spam run may have started before the current log.

grep cwd /var/log/exim_mainlog | grep -v exim | awk '{print $4}' | sort | uniq -c | sort -nk 1

This counts the working directory of each script-initiated message (the grep -v exim drops exim's own queue runs). The $4 field position depends on the log format: if the lines do not carry a [pid] field after the time stamp, cwd= is field 3 and the command needs $3 instead.
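The checks above (authenticated logins per account and source IP, accounts seen from more than one IP, and cwd= counts excluding the spool directories), together with the mailer.php access-log count from the top of the page, are shown here as one added worked script. It is not from the original post; it runs on constructed exim_mainlog and Apache access-log lines embedded inline, and every account, host, IP and message ID in it is invented. Instead of fixed $4/$5 field positions it locates fields by content, so the same functions work whether or not the log carries the [pid] field.

```shell
#!/bin/sh
# Added example (not from the original post): the exim_mainlog and access-log
# checks above as functions over log text read from stdin, so they can be run
# against /var/log/exim_mainlog, a rotated log, or the constructed sample below.
# All host names, addresses, IPs and message IDs here are invented.

# Constructed sample of exim_mainlog lines. The last cwd= line carries the
# optional [pid] field (log_selector +pid), which shifts the field numbers.
EXIM_LOG='2024-01-20 11:27:01 1rRa01-0001Aa-Bc <= user1@example.com H=(host1) [203.0.113.10]:51234 P=esmtpa A=dovecot_login:user1@example.com S=1234 id=1@example.com
2024-01-20 11:27:05 1rRa02-0001Ab-Cd <= user1@example.com H=(host1) [203.0.113.10]:51240 P=esmtpa A=dovecot_login:user1@example.com S=1201 id=2@example.com
2024-01-20 11:27:09 1rRa03-0001Ac-De <= user1@example.com H=(host9) [198.51.100.7]:40001 P=esmtpa A=dovecot_login:user1@example.com S=1190 id=3@example.com
2024-01-20 11:27:12 1rRa04-0001Ad-Ef <= boss@example.com H=(laptop) [192.0.2.44]:55002 P=esmtpa A=courier_login:boss@example.com S=800 id=4@example.com
2024-01-20 11:28:02 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:28:03 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:28:04 cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:28:05 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1rRa01-0001Aa-Bc
2024-01-20 11:28:06 cwd=/root 3 args: /usr/sbin/sendmail -t -i
2024-01-20 11:28:07 [4242] cwd=/home/sample/public_html/test 3 args: /usr/sbin/sendmail -t -i'

# Constructed Apache combined-format access-log lines for example.com.
ACCESS_LOG='203.0.113.10 - - [20/Jan/2024:11:27:00 +0000] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.10 - - [20/Jan/2024:11:27:01 +0000] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "curl/7.88"
198.51.100.7 - - [20/Jan/2024:11:27:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Jan/2024:11:27:03 +0000] "POST /data/mailer.php HTTP/1.1" 200 512 "-" "python-requests/2.31"'

# "count account ip" for every authenticated submission (dovecot or courier),
# highest count first. The account comes from the A= token and the IP from the
# [ip]:port token, so the H= host name and an optional [pid] do not matter.
auth_pairs() {
    awk '
    /A=(dovecot|courier)_(login|plain):/ {
        acct = ""; ip = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^A=/) { split($i, a, ":"); acct = a[2] }
            if (substr($i, 1, 1) == "[" && $i ~ /]:[0-9]+$/) {
                ip = $i; sub(/^\[/, "", ip); sub(/]:[0-9]+$/, "", ip)
            }
        }
        if (acct != "" && ip != "") n[acct " " ip]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Accounts that authenticated from more than one source IP: the post's
# "uniq | awk | uniq -c | awk $1 > 1" chain, applied to auth_pairs output.
accounts_from_multiple_ips() {
    auth_pairs | awk '{ ips[$2]++ } END { for (a in ips) if (ips[a] > 1) print a }' | sort
}

# "count directory" for script-initiated messages, skipping the directories
# the post says to ignore (/, /var/spool/mail, /var/spool/exim).
cwd_counts() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) {
            d = substr($i, 5)
            if (d == "/" || d ~ /^\/var\/spool\/(mail|exim)/) next
            n[d]++
        }
    }
    END { for (d in n) print n[d], d }' | sort -k1,1nr -k2,2
}

# "count ip" for requests to mailer.php: the access-log check from the top.
mailer_hits() {
    awk '/mailer\.php/ { n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Run all four checks against the samples; on a live server pipe the real
# logs in instead, e.g. cat /var/log/exim_mainlog | cwd_counts
printf '%s\n' "$EXIM_LOG" | auth_pairs
printf '%s\n' "$EXIM_LOG" | accounts_from_multiple_ips
printf '%s\n' "$EXIM_LOG" | cwd_counts
printf '%s\n' "$ACCESS_LOG" | mailer_hits
```

On the sample, auth_pairs puts user1@example.com from 203.0.113.10 on top with 2 messages, accounts_from_multiple_ips flags user1@example.com (seen from 203.0.113.10 and 198.51.100.7), and cwd_counts reports 4 messages from /home/sample/public_html/test, counting the [pid]-prefixed line that a fixed $3 or $4 would miss, while the /var/spool/exim queue run is ignored.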
