Wesbytes Knowledge Base


Server hack and exim spamming

Last modified: July 2, 2022


In this article, we walk through how to investigate a server hack and Exim spamming. The steps below help you identify the IP address that attempted to compromise the server, and the scripts or directories that are being used to send spam.

First, find the IP address that needs to be monitored.

1. This netstat pipeline lists the number of connections made by each IP address:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

2. Once you have the IP address, look it up in:

a. /var/log/messages

b. /var/log/secure

cat /var/log/messages | grep ip | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

grep "unauthorised attempt" /var/log/messages | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

grep "unauthorised attempt" /var/log/secure | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

(Replace ip with the address you found in step 1. The sort before uniq -c is needed because uniq only collapses adjacent duplicate lines.)

Note: the field number in {print $5} depends on the log format and may need to be changed to 7, 8, 11, 12, etc., e.g. {print $7}.

EXIM COMMANDS

To view the mail queue:

exim -bp

Number of mail in the queue:

exim -bpc

To open a mail (show its headers; take the message ID from the exim -bp output):

exim -Mvh <message-id>

How many Frozen mails on the queue:

/usr/sbin/exim -bpr | grep frozen | wc -l

Deleting Frozen Messages:

/usr/sbin/exim -bpr | grep frozen | awk '{print $3}' | xargs exim -Mrm

To know the number of frozen mails in the mail queue, you can use the following command

exim -bpr | grep frozen | wc -l

In order to remove all frozen emails from the Exim mail queue, use the following command

exim -bpr | grep frozen | awk '{print $3}' | xargs exim -Mrm

You can also use the command given below to delete all frozen mails

exiqgrep -z -i | xargs exim -Mrm

To flush the exim queue

exim -qff

Base64 injection scripts

We can use these commands to check for the injected PHP script:

grep "authentication failure" /var/log/secure | awk '{print $3}' | cut -b7- | sort | uniq -c

find /var/www/vhosts/ -type f -name "*.php" | xargs -I{} sed -i '/<?php eval(gzinflate(base64_decode(/d' {}

(sed -i edits the files in place, so take a backup of the web root before running it.)

How to Find the Spammer Spamming from home directory

We can use a script to find the scripts on your server that send out the most email. A spammer may be using a script in his own home directory to send spam. Once you have the directory, review your Apache access logs to see how the spammer is reaching those scripts, and search the Exim mail log for the same scripts to confirm that the mail they send looks like spam.

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
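The following is an added example, not part of the original article: it runs the same cwd= ranking over a constructed Exim main-log sample and then cross-checks a constructed Apache access-log sample to see which client IPs were hitting scripts under the top sending directory. The log lines, paths and IP addresses are made up for the example, and the URL prefix passed to requesters_under is assumed to be the web path that maps to the suspicious directory.

```shell
#!/bin/sh
# Constructed sample Exim main-log lines (not from a real server).
SAMPLE_EXIM_LOG='2022-07-02 10:00:01 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2022-07-02 10:00:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1oBcD3-0001Ab-Cd
2022-07-02 10:00:03 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2022-07-02 10:00:04 cwd=/home/user2/public_html 3 args: /usr/sbin/sendmail -t -i
2022-07-02 10:00:05 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2022-07-02 10:00:06 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1oBcD4-0001Ac-Ef'

# Constructed sample Apache access-log lines (combined format).
SAMPLE_ACCESS_LOG='203.0.113.5 - - [02/Jul/2022:10:00:01 +0000] "POST /wp-content/uploads/x.php?a=1 HTTP/1.1" 200 512 "-" "curl/7.0"
198.51.100.9 - - [02/Jul/2022:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jul/2022:10:00:03 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 512 "-" "curl/7.0"
203.0.113.5 - - [02/Jul/2022:10:00:05 +0000] "POST /wp-content/uploads/x.php HTTP/1.1" 200 512 "-" "curl/7.0"
198.51.100.9 - - [02/Jul/2022:10:00:06 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Count Exim sends per working directory, ignoring Exim's own spool.
# Reads log lines on stdin; prints "count dir", most frequent last.
sending_dirs() {
  grep 'cwd=' | grep -v 'cwd=/var/spool' \
    | awk -F'cwd=' '{print $2}' | awk '{print $1}' \
    | sort | uniq -c | sort -n
}

# The directory that sent the most mail.
top_sending_dir() {
  sending_dirs | tail -1 | awk '{print $2}'
}

# Count access-log requests per client IP for URLs under prefix $1,
# with the query string stripped; most frequent last.
requesters_under() {
  awk -v p="$1" '{ sub(/\?.*/, "", $7); if (index($7, p) == 1) print $1 }' \
    | sort | uniq -c | sort -n
}

# The client IP that hit scripts under prefix $1 most often.
top_requester_under() {
  requesters_under "$1" | tail -1 | awk '{print $2}'
}

printf '%s\n' "$SAMPLE_EXIM_LOG" | sending_dirs
printf '%s\n' "$SAMPLE_ACCESS_LOG" | requesters_under /wp-content/uploads/
```

On a live server, feed /var/log/exim_mainlog and the Apache access log into the functions instead of the samples.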

To find suspicious IP activities

————————————————————————

This will list the log entries for the IP address in question (replace ip.add.re.ss with the suspicious IP address):

find /var/log/ -type f -exec grep "ip.add.re.ss" '{}' \; -print

This pipeline lists the top 10 IP addresses hitting your Apache access log:

———————————————————————————————————–

cat /var/log/httpd/access_log | awk '{print $1}' | cut -d? -f1 | sort -n | uniq -c | sort -n | tail -10

This pipeline lists the ten most accessed files on your site, sorted by the number of times each file was accessed (query strings are stripped so that requests for the same file are counted together):

——————————————————————————

cat /var/log/httpd/access_log | awk '{print $7}' | cut -d? -f1 | sort -n | uniq -c | sort -n | tail -10
