Linux
How do I find which script on my server is sending spam?
My server is sending spam, but I can't find the script that is sending it.
The emails all come from nobody@myhost. I have disabled nobody from being allowed to send email in cPanel, so at least now they won't go out, but I keep receiving them. This is the mail I receive:
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  eckert@clearfieldjeffersonredcross.org
    Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings

------ This is a copy of the message, including all the headers. ------

Return-path: <nobody@cpanel.myserver.com>
Received: from nobody by cpanel.myserver.com with local (Exim 4.80)
        (envelope-from <nobody@cpanel.myserver.com>)
        id 1UBBap-0007EM-9r
        for eckert@clearfieldjeffersonredcross.org; Fri, 01 Mar 2013 08:34:47 +1030
To: eckert@clearfieldjeffersonredcross.org
Subject: Order Detail
From: "Manager Ethan Finch" <support@raleight.us>
X-Mailer: Fscfz(ver.2.75)
Reply-To: "Manager Ethan Finch" <support@raleight.us>
Mime-Version: 1.0
Content-Type: multipart/alternative;boundary="----------1362089087512FD47F4767C"
Message-Id: <E1UBBap-0007EM-9r@cpanel.server.com>
Date: Fri, 01 Mar 2013 08:34:47 +1030

------------1362089087512FD47F4767C
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
This is my exim log:
2013-03-01 14:36:00 no IP address found for host gw1.corpgw.com (during SMTP connection from [203.197.151.138]:54411)
2013-03-01 14:36:59 H=() [203.197.151.138]:54411 rejected MAIL gpgjouczsr@gmail.com: HELO required before MAIL
2013-03-01 14:37:28 H=(helo) [203.197.151.138]:54411 rejected MAIL admin@gmail.com: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2013-03-01 14:37:28 SMTP connection from (helo) [203.197.151.138]:54411 closed by DROP in ACL
2013-03-01 14:37:29 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2013-03-01 14:37:29 Start queue run: pid=12155
2013-03-01 14:37:29 1UBBap-0007EM-9r ** eckert@clearfieldjeffersonredcross.org R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-03-01 14:37:29 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1UBBap-0007EM-9r
2013-03-01 14:37:30 1UBHFp-0003A7-W3 <= <> R=1UBBap-0007EM-9r U=mailnull P=local S=7826 T="Mail delivery failed: returning message to sender" for nobody@cpanel.server.com
2013-03-01 14:37:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UBHFp-0003A7-W3
2013-03-01 14:37:30 1UBBap-0007EM-9r Completed
2013-03-01 14:37:32 1UBHFp-0003A7-W3 aspmx.l.google.com [2607:f8b0:400e:c00::1b] Network is unreachable
2013-03-01 14:37:38 1UBHFp-0003A7-W3 => johnmyk@server.com <nobody@cpanel.server.com> R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.25.26] X=TLSv1:RC4-SHA:128
2013-03-01 14:37:39 1UBHFp-0003A7-W3 Completed
2013-03-01 14:37:39 End queue run: pid=12155
2013-03-01 14:38:20 SMTP connection from [127.0.0.1]:36667 (TCP/IP connection count = 1)
2013-03-01 14:38:21 SMTP connection from localhost [127.0.0.1]:36667 closed by QUIT
2013-03-01 14:42:45 cwd=/ 2 args: /usr/sbin/sendmail -t
2013-03-01 14:42:45 1UBHKv-0003BH-LD <= root@cpanel.server.com U=root P=local S=1156 T="[cpanel.server.com] Root Login from IP 122.181.3.130" for johnmyk@server.com
2013-03-01 14:42:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UBHKv-0003BH-LD
2013-03-01 14:42:47 1UBHKv-0003BH-LD aspmx.l.google.com [2607:f8b0:400e:c00::1a] Network is unreachable
2013-03-01 14:42:51 1UBHKv-0003BH-LD => johnmyk@server.com R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.25.27] X=TLSv1:RC4-SHA:128
2013-03-01 14:42:51 1UBHKv-0003BH-LD Completed
2013-03-01 14:43:22 SMTP connection from [127.0.0.1]:37499 (TCP/IP connection count = 1)
2013-03-01 14:43:23 SMTP connection from localhost [127.0.0.1]:37499 closed by QUIT
Is there any way to find which script or which user is generating these?
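Added example (not part of the question or of any answer on this page). The log above contains "cwd=... N args: ..." lines, which Exim writes when its log_selector includes +arguments (cPanel's default configuration). Each of those lines records the working directory and command line of the process that invoked sendmail/exim, and it is followed by the "<= ... U=<user> P=local" arrival line of the message that process submitted. Pairing the two and counting by user and directory points at where the spamming script lives. The script below does that over a constructed sample log (paths, message ids and addresses in it are made up, not taken from the question); point it at /var/log/exim_mainlog on a cPanel server to run it for real.

```python
import re
import sys
from collections import Counter

# Constructed sample in Exim mainlog format (not the log from the question).
# The "cwd=... N args: ..." lines are written when Exim's log_selector
# includes +arguments; each is followed by the "<=" arrival line of the
# message that process submitted. Paths, ids and addresses are made up.
SAMPLE_LOG = """\
2013-03-01 14:30:01 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2013-03-01 14:30:01 1UBBaa-0001AA-00 <= nobody@cpanel.myserver.com U=nobody P=local S=7826 T="Order Detail" for victim1@example.org
2013-03-01 14:30:02 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2013-03-01 14:30:02 1UBBab-0001AB-00 <= nobody@cpanel.myserver.com U=nobody P=local S=7830 T="Order Detail" for victim2@example.org
2013-03-01 14:37:29 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2013-03-01 14:37:29 Start queue run: pid=12155
2013-03-01 14:37:29 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1UBBaa-0001AA-00
2013-03-01 14:37:30 1UBHFp-0003A7-00 <= <> R=1UBBaa-0001AA-00 U=mailnull P=local S=7826 T="Mail delivery failed: returning message to sender" for nobody@cpanel.myserver.com
2013-03-01 14:42:45 cwd=/ 2 args: /usr/sbin/sendmail -t
2013-03-01 14:42:45 1UBHKv-0003BH-00 <= root@cpanel.myserver.com U=root P=local S=1156 T="Root Login from IP 192.0.2.10" for admin@example.com
2013-03-01 14:50:10 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2013-03-01 14:50:10 1UBHXx-0003CC-00 <= bob@cpanel.myserver.com U=bob P=local S=2100 T="Newsletter" for list@example.com
"""

# "<date> <time> cwd=<dir> <argc> args: <argv...>"
CWD_RE = re.compile(r'^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$')
# "<date> <time> <msgid> <= <sender> [R=...] U=<unix user> P=local ..."
# (bounces have "<= <>" and an "R=" field before "U=", hence the ".*?")
ARRIVAL_RE = re.compile(
    r'^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+).*? U=(?P<user>\S+) P=local')


def attribute_local_mail(log_text):
    """Pair each 'cwd=' line with the local-submission arrival line that
    immediately follows it and count submissions per (user, cwd, argv).
    Any other line in between drops the pending cwd, because Exim's own
    queue runners also log cwd= lines that submit nothing."""
    counts = Counter()
    pending = None
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            pending = (m.group('cwd'), m.group('args'))
            continue
        m = ARRIVAL_RE.match(line)
        if m and pending is not None:
            counts[(m.group('user'), pending[0], pending[1])] += 1
        pending = None
    return counts


def suspicious_senders(log_text, user='nobody'):
    """Return [(cwd, argv, count)] for local submissions made as `user`
    (scripts run by Apache's unprivileged user submit as 'nobody' on
    cPanel), busiest directory first."""
    rows = [(cwd, args, n)
            for (u, cwd, args), n in attribute_local_mail(log_text).items()
            if u == user]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == '__main__':
    # Usage: python3 spam_cwd.py /var/log/exim_mainlog [user]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    who = sys.argv[2] if len(sys.argv) > 2 else 'nobody'
    for cwd, args, n in suspicious_senders(text, who):
        print(f"{n:6d}  {cwd}  [{args}]")
```

On the sample the only directory submitting mail as nobody is /home/alice/public_html/wp-content/uploads, which is the kind of world-writable upload directory a dropped PHP mailer usually sits in. Treat the result as a lead rather than proof: when several local submissions happen at the same second their cwd= and <= lines can interleave, so confirm by listing recently modified .php files in the reported directory before deleting anything. If the mainlog has no cwd= lines at all, the +arguments log selector is not enabled and this method cannot work.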
Linux Malware Detect ( http://www.rfxn.com/projects/linux-malware-detect/ ) is very simple to install :). From that link, download http://www.rfxn.com/downloads/maldetect-current.tar.gz; the link to the file is at the very top of the web page. Then extract the archive and cd into the newly created directory in a terminal. In that directory, run
sudo ./install.sh
This installs the scanner on your system. To run the scan itself, you would run
sudo /usr/local/sbin/maldet -a /
The -a option here means you want to scan all files; use -r instead to scan only recent ones. The / specifies the directory the scan should run in, so just change it to whatever directory you want.