Check Server hack and exim spamming

I am hereby providing some commands to have a basic checking on a server hack issue. 

This will probably help you to find out the IP which tried the mal practices in a server to get compromised.

First, we can try to find the IP which i need to monitor

1. This netstat script will list out the number of connections made by an IP

 

netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

 

2. Now you got the IP then you check it out in

a. /var/log/messages

b. /var/log/secure

 

cat /var/log/messages | grep ip | awk ‘{print$5}’ | cut -d: -f1 | uniq -c |sort -n

grep “unauthorised attempt” /var/log/messages | awk ‘{print$5}’ |cut -d: -f1 | uniq -c | sort -n

grep “unauthorised attempt” /var/log/secure | awk ‘{print$5}’ |cut -d: -f1 | uniq -c | sort -n

 

Note :- In {print$5} value may change it can become 7, 8, 11, 12 etc …. eg:- {print$7}


EXIM COMMANDS


To view the mail queue:

 exim -bp

 
Number of mail in queue: 

 exim -bpc

 
To open a mail:

exim -Mvh <message id>

Number of emails in the queue:

/usr/sbin/exim -bpr | grep “<” | wc -l

How many Frozen mails on the queue:

/usr/sbin/exim -bpr | grep frozen | wc -l

Deleteing Frozen Messages:

/usr/sbin/exim -bpr | grep frozen | awk {‘print $3′} | xargs exim -Mrm

To know the number of frozen mails in the mail queue, you can use the following command

exim -bpr | grep frozen | wc -l

In order to remove all frozen mails from the Exim mail queue, use the following command

exim -bpr | grep frozen | awk {‘print $3′} | xargs exim -Mrm

You can also use the command given below to delete all frozen mails

exiqgrep -z -i | xargs exim -Mrm

To flush the exim queue

exim -qff

Base64 injection scripts

We can use this script to find out php script

grep “authentication failure” /var/log/secure | awk ‘{ print $3}’ | cut -b7- | sort | uniq -c

find /var/www/vhosts/ -name “*.php” | xargs -I{} sed -i ‘/<?php eval(gzinflate(base64_decode(/d’ {};


How to Find the spammer spamming from home directory

———————————————————————

Spammer may use his home directory for spamming we can use a script to locate the top scripts on your server that send out email. Then you can search the Exim mail log for those scripts to determine if it looks like spam, and even check your Apache access logs in order to find how a spammer might be using your scripts to send out spam.

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F”cwd=” ‘{print $2}’ | awk ‘{print $1}’ | sort | uniq -c | sort -n


To find suspecious IP activities

—————————————–

 This will list the entries for the IP Address in question ( replace ip.add.re.ss with the suspecious ip address )

 find /var/log/ -exec grep “ip.add.re.ss” ‘{}’ \; -print

This script will provide you top 10 IP addresses that hit your apache access log

———————————————————————————————————–

 

cat /var/log/httpd/access_log |awk ‘{print $1}’|cut -d? -f1|sort -n|uniq -c|sort -n|tail -10

This script will list the ten most accessed files on your site

——————————————————————————

 This script will Sort files and display the number of times that file was accessed

 cat /var/log/httpd/access_log |awk ‘{print $7}’|cut -d? -f1|sort -n|uniq -c|sort -n| tail -10

  • 33 Users Found This Useful
Was this answer helpful?

Related Articles

How To Install and Use Docker on Ubuntu 16.04

Introduction Docker is an application that makes it simple and easy to run application processes...

Adding Server Credentials from Client Area

The exchange of passwords in plain text format is not at all a safer way nowadays.  In case if we...

Backup and Restore cPanel Accounts via SSH

a. How to create a backup of a cPanel Account via SSH?   1. Log-in to the SSH as the Root user....

Change Main IP of the server :: Vesta Panel

If we are changing the main IP of a server installed with Vesta panel, we can use the following...

cPanel: Apache-FastCGI Data Timeout Error

If you are using a cPanel server and have FastCGI enabled in Apache, you might be facing the...