use*_*380 12 linux centos exim
My server is sending spam, but I can't find the script that is sending it.
The emails all come from nobody@myhost
cPanel, nobody
so it should not be allowed to send email.
Now at least they are not going out, and I keep receiving them. This is the mail I receive:
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
eckert@clearfieldjeffersonredcross.org
Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
------ This is a copy of the message, including all the headers. ------
Return-path: <nobody@cpanel.myserver.com>
Received: from nobody by cpanel.myserver.com with local (Exim 4.80)
(envelope-from <nobody@cpanel.myserver.com>)
id 1UBBap-0007EM-9r
for eckert@clearfieldjeffersonredcross.org; Fri, 01 Mar 2013 08:34:47 +1030
To: eckert@clearfieldjeffersonredcross.org
Subject: Order Detail
From: "Manager Ethan Finch" <support@raleight.us>
X-Mailer: Fscfz(ver.2.75)
Reply-To: "Manager Ethan Finch" <support@raleight.us>
Mime-Version: 1.0
Content-Type: multipart/alternative;boundary="----------1362089087512FD47F4767C"
Message-Id: <E1UBBap-0007EM-9r@cpanel.server.com>
Date: Fri, 01 Mar 2013 08:34:47 +1030
------------1362089087512FD47F4767C
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
Here is my exim log:
2013-03-01 14:36:00 no IP address found for host gw1.corpgw.com (during SMTP connection from [203.197.151.138]:54411)
2013-03-01 14:36:59 H=() [203.197.151.138]:54411 rejected MAIL gpgjouczsr@gmail.com: HELO required before MAIL
2013-03-01 14:37:28 H=(helo) [203.197.151.138]:54411 rejected MAIL admin@gmail.com: Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
2013-03-01 14:37:28 SMTP connection from (helo) [203.197.151.138]:54411 closed by DROP in ACL
2013-03-01 14:37:29 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2013-03-01 14:37:29 Start queue run: pid=12155
2013-03-01 14:37:29 1UBBap-0007EM-9r ** eckert@clearfieldjeffersonredcross.org R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-03-01 14:37:29 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1UBBap-0007EM-9r
2013-03-01 14:37:30 1UBHFp-0003A7-W3 <= <> R=1UBBap-0007EM-9r U=mailnull P=local S=7826 T="Mail delivery failed: returning message to sender" for nobody@cpanel.server.com
2013-03-01 14:37:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UBHFp-0003A7-W3
2013-03-01 14:37:30 1UBBap-0007EM-9r Completed
2013-03-01 14:37:32 1UBHFp-0003A7-W3 aspmx.l.google.com [2607:f8b0:400e:c00::1b] Network is unreachable
2013-03-01 14:37:38 1UBHFp-0003A7-W3 => johnmyk@server.com <nobody@cpanel.server.com> R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.25.26] X=TLSv1:RC4-SHA:128
2013-03-01 14:37:39 1UBHFp-0003A7-W3 Completed
2013-03-01 14:37:39 End queue run: pid=12155
2013-03-01 14:38:20 SMTP connection from [127.0.0.1]:36667 (TCP/IP connection count = 1)
2013-03-01 14:38:21 SMTP connection from localhost [127.0.0.1]:36667 closed by QUIT
2013-03-01 14:42:45 cwd=/ 2 args: /usr/sbin/sendmail -t
2013-03-01 14:42:45 1UBHKv-0003BH-LD <= root@cpanel.server.com U=root P=local S=1156 T="[cpanel.server.com] Root Login from IP 122.181.3.130" for johnmyk@server.com
2013-03-01 14:42:45 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1UBHKv-0003BH-LD
2013-03-01 14:42:47 1UBHKv-0003BH-LD aspmx.l.google.com [2607:f8b0:400e:c00::1a] Network is unreachable
2013-03-01 14:42:51 1UBHKv-0003BH-LD => johnmyk@server.com R=lookuphost T=remote_smtp H=aspmx.l.google.com [74.125.25.27] X=TLSv1:RC4-SHA:128
2013-03-01 14:42:51 1UBHKv-0003BH-LD Completed
2013-03-01 14:43:22 SMTP connection from [127.0.0.1]:37499 (TCP/IP connection count = 1)
2013-03-01 14:43:23 SMTP connection from localhost [127.0.0.1]:37499 closed by QUIT
Is there any way to find out which script or which user is generating these?
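Exim on cPanel logs a "cwd=" line (the working directory of the local process that called sendmail) immediately before the "<=" line for the message it submitted, and the poster's log above already contains such pairs. The script below is an added example, not code from the question or from any answer; it pairs the two kinds of lines to show which directories a given user's mail was submitted from. The log lines, user, hostnames, paths and queue ids inside it are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the question or the answers on this page.
# Exim (with cPanel's default logging) writes a "cwd=..." line recording the
# working directory of every local process that invokes sendmail/exim, right
# before the "<=" line that records the accepted message. Pairing the two
# shows which directory the spam-sending script lives in.
# The log lines below are constructed for this example; the hosts, paths,
# queue ids and recipients are not from the poster's server.

SAMPLE_LOG='2013-03-01 14:33:00 cwd=/home/site1/public_html/wp-content/uploads 2 args: /usr/sbin/sendmail -t
2013-03-01 14:33:00 1AAAAa-000001-AA <= nobody@cpanel.example.com U=nobody P=local S=7826 for victim@example.org
2013-03-01 14:33:00 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1AAAAa-000001-AA
2013-03-01 14:42:45 cwd=/ 2 args: /usr/sbin/sendmail -t
2013-03-01 14:42:45 1AAAAb-000002-BB <= root@cpanel.example.com U=root P=local S=1156 for admin@example.org
2013-03-01 14:45:00 cwd=/home/site2/public_html/tmp 2 args: /usr/sbin/sendmail -t
2013-03-01 14:45:00 1AAAAc-000003-CC <= nobody@cpanel.example.com U=nobody P=local S=8100 for another@example.org
2013-03-01 14:50:10 cwd=/home/site1/public_html/wp-content/uploads 2 args: /usr/sbin/sendmail -t
2013-03-01 14:50:10 1AAAAd-000004-DD <= nobody@cpanel.example.com U=nobody P=local S=8012 for other@example.org'

# spam_cwds USER: read an exim_mainlog on stdin and print "count directory"
# for every working directory from which USER submitted mail locally
# (U=USER P=local), most frequent first.
spam_cwds() {
    awk -v user="$1" '
        # remember the most recent cwd= value; it belongs to the next "<=" line
        /cwd=/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^cwd=/) last_cwd = substr($i, 5)
        }
        # an accepted message ("<=") submitted locally by the user we care about
        $4 == "<=" && $0 ~ /P=local/ && $0 ~ ("U=" user "( |$)") {
            counts[last_cwd]++
        }
        END { for (d in counts) print counts[d], d }
    ' | sort -rn
}

# Run against the constructed sample: prints
#   2 /home/site1/public_html/wp-content/uploads
#   1 /home/site2/public_html/tmp
printf '%s\n' "$SAMPLE_LOG" | spam_cwds nobody
```

On a real cPanel box the same function is run as `spam_cwds nobody < /var/log/exim_mainlog`; the directory that appears most often is normally where the injected mailer script sits, and the queue run lines (cwd=/var/spool/exim) are ignored because they never precede a "<=" line.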
Mer*_*uck 22
Linux Malware Detect (http://www.rfxn.com/projects/linux-malware-detect/) is very simple to install :). From that link, download http://www.rfxn.com/downloads/maldetect-current.tar.gz. The link to this file is at the very top of the web page. Then extract the archive and cd into the newly created directory in a terminal. In that directory, run
sudo ./install.sh
This installs the scanner on your system. To run the scan itself, you would run
sudo /usr/local/sbin/maldet -a /
The -a option here means you want to scan all files. Use -r instead to scan only recent files. The / specifies the directory the scan should be run on, so just change it to whatever directory you want.
"The emails all come from nobody@myhost"
Find all processes running as nobody:
ps -U nobody
"SMTP connection from [127.0.0.1]:36667 (TCP/IP connection count = 1)"
Run netstat under watch to see which process connects to port 25:
watch 'netstat -nap | grep :25'
These steps should help you find out that the culprit is... the web server. Then you can run strace to see which script is being called when the email is sent:
strace -f -e trace=open,stat -p 1234 -o wserver.strace
(1234 is the parent PID of the web server process)