{"id":23181,"date":"2020-12-09T09:55:20","date_gmt":"2020-12-09T01:55:20","guid":{"rendered":"https:\/\/web.mwwsb.com.my\/pjci\/?post_type=kb&p=23181"},"modified":"2023-01-18T11:52:14","modified_gmt":"2023-01-18T03:52:14","slug":"check-server-hack-and-exim-spamming-3","status":"publish","type":"kb","link":"https:\/\/www.casbay.com\/guide\/kb\/check-server-hack-and-exim-spamming-3","title":{"rendered":"Server hack and exim spamming"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t

Server hack and exim spamming<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

In this article, we will guide you in checking the issues of server hack and exim spamming. This will probably help you to find out the IP which tried the malpractices in a server to get compromised.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t

First, we can try to find the IP which I need to monitor<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t

1. This netstat script will list out the number of connections made by an IP<\/p>

netstat -ntu | awk \u2018{print $5}\u2019 | cut -d: -f1 | sort | uniq -c | sort -n<\/strong><\/p>

2. Now you got the IP then you check it out in<\/p>

a. \/var\/log\/messages<\/strong><\/p>

b. \/var\/log\/secure<\/strong><\/p>

cat \/var\/log\/messages | grep ip | awk \u2018{print$5}\u2019 | cut -d: -f1 | uniq -c |sort -n<\/strong><\/p>

grep \u201cunauthorised attempt\u201d \/var\/log\/messages | awk \u2018{print$5}\u2019 |cut -d: -f1 | uniq -c | sort -n<\/strong><\/p>

grep \u201cunauthorised attempt\u201d \/var\/log\/secure | awk \u2018{print$5}\u2019 |cut -d: -f1 | uniq -c | sort -n<\/strong><\/p>

Note :-Check Server hack and exim spamming, In {print$5} value may change it can become 7, 8, 11, 12 etc \u2026. eg:- {print$7}<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t

EXIM COMMANDS<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

To view the mail queue:<\/p>

exim -bp<\/strong><\/p>

Number of mail in the queue:<\/p>

exim -bpc<\/strong><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t

To open a mail:<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

exim -Mvh
<\/strong><\/p>

The number of emails in the queue:<\/p>

exim -Mvh<\/strong><\/p>

How many Frozen mails on the queue:<\/p>

\/usr\/sbin\/exim -bpr | grep frozen | wc<\/strong><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t

Deleting Frozen Messages:<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

\/usr\/sbin\/exim -bpr | grep frozen | awk {\u2018print $3\u2032} | xargs exim -Mrm<\/strong><\/p>

To know the number of frozen mails in the mail queue, you can use the following command<\/p>

exim -bpr | grep frozen | wc -l<\/strong><\/p>

In order to remove all frozen emails from the Exim mail queue, use the following command<\/p>

exim -bpr | grep frozen | awk {\u2018print $3\u2032} | xargs exim -Mrm<\/strong>rm<\/strong><\/p>

You can also use the command given below to delete all frozen mails<\/p>

exiqgrep -z -i | xargs exim -Mrm<\/strong><\/p>

To flush the exim queue<\/p>

exim -qff<\/strong><\/p>

Base64 injection scripts<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t

We can use this script to find out the PHP script<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

grep \u201cauthentication failure\u201d \/var\/log\/secure | awk \u2018{ print $3}\u2019 | cut -b7- | sort | uniq -c<\/strong><\/p>

find \/var\/www\/vhosts\/ -name \u201c*.php\u201d | xargs -I{} sed -i \u2018\/<?php eval(gzinflate(base64_decode(\/d\u2019 {};<\/strong><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t

How to Find the spammer spamming from home directory<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014<\/p>

The spammer may use his home directory for spamming we can use a script to locate the top scripts on your server that send out the email. Then you can search the Exim mail log for those scripts to determine if it looks like spam, and even check your Apache access logs in order to find how a spammer might be using your scripts to send out spam.<\/p>

grep cwd \/var\/log\/exim_mainlog | grep -v \/var\/spool | awk -F\u201dcwd=\u201d \u2018{print $2}\u2019 | awk \u2018{print $1}\u2019 | sort | uniq -c | sort<\/strong>rt -n<\/strong><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t

To find suspicious IP activities<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t

\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014<\/p>

This will list the entries for the IP Address in question ( replace ip.add.re.ss with the suspicious IP address )<\/p>

find \/var\/log\/ -exec grep \u201cip.add.re.ss\u201d \u2018{}\u2019 ; -print<\/strong><\/p>

This script will provide you top 10 IP addresses that hit your apache access log<\/p>

\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2013<\/p>

cat \/var\/log\/httpd\/access_log |awk \u2018{print $1}\u2019|cut -d? -f1|sort -n|uniq -c|sort -n|tail -10<\/strong><\/p>

This script will list the ten most accessed files on your site<\/p>

\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014<\/p>

This script will Sort files and display the number of times that file was accessed<\/p>

cat \/var\/log\/httpd\/access_log |awk \u2018{print $7}\u2019|cut -d? -f1|sort -n|uniq -c|sort -n| tail -10<\/strong><\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t

Visit our Knowledge Base<\/a> page to find out more articles on the topic- Security.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

Server hack and exim spamming In this article, we will guide you in checking the issues of server hack and exim spamming. This will probably help you to find out the IP which tried the malpractices in a server to get compromised. First, we can try to find the IP which I need to monitor […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"site-sidebar-layout":"no-sidebar","site-content-layout":"page-builder","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"disabled","ast-breadcrumbs-content":"","ast-featured-img":"disabled","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}}},"kbtopic":[113],"kbtag":[106],"mkb_version":[],"_links":{"self":[{"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/kb\/23181"}],"collection":[{"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/comments?post=23181"}],"version-history":[{"count":4,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/kb\/23181\/revisions"}],"predecessor-version":[{"id":38218,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/kb\/23181\/revisions\/38218"}],"wp:attachment":[{"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/media?parent=23181"}],"wp:term":[{"taxonomy":"kbtopic","embeddable":true,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/kbtopic?post=23181"},{"taxonomy":"kbtag","embeddable":true,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/kbtag?post=23181"},{"taxonomy":"mkb_version","embeddable":true,"href":"https:\/\/www.casbay.com\/guide\/wp-json\/wp\/v2\/mkb_version?post=23181"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}