
Knowing who 'nobody' is

Discussion in 'General Discussion' started by trparky, Jan 17, 2006.

  1. trparky

    trparky Well-Known Member

  2. netkinetics

    netkinetics Well-Known Member

    You almost need to catch them in the act. Here's how:

    This assumes you have an ext3 root filesystem (/) and the utility lsof installed. Depending on your OS you may find this in /sbin or /usr/sbin.

    lsof digs the inode cache for recently open files (and deleted files), which helps you zero in on the script kiddies uploading, spamming, then deleting.

    Step 1 is going to be set your network monitor to alert you if exim shows up more than xx times in the process tree, or if your system loads rise. The other signals to watch are spamd and clamd forking on incoming bounced emails back to nobody containing the original spam as an attachment.

    Then you want to do the following (this would be centos / fc4)

    /usr/sbin/lsof | grep "/home"

    Look for something like "email.txt, emails.txt, send.php" or something else obvious that's been recently deleted. lsof will note if the file has been deleted and when it's been last accessed, up to the data size in the ext3 inode cache. This can produce quite a few results; you may want to > report.txt then hit it with your browser to review it.

    If that's not turning up anything obvious, check to see if MySQL is being used by doing the same lsof command, only looking for "/var/lib/mysql".

    Generally, the user showing up the most if you are able to run this while the spam is going out is most likely your culprit. If not, with a little logic you'll be able to figure out who it is.

    I'd also check the following places:

    /dev/shm
    /tmp
    /var/tmp
    /usr/local/apache/proxy

    ... and any other world-writable directory on your server. If you do find something and nail the sob, grep the domain access logs to see the malformed URL (if any was used) to inject code or execute code to send spam, and tune your mod_sec rules accordingly.

    PHP just sometimes can't be made totally safe without irritating customers. This is just something you have to deal with unfortunately.

    To check to see if somehow your server is running a renegade service that could be triggering the spam sending, use lsof -i (internet sockets).

    My suggestion to anyone who runs any kind of public web hosting company is type 'man lsof' and 'man netstat' and really get to know what they can do. You won't break it by playing, I promise.

    hth

    Tim
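A small shell helper that applies the lsof triage from the post above to the thread's "who is nobody" problem: because the offending script runs as the web server's nobody user, it groups lsof's output by the home-directory owner of each open or deleted file under /home rather than by process user. This is an added example, not code from netkinetics or cPanel; it assumes lsof's -F field output (p, c, L, n), which the post does not use, and runs over a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post. Parses `lsof -F pcLn` output
# (p=PID, c=command, L=login, n=path; -F is assumed here rather than the
# thread's `lsof | grep /home`) and tallies files under /home by the account
# owning the path, since the process itself usually runs as "nobody".

# stdin: lsof -F pcLn output. Prints "account open deleted command/login,..."
# per /home account, busiest account first.
triage_lsof() {
    awk '
        /^c/ { cmd = substr($0, 2) }             # command of the current process
        /^L/ { login = substr($0, 2) }           # login name, typically nobody
        /^n/ {
            name = substr($0, 2)
            if (index(name, "/home/") != 1) next # only files under /home
            split(name, part, "/")               # part[3] is the account name
            acct = part[3]
            total[acct]++
            if (name ~ / \(deleted\)$/) deleted[acct]++
            tag = cmd "/" login
            if (index(who[acct], tag) == 0)
                who[acct] = (who[acct] == "" ? tag : who[acct] "," tag)
        }
        END {
            for (a in total)
                printf "%s %d %d %s\n", a, total[a], deleted[a] + 0, who[a]
        }' | sort -k2,2nr
}

# Constructed sample (lsof's f lines omitted): alice's php worker is clean;
# php and perl workers running as nobody hold deleted files under bob's home.
SAMPLE='p2201
cphp
Lnobody
n/home/alice/public_html/index.php
p2202
cphp
Lnobody
n/home/bob/public_html/upload/send.php (deleted)
n/home/bob/public_html/upload/emails.txt (deleted)
p2203
cperl
Lnobody
n/home/bob/tmp/emails.txt (deleted)'

# Live use would be: lsof -F pcLn | triage_lsof
run_sample() { printf '%s\n' "$SAMPLE" | triage_lsof; }
run_sample
```

The account with the most (and most deleted) open files is the one to look at first, which is the "user showing up the most" heuristic from the post applied to the path rather than the process owner.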