Scan for malicious code on server

Hi, one of the users on our server is sending spam from our server through a PHP or CGI script.
Because in our log it only shows that Apache has sent an email.

How can I find out which user is sending it, or are there some programs or scripts that will allow me to scan for malicious mail-sending scripts?

Thanks
basara55 Asked:
 
webtrans Commented:
Use this to analyse your Apache log file.
It will give you a clue.
http://awstats.sourceforge.net/
0
 
webtrans Commented:
First you have to find out which script is sending the email,
then check the log for which IP is requesting this folder?
0
 
basara55 Author Commented:
Well yes, that's the problem I am having. How can I find out? There are a trizillion scripts and users on the server.
0
 
webtrans Commented:
What server-side scripting languages are available on the server?
0
 
basara55 Author Commented:
PHP, JSP, CGI (Perl)
0
 
owensleftfoot Commented:
The Apache logfile in /var/log will show you which user accessed what by their IP addresses.
0
 
_GeG_ Commented:
Get a spam mail with headers. Now check the sending date and time. Next, check the Apache log for all PHP/CGI/JSP requests a little before this time. Then check which of those scripts can send mail. Last, find the IP for this request and if it is (hopefully) a static IP send it a virus :(
My guess: look in the Apache logs for formmail ;)
0
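
The log correlation described in the answer above, as an added example that is not part of the original thread: it lists the script requests that hit Apache in a short window before the spam's send time, grouped by script path and client IP. The log lines, the timestamp, the 120-second window and the `/~user/` path layout are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache common/combined log format: client IP, [timestamp], "METHOD url ...".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')
SCRIPT_RE = re.compile(r'\.(?:php\d?|cgi|pl|jsp)$', re.IGNORECASE)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def candidates(log_lines, sent_at, window_seconds=120):
    """Count (script path, client IP) pairs requested shortly before sent_at."""
    start = sent_at - timedelta(seconds=window_seconds)
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines and other HTTP methods
        ip, stamp, url = m.groups()
        when = datetime.strptime(stamp, TS_FMT)
        path = url.split("?", 1)[0]  # drop the query string before matching
        if start <= when <= sent_at and SCRIPT_RE.search(path):
            hits[(path, ip)] += 1
    return hits.most_common()

# Constructed sample access log (not from the original thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/2004:03:10:00 +0200] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.33 - - [12/May/2004:02:50:00 +0200] "GET /~bob/contact.php HTTP/1.1" 200 300',
    '192.0.2.33 - - [12/May/2004:03:13:20 +0200] "GET /~bob/gallery.php?id=4 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [12/May/2004:03:13:58 +0200] "POST /~alice/cgi-bin/formmail.pl HTTP/1.0" 200 87',
    '198.51.100.7 - - [12/May/2004:03:14:05 +0200] "POST /~alice/cgi-bin/formmail.pl HTTP/1.0" 200 87',
    '203.0.113.5 - - [12/May/2004:03:14:30 +0200] "GET /~carol/mail.php HTTP/1.1" 200 10',
]
# Send time as read from the spam's first Received: header (constructed value).
SENT_AT = datetime.strptime("12/May/2004:03:14:09 +0200", TS_FMT)

if __name__ == "__main__":
    for (path, ip), count in candidates(SAMPLE_LOG, SENT_AT):
        print(f"{count:3d}  {path}  from {ip}")
```

Repeating this for several spam messages and intersecting the results narrows the list to the script that appears every time.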
 
ahoffmann Commented:
find /path/to/files -type f -exec egrep -i 'smtp|telnet|mail|socket' {} \; -print
0
 
_GeG_ Commented:
> This question has been classified as abandoned because there are no comments in the last 21 days.
lol, last post from May 2004

BTW I think my answer provided a usable solution....

0
 
Venabili Commented:
>>lol, last post from May 2004
Well... it is at least 2004 :)) Not older :)
0
 
ahoffmann Commented:
> BTW I think my answer provided a usable solution....
So do I ...
0
Question has a verified solution.
