Solved

Scan for malicious code on server

Posted on 2004-08-31
Last Modified: 2010-04-22
Hi, one of the users on our server is sending spam from our server through a PHP or CGI script,
because in our log it only shows that Apache has sent an email.

How can I find out which user is sending it, or are there some programs or scripts that will allow me to scan for malicious mail-sending scripts?

Thanks
Question by: basara55
14 Comments
 
LVL 5

Expert Comment

by:webtrans
First you have to find out which script is sending the email,
then check the log for which IP is requesting this folder.
 

Author Comment

by:basara55
Well yes, that's the problem I am having. How can I find out? There are a trizillion scripts and users on the server.
 
LVL 5

Expert Comment

by:webtrans
What server-side scripting languages are available on the server?
 

Author Comment

by:basara55
PHP, JSP, CGI (Perl)
 
LVL 5

Accepted Solution

by: webtrans (earned 168 total points)
Use this to analyse your Apache log file; it will give you a clue:
http://awstats.sourceforge.net/
LVL 17

Expert Comment

by:owensleftfoot
The Apache logfile in /var/log will show you which user accessed what by their IP addresses.
 
LVL 9

Assisted Solution

by: _GeG_ (earned 166 total points)
Get a spam mail with headers. Now check for the sending date and time. Next, check the Apache log for all PHP/CGI/JSP requests a little before this time. Then check which of those scripts can send mail. Last, find the IP for this request and, if it is (hopefully) a static IP, send it a virus :(
My guess: look in the Apache logs for formmail ;)
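The correlation _GeG_ describes, as an added example that is not part of the original thread: take the delivery time of the spam sample (from the Received: line your own MTA stamped on it, since the Date: header is written by whatever script sent the mail), then list every request to a .php/.cgi/.pl/.jsp path in the Apache combined log during a short window before that time, and count hits per script and client IP. The log lines, the timestamp and the two-minute window are constructed assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Apache "combined" log format: client IP, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Extensions of server-side scripts the original poster has on the box (PHP, JSP, Perl CGI).
SCRIPT_EXTS = (".php", ".cgi", ".pl", ".jsp")

# Constructed sample log lines (not from the original post); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Aug/2004:14:02:11 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
203.0.113.7 - - [31/Aug/2004:14:03:40 +0200] "POST /~bob/cgi-bin/formmail.pl HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.9 - - [31/Aug/2004:14:03:55 +0200] "GET /~alice/gallery.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Aug/2004:14:04:02 +0200] "POST /~bob/cgi-bin/formmail.pl HTTP/1.1" 200 312 "-" "Mozilla/4.0"
192.0.2.44 - - [31/Aug/2004:15:30:00 +0200] "POST /~carol/contact.php HTTP/1.1" 200 210 "-" "curl/7.10"
"""

# Constructed timestamp, as copied from the Received: header added by the local MTA.
SPAM_RECEIVED_TS = "Tue, 31 Aug 2004 14:04:05 +0200"


def parse_apache_ts(ts):
    """Parse '31/Aug/2004:14:03:40 +0200' into a timezone-aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def candidate_requests(log_text, received_ts, window_seconds=120):
    """Return (time, client_ip, method, script_path) for every request to a
    server-side script that landed within window_seconds before the spam was received."""
    spam_time = parsedate_to_datetime(received_ts)
    earliest = spam_time - timedelta(seconds=window_seconds)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        when = parse_apache_ts(m.group("ts"))
        script = m.group("path").split("?", 1)[0]  # drop the query string
        if earliest <= when <= spam_time and script.lower().endswith(SCRIPT_EXTS):
            hits.append((when, m.group("ip"), m.group("method"), script))
    return hits


def rank_candidates(hits):
    """Count hits per (script, client IP), most frequent first: a script hammered
    repeatedly from one address just before the spam went out is the one to read."""
    counts = Counter((script, ip) for _when, ip, _method, script in hits)
    return counts.most_common()


if __name__ == "__main__":
    for (script, ip), n in rank_candidates(candidate_requests(SAMPLE_LOG, SPAM_RECEIVED_TS)):
        print(f"{n:3d}  {ip:<15}  {script}")
```

Run it against the real log with a wider window if the MTA queued the message; once a script stands out, the client IP in the same lines tells you who is driving it, and the path tells you which user's directory the script lives in.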
 
LVL 51

Assisted Solution

by: ahoffmann (earned 166 total points)
find /path/to/files -type f -exec egrep -i 'smtp|telnet|mail|socket' {} \; -print
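The grep ahoffmann suggests, carried one step further as an added example (not the poster's code): instead of matching any file that contains the word "mail" (which also hits "email" in comments and HTML), anchor the patterns to the calls that actually hand a message to an MTA or open a socket, key them by script type, and report file and line. The indicator list and the three sample scripts are constructed for this example; extend the patterns for what is installed on your own server.

```python
import os
import re
import tempfile

# Assumed indicators of mail-sending (or raw socket) capability, keyed by extension.
# PHP: mail() plus the ways a script can shell out to sendmail or talk SMTP itself.
# Perl CGI: the usual modules and a pipe to sendmail. JSP: JavaMail or a raw Socket.
PATTERNS = {
    ".php": [r'\bmail\s*\(', r'\bfsockopen\s*\(', r'\bpopen\s*\(', r'\bproc_open\s*\(',
             r'\bexec\s*\(', r'/usr/(s)?bin/sendmail', r'\bSMTP\b'],
    ".pl":  [r'\bNet::SMTP\b', r'\bMail::\w+', r'/usr/(s)?bin/sendmail',
             r'\bsocket\s*\(', r'\bIO::Socket\b'],
    ".jsp": [r'javax\.mail', r'Transport\.send', r'\bnew\s+Socket\s*\('],
}
PATTERNS[".cgi"] = PATTERNS[".pl"]
COMPILED = {ext: [re.compile(p, re.IGNORECASE) for p in pats] for ext, pats in PATTERNS.items()}


def scan_text(text, ext):
    """Return (line_number, pattern, stripped_line) for each indicator found in one script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rx in COMPILED.get(ext, []):
            if rx.search(line):
                findings.append((lineno, rx.pattern, line.strip()))
    return findings


def scan_tree(root):
    """Walk root and return {relative_path: findings} for every script with at least one hit."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in COMPILED:
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            hits = scan_text(text, ext)
            if hits:
                results[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return results


# Constructed sample scripts (not from the original thread) standing in for user home dirs.
SAMPLE_FILES = {
    "bob/cgi-bin/formmail.pl": (
        "#!/usr/bin/perl\n"
        "my $to = $ENV{QUERY_STRING};\n"
        'open(MAIL, "|/usr/sbin/sendmail -t") or die;\n'
        'print MAIL "To: $to\\n";\n'
    ),
    "carol/contact.php": (
        "<?php\n"
        "// send the message to the site owner\n"
        "mail($_POST['to'], $_POST['subject'], $_POST['body']);\n"
        "?>\n"
    ),
    "alice/gallery.php": (
        "<?php\n"
        "// shows thumbnails; the word email appears here only in a comment\n"
        "echo '<img src=\"thumb.php?id=1\">';\n"
        "?>\n"
    ),
}


def write_samples(root):
    """Create the constructed sample tree under root."""
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def scan_constructed_samples():
    """Write the samples into a temporary tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        write_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(scan_constructed_samples().items()):
        for lineno, pattern, line in hits:
            print(f"{path}:{lineno}: [{pattern}] {line}")
```

On the sample tree only the two scripts that can actually send mail are reported; gallery.php, which the plain `egrep -i mail` would also flag because of the comment, is not. Point scan_tree at the document roots of the virtual hosts and read each reported script by hand, starting with the ones that take the recipient address from the request, as the formmail sample does.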
 
LVL 9

Expert Comment

by:_GeG_
> This question has been classified as abandoned because there are no comments in the last 21 days.
lol, last post from May 2004

BTW, I think my answer provided a usable solution....
 
LVL 20

Expert Comment

by:Venabili
>> lol, last post from May 2004
Well... it is at least 2004 :)) Not older :)
 
LVL 51

Expert Comment

by:ahoffmann
> BTW, I think my answer provided a usable solution....
So do I ...
