[BlueOnyx:21169] Re: Spammer
Tigerwolf
tigerwolf at tigerden.com
Sun Jul 16 13:05:36 -05 2017
On Sun, 16 Jul 2017, Colin Jack wrote:
> Looking for ideas. We suspect we have a compromised website on one of
> our servers, being used for spam. What is the easiest way to track
> this down? Can see spam being sent via localhost but can't pin it down.
There are some spamming scripts that do pretty well at hiding, including
erasing themselves once a run is completed. Those get into the system
through compromised user account passwords.
Check ftp logs for unusual transfers and the local account(s) they went to.
Check user shell history for evidence of creating/running/deleting unusual
programs.
The spambots don't generally use the system sendmail, so those logs won't
show much for outbound. If the spam is generating lots of remote bounces,
the local sendmail logs may show an abnormal amount of incoming rejected
mail to the spamming account.
Use 'iftop' and/or 'iptraf' to watch for outbound mail connections. If
they're spewing a lot, you should be able to tell easily. If short
bursts, or slow spamming, it could be harder to see.
When a run is underway, watch 'top' to see who owns the spamming
process(es).
If you can figure out which user account is the source, change the
password immediately, and kill all that user's processes. This may stop
the spambot without it being able to delete itself and provide extra
forensic details. Notify the user and question them about the situation,
and wipe any suspect files not known to belong to the actual user.
--
=^_^= Tigerwolf
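An added example, not from Tigerwolf's post or the BlueOnyx project: a small shell script that turns the steps above (spot outbound SMTP connections and their owning processes, tally rejected incoming mail per local account, then lock the account and kill its processes before the bot can clean up) into reusable helpers. It goes one step beyond the post by freezing the user's processes with SIGSTOP and copying /proc evidence before killing them. The `ss -tnp` listing and the sendmail log lines are constructed sample data; the user name web1, the /root/ir-* evidence directory and the CONFIRM variable are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. The socket listing and
# maillog lines are constructed; feed real output instead (see the usage lines
# at the bottom). Run on a real box only as root and only after reading it.
set -u

# Constructed `ss -tnp` output: one web process and one perl process talking to
# remote port 25/587, plus unrelated sshd/httpd sockets that must be ignored.
SAMPLE_SS='State    Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB    0      0      10.0.0.5:41822       203.0.113.9:25       users:(("php-cgi",pid=4321,fd=7))
ESTAB    0      0      10.0.0.5:41830       203.0.113.17:25      users:(("php-cgi",pid=4321,fd=9))
ESTAB    0      0      10.0.0.5:22          198.51.100.2:51000   users:(("sshd",pid=1500,fd=4))
SYN-SENT 0      1      10.0.0.5:41844       192.0.2.44:587       users:(("perl",pid=4390,fd=3))
ESTAB    0      0      10.0.0.5:443         198.51.100.9:39210   users:(("httpd",pid=2200,fd=12))'

# Constructed sendmail log: a burst of rejected incoming mail for web1 (the
# forged sender of the spam run) and one unrelated rejection.
SAMPLE_MAILLOG='Jul 16 12:01:02 srv sendmail[2201]: v6GH12AA002201: ruleset=check_rcpt, arg1=<web1@srv.example.com>, relay=mx1.example.net [198.51.100.7], reject=452 4.2.2 <web1@srv.example.com>... Mailbox full
Jul 16 12:01:05 srv sendmail[2204]: v6GH15AB002204: ruleset=check_rcpt, arg1=<web1@srv.example.com>, relay=mx2.example.org [203.0.113.30], reject=452 4.2.2 <web1@srv.example.com>... Mailbox full
Jul 16 12:01:09 srv sendmail[2210]: v6GH19AC002210: from=<alice@example.net>, size=2310, class=0, nrcpts=1, relay=mx.example.net [198.51.100.8]
Jul 16 12:01:11 srv sendmail[2213]: v6GH1BAD002213: ruleset=check_rcpt, arg1=<web1@srv.example.com>, relay=mail.example.com [192.0.2.10], reject=452 4.2.2 <web1@srv.example.com>... Mailbox full
Jul 16 12:02:40 srv sendmail[2260]: v6GH2eAE002260: ruleset=check_rcpt, arg1=<bob@srv.example.com>, relay=mx.example.org [203.0.113.31], reject=550 5.7.1 <bob@srv.example.com>... Relaying denied'

# Step: who is making outbound mail connections?
# Reads `ss -tnp` output on stdin, keeps sockets whose peer port is 25, 465 or
# 587 and prints "pid command", deduplicated. Owner lookup for a pid is then
# `ps -o user=,args= -p PID` (what `top` would show during a run).
find_smtp_pids() {
    awk '($1 == "ESTAB" || $1 == "SYN-SENT") {
            n = split($5, peer, ":"); port = peer[n]
            if (port == 25 || port == 465 || port == 587) print
         }' \
    | sed -n 's/.*users:(("\([^"]*\)",pid=\([0-9][0-9]*\).*/\2 \1/p' \
    | sort -u
}

# Step: is one local account collecting an abnormal amount of rejected mail?
# Reads sendmail log lines on stdin and prints "count address", busiest first,
# for the recipient named on each reject line. The arg1=<addr>/to=<addr> field
# layout is an assumption about sendmail's log format; adjust for other MTAs.
rejected_recipients() {
    awk '/reject=/ && match($0, /(arg1|to)=<[^>]+>/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^[a-z0-9]+=</, "", s); sub(/>$/, "", s)
            count[s]++
         }
         END { for (a in count) print count[a], a }' \
    | sort -rn
}

# Step: contain the account without letting the bot delete itself.
# Prints the plan by default; set CONFIRM=yes to execute it as root.
# Order matters: SIGSTOP first (a frozen script cannot run its cleanup), copy
# evidence (including the on-disk binary via /proc/PID/exe, which survives even
# if the file was unlinked), then lock the password and kill the processes.
contain_user() {
    user="$1"; evidence="/root/ir-$user-$(date +%Y%m%d%H%M%S)"   # assumed path
    run() { if [ "${CONFIRM:-no}" = "yes" ]; then eval "$1"; else printf '  %s\n' "$1"; fi; }
    echo "Containment plan for $user (evidence dir: $evidence):"
    run "pkill -STOP -u $user"
    run "mkdir -p $evidence"
    run "ps -u $user -o pid=,etime=,args= > $evidence/ps.txt"
    run "for p in \$(pgrep -u $user); do ls -l /proc/\$p/exe /proc/\$p/cwd; cp /proc/\$p/exe $evidence/exe.\$p; done > $evidence/procs.txt 2>&1"
    run "cp -p ~$user/.bash_history $evidence/ 2>/dev/null"
    run "passwd -l $user"
    run "pkill -KILL -u $user"
}

# Demo on the constructed data. On a live system use, for example:
#   ss -tnp | find_smtp_pids
#   rejected_recipients < /var/log/maillog
#   CONFIRM=yes contain_user web1
printf '%s\n' "$SAMPLE_SS" | find_smtp_pids
printf '%s\n' "$SAMPLE_MAILLOG" | rejected_recipients
contain_user web1
```

The dry-run default is deliberate: `pkill -KILL -u` and `passwd -l` are irreversible on a shared host, so the script shows exactly what it will do before you re-run it with CONFIRM=yes. The SIGSTOP step is what preserves the forensic detail the post mentions: a script that erases itself at the end of a run cannot reach that line while stopped, and `/proc/PID/exe` still hands you the binary even if it already unlinked the file.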