尝试查找服务器上发送垃圾邮件的进程

尝试查找服务器上发送垃圾邮件的进程

我有一台运行 Exim 的 CentOS 服务器,其中安装了标准 LAMP 堆栈。问题是有一个进程正在发送未经请求的电子邮件,而我不知道如何找到该进程。以下是我所做的:

  1. 我做了一些操作tail /var/log/exim_mainlog来查看发生了什么。以下是一些输出:

    2016-02-14 01:42:00 SMTP connection from (jabosupply.dcr103.com) [255.255.255.255]:33165 closed by QUIT
    2016-02-14 01:42:00 1aUlhH-0006fx-UO => cpm147 <[email protected]> R=localuser T=local_delivery
    2016-02-14 01:42:00 1aUlhH-0006fx-UO Completed
    2016-02-14 01:42:03 1aUlhL-0006gS-RD <= [email protected] H=(site2.com) [255.255.255.255]:54467 P=esmtp S=25154 [email protected]$
    2016-02-14 01:42:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aUlhL-0006gS-RD
    2016-02-14 01:42:04 1aUlhL-0006gS-RD => cpm147 <[email protected]> R=localuser T=local_delivery
    2016-02-14 01:42:04 1aUlhL-0006gS-RD Completed
    2016-02-14 01:42:04 SMTP connection from (site2.com) [255.255.255.255]:54467 closed by QUIT
    2016-02-14 01:42:05 SMTP connection from [255.255.255.255]:40445 (TCP/IP connection count = 5)
    2016-02-14 01:42:05 no host name found for IP address 255.255.255.255
    2016-02-14 01:42:11 SMTP connection from [255.255.255.255]:58622 (TCP/IP connection count = 6)
    2016-02-14 01:42:12 1aUlhU-0006hP-C9 <= [email protected] H=(site3.com) [255.255.255.255]:48668 P=esmtp S=37419 [email protected]$
    2016-02-14 01:42:12 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aUlhU-0006hP-C9
    2016-02-14 01:42:12 SMTP connection from (site3.com) [255.255.255.255]:48668 closed by QUIT
    2016-02-14 01:42:12 1aUlhU-0006hP-C9 => cpm147 <[email protected]> R=localuser T=local_delivery
    2016-02-14 01:42:12 1aUlhU-0006hP-C9 Completed
    2016-02-14 01:42:17 SMTP connection from [255.255.255.255]:40445 lost
    2016-02-14 01:42:17 1aUSE4-0000ZZ-Tp == [email protected] R=dkim_lookuphost defer (-1): host lookup did not complete
    2016-02-14 01:42:17 1aUj64-0004bS-6P Message is frozen
    2016-02-14 01:42:17 1aULQ4-0002bv-Bs Unfrozen by errmsg timer
    2016-02-14 01:42:18 1aULQ4-0002bv-Bs ** alisa_mckinney@site4 R=dkim_lookuphost T=dkim_remote_smtp H=smtp.secureserver.net [255.255.255.255]: SMTP error from remote mail server $
    2016-02-14 01:42:18 1aULQ4-0002bv-Bs alisa_mckinney@site4: error ignored
    2016-02-14 01:42:18 1aULQ4-0002bv-Bs Completed
    
  2. 尝试通过 WHM 关闭服务器的邮件 - 虽然成功了,但不是永久的解决方案!

  3. 完成top查看 exim 进程。其中有 0 到 1 到 7 个进程,用户为 或rootmailnull因此无法识别托管用户帐户。

我认为肯定有某个地方的 PERL 脚本或 PHP 脚本正在运行此脚本。我需要识别它。有人能帮我找到正在运行的脚本的物理来源吗?

PS 我的服务器使用率不高,而且没有一个网站有邮件脚本。我想这肯定是被注入了,所以我也在更改密码。但我的首要任务是找到它。

答案1

如果我没记错的话,cpanel 用户必须执行身份验证才能发送邮件。因此您应该在电子邮件标题中看到“auth_id”字段。我编写了一个小脚本,用于检查 exim 的传出队列,查找队列中拥有超过 50 封邮件的 ID 并删除它们。希望它对您有用。

#!/usr/bin/perl
#Script for deleting spam mails
use strict;
use warnings;
use Net::OpenSSH;
my $host = $ARGV[0];
my $ssh2 = Net::OpenSSH->new($host,user=>'root',timeout=>600);
my @authids =  $ssh2->capture("exiqgrep -i |xargs -I \~ /usr/sbin/exim -Mvh \~ |awk -F'[@ ]' '/auth_id/{print \$NF}' |sort |uniq -c |sort -nrk1");
foreach (@authids) {
  my @string = split();
  if($string[0] > 50) {
    my $header = "count - $string[0] , offender - $string[1]\n";
    my $summary = $ssh2->capture("for i in `exiqgrep -i`; do if [[ \"`/usr/sbin/exim -Mvh \$i |awk -F'[@ ]' '/auth_id/{print \$NF}'`\" == \"$string[1]\" ]]; then /usr/sbin/exim -Mvh \$i |awk '/(Subject: |To:|From:)/{print}';fi;done");
    print "$summary\n";
    print "count - $string[0] , offender - $string[1]\n";
    print "Delete [y/n]";
    my $line = <STDIN>;
    chomp($line);
      if($line eq "y") {
      print "Prepairing to delete\n";
      $ssh2->capture("for i in `exiqgrep -i`; do if [[ \"`/usr/sbin/exim -Mvh \$i |awk -F'[@ ]' '/auth_id/{print \$NF}'`\" == \"$string[1]\" ]]; then /usr/sbin/exim -Mrm \$i;fi;done") or die "remote command failed: " . $ssh2->error;
      print "Deleted\n";
      }

  } else {
  last;
}

}

相关内容