I have a CentOS server running Exim with a standard LAMP stack installed. The problem is that some process is sending unsolicited email, and I do not know how to find that process. Here is what I have done:
I ran
tail /var/log/exim_mainlog
to see what was happening. Here is some of the output:
2016-02-14 01:42:00 SMTP connection from (jabosupply.dcr103.com) [255.255.255.255]:33165 closed by QUIT
2016-02-14 01:42:00 1aUlhH-0006fx-UO => cpm147 <[email protected]> R=localuser T=local_delivery
2016-02-14 01:42:00 1aUlhH-0006fx-UO Completed
2016-02-14 01:42:03 1aUlhL-0006gS-RD <= [email protected] H=(site2.com) [255.255.255.255]:54467 P=esmtp S=25154 [email protected]$
2016-02-14 01:42:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aUlhL-0006gS-RD
2016-02-14 01:42:04 1aUlhL-0006gS-RD => cpm147 <[email protected]> R=localuser T=local_delivery
2016-02-14 01:42:04 1aUlhL-0006gS-RD Completed
2016-02-14 01:42:04 SMTP connection from (site2.com) [255.255.255.255]:54467 closed by QUIT
2016-02-14 01:42:05 SMTP connection from [255.255.255.255]:40445 (TCP/IP connection count = 5)
2016-02-14 01:42:05 no host name found for IP address 255.255.255.255
2016-02-14 01:42:11 SMTP connection from [255.255.255.255]:58622 (TCP/IP connection count = 6)
2016-02-14 01:42:12 1aUlhU-0006hP-C9 <= [email protected] H=(site3.com) [255.255.255.255]:48668 P=esmtp S=37419 [email protected]$
2016-02-14 01:42:12 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aUlhU-0006hP-C9
2016-02-14 01:42:12 SMTP connection from (site3.com) [255.255.255.255]:48668 closed by QUIT
2016-02-14 01:42:12 1aUlhU-0006hP-C9 => cpm147 <[email protected]> R=localuser T=local_delivery
2016-02-14 01:42:12 1aUlhU-0006hP-C9 Completed
2016-02-14 01:42:17 SMTP connection from [255.255.255.255]:40445 lost
2016-02-14 01:42:17 1aUSE4-0000ZZ-Tp == [email protected] R=dkim_lookuphost defer (-1): host lookup did not complete
2016-02-14 01:42:17 1aUj64-0004bS-6P Message is frozen
2016-02-14 01:42:17 1aULQ4-0002bv-Bs Unfrozen by errmsg timer
2016-02-14 01:42:18 1aULQ4-0002bv-Bs ** alisa_mckinney@site4 R=dkim_lookuphost T=dkim_remote_smtp H=smtp.secureserver.net [255.255.255.255]: SMTP error from remote mail server $
2016-02-14 01:42:18 1aULQ4-0002bv-Bs alisa_mckinney@site4: error ignored
2016-02-14 01:42:18 1aULQ4-0002bv-Bs Completed
I tried shutting off the server's mail through WHM. That worked, but it is not a permanent solution!
I ran
top
to look at the exim processes. There were anywhere from 0 or 1 up to 7 of them, running as root or mailnull, so I cannot identify the hosting user account.
I think there must be a Perl script or PHP script somewhere that is running this. I need to identify it. Can anyone help me find the physical source of the script that is running?
PS: My server is not heavily used, and none of the sites has a mail script. I suppose it must have been injected, so I am also changing passwords. But my top priority is finding it.
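One thing the posted log already offers is the `cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc ...` lines: exim writes a `cwd=<dir> <n> args: <argv>` line for every invocation when its `log_selector` includes `+arguments`, and for a message handed in by a local PHP or Perl script that `cwd=` is the directory the script ran from. Exim's own queue runners and delivery processes run from `/var/spool/exim`, so any other `cwd=` (typically under `/home/<account>/public_html/...`) is the "physical source" the question asks for. In the excerpt above every `cwd=` is the spool directory and the arrivals (`<=`) came in over SMTP from remote hosts (`H=`), so an outbound script, if one exists, would show up as a `cwd=` elsewhere in the full log. The script below is an added example, not part of the original question or answer; it parses the two line types just described and tallies submitting directories and envelope senders. The sample log is constructed: the first two entries mirror the question's log, while the `/home/cpm147/...` path, `promo@example.net`, and the cron entry are invented for the demonstration.

```python
"""Triage an exim mainlog for the process behind unsolicited mail.

Two kinds of mainlog lines are used:

  cwd=<dir> <n> args: <argv>   written when exim's log_selector includes
                               +arguments; for a message handed in by a local
                               script, <dir> is the directory the script ran from
  <id> <= <sender> ...         message arrival, with U=<user> for local
                               submissions and H=<host> for SMTP connections

Exim's own queue runners and delivery processes run from /var/spool/exim, so
any other cwd= is a local submitter worth inspecting on disk.
"""
import re
import sys
from collections import Counter

EXIM_SPOOL = "/var/spool/exim"

# Constructed sample. The first two lines mirror entries in the question; the
# /home/cpm147/... path, promo@example.net and the cron entry are invented.
SAMPLE_LOG = """\
2016-02-14 01:42:03 1aUlhL-0006gS-RD <= bounce@site2.com H=(site2.com) [255.255.255.255]:54467 P=esmtp S=25154
2016-02-14 01:42:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aUlhL-0006gS-RD
2016-02-14 01:42:20 cwd=/home/cpm147/public_html/wp-content/uploads 5 args: /usr/sbin/sendmail -t -i -f promo@example.net
2016-02-14 01:42:20 1aUlhc-0006iA-1x <= promo@example.net U=cpm147 P=local S=1849
2016-02-14 01:42:21 cwd=/home/cpm147/public_html/wp-content/uploads 5 args: /usr/sbin/sendmail -t -i -f promo@example.net
2016-02-14 01:42:21 1aUlhd-0006iB-2y <= promo@example.net U=cpm147 P=local S=1852
2016-02-14 01:42:22 cwd=/home/cpm147/public_html/wp-content/uploads 5 args: /usr/sbin/sendmail -t -i -f promo@example.net
2016-02-14 01:42:22 1aUlhe-0006iC-3z <= promo@example.net U=cpm147 P=local S=1851
2016-02-14 01:42:30 cwd=/etc/cron.daily 2 args: /usr/sbin/sendmail -t
2016-02-14 01:42:30 1aUlhf-0006iD-4a <= root@host.example.org U=root P=local S=612
"""

ARGS_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<argv>.*)$")
# Exim message IDs are 16 characters, e.g. 1aUlhL-0006gS-RD.
ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<id>\S{16}) <= (?P<sender>\S+)(?P<rest>.*)$")


def origin_of(rest):
    """Return 'U=<user>' for a local submission, else 'H=<host>', else '?'."""
    for key in ("U=", "H="):
        m = re.search(r"(?<!\S)" + re.escape(key) + r"(\S+)", rest)
        if m:
            return key + m.group(1)
    return "?"


def parse_log(text):
    """Count submitting directories and (sender, origin) pairs in mainlog text."""
    script_dirs = Counter()   # cwd of local submitters, exim's spool dir excluded
    argv_by_dir = {}          # last command line seen from each directory
    senders = Counter()       # (envelope sender, U=user or H=host) -> arrivals
    for line in text.splitlines():
        m = ARGS_RE.match(line)
        if m:
            cwd = m.group("cwd")
            if not cwd.startswith(EXIM_SPOOL):
                script_dirs[cwd] += 1
                argv_by_dir[cwd] = m.group("argv")
            continue
        m = ARRIVAL_RE.match(line)
        if m:
            senders[(m.group("sender"), origin_of(m.group("rest")))] += 1
    return {"script_dirs": script_dirs, "argv_by_dir": argv_by_dir, "senders": senders}


def report(text, top=5):
    """Human-readable summary: where to look first on the filesystem."""
    r = parse_log(text)
    lines = ["Directories handing mail to exim (check them for dropped PHP/Perl files):"]
    for cwd, n in r["script_dirs"].most_common(top):
        lines.append(f"  {n:5d}  {cwd}  ({r['argv_by_dir'][cwd]})")
    lines.append("Top envelope senders and how they arrived:")
    for (sender, origin), n in r["senders"].most_common(top):
        lines.append(f"  {n:5d}  {sender}  {origin}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On the server: python3 exim_triage.py /var/log/exim_mainlog
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text))
```

Mail that arrives over authenticated SMTP (the `H=` arrivals) leaves no `cwd=` line because no local process invoked exim; for those the sender/origin tally, or grouping the queue by `auth_id` as the answer below does, points at the compromised account rather than at a file.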
Answer 1
If I remember correctly, cPanel users have to authenticate before they can send mail, so you should see an "auth_id" field in the message headers. I wrote a small script that checks exim's outgoing queue, finds IDs that have more than 50 mails in the queue, and deletes them. Hope it is useful to you.
#!/usr/bin/perl
# Script for deleting spam mails
#
# Logs in to the mail server as root over SSH, groups the queued messages by
# the "-auth_id" recorded in each spool header (the authenticated cPanel
# account), and offers to remove every queued message of any auth_id that has
# more than 50 messages waiting.
use strict;
use warnings;
use Net::OpenSSH;

my $host = $ARGV[0];
die "usage: $0 <host>\n" unless defined $host;

my $ssh2 = Net::OpenSSH->new($host, user => 'root', timeout => 600);
$ssh2->error and die "unable to connect to $host: " . $ssh2->error;

# exiqgrep -i lists the queued message IDs; exim -Mvh prints a message's spool
# header, whose -auth_id line names the authenticated sender. Each output line
# is "<count> <auth_id>", most prolific first.
my @authids = $ssh2->capture("exiqgrep -i |xargs -I \~ /usr/sbin/exim -Mvh \~ |awk -F'[@ ]' '/auth_id/{print \$NF}' |sort |uniq -c |sort -nrk1");

foreach (@authids) {
    my @string = split();    # $string[0] = count, $string[1] = auth_id
    if ($string[0] > 50) {
        my $header = "count - $string[0] , offender - $string[1]\n";
        # Show Subject/To/From of this auth_id's queued messages before asking.
        my $summary = $ssh2->capture("for i in `exiqgrep -i`; do if [[ \"`/usr/sbin/exim -Mvh \$i |awk -F'[@ ]' '/auth_id/{print \$NF}'`\" == \"$string[1]\" ]]; then /usr/sbin/exim -Mvh \$i |awk '/(Subject: |To:|From:)/{print}';fi;done");
        print "$summary\n";
        print $header;
        print "Delete [y/n]";
        my $line = <STDIN> // '';
        chomp($line);
        if ($line eq "y") {
            print "Preparing to delete\n";
            # exim -Mrm removes a message from the queue.
            $ssh2->capture("for i in `exiqgrep -i`; do if [[ \"`/usr/sbin/exim -Mvh \$i |awk -F'[@ ]' '/auth_id/{print \$NF}'`\" == \"$string[1]\" ]]; then /usr/sbin/exim -Mrm \$i;fi;done") or die "remote command failed: " . $ssh2->error;
            print "Deleted\n";
        }
    } else {
        # Counts are sorted descending, so no later auth_id exceeds 50.
        last;
    }
}