[ale] tracking down a spammer on our box
Ryan Williams
ryan at jimmyether.com
Sat Apr 2 12:50:50 EST 2005
Andrew Thornton wrote:
> I found another good trick is to look through the mail logs and find the
> time the email was sent and then compare it against your apache log files.
>
> Looking for roughly the same timestamp & the account that runs apache,
> from that you should be able to identify who they are (IP address) and
> which page is insecure.
If you mean the apache access logs, I've been doing that and I'm not
seeing any likely matches. I can see in the maillog the time each
message went out. It's pretty consistent... like every 30 seconds 2 or 3
go out. I've tried to match those times with any apache access_logs, but
there is nothing being logged that is that consistent or even a likely
script.
FWIW, I've also used rkhunter to check and make sure there are no
rootkits on the server. We know it's not a user on the server because
we'd have more header info and be able to see the user in the maillog.
Any tips?
Ryan
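A worked version of the log correlation Andrew suggests, added here as an example (it is not code from the thread or from either poster). It parses a sendmail-style maillog and an Apache combined-format access_log, pairs each message that entered the queue with the web requests received within a few seconds of it, counts which client IP and page keep turning up next to outbound mail, and prints the gap between consecutive sends so a steady cadence like the one Ryan reports stands out. Both logs below are constructed: the hostname, queue IDs, addresses and paths are made up, the IPs are from documentation ranges, and the year (syslog lines carry none), the sendmail log layout and the 5-second window are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample logs (not from the original thread). Hostname, queue IDs,
# addresses and paths are made up; the client IPs are documentation addresses.
MAILLOG = """\
Apr  2 12:50:20 box sendmail[4101]: j32HoKXX004101: from=<apache@box.example>, size=812, nrcpts=2, msgid=<a1@box.example>
Apr  2 12:50:21 box sendmail[4103]: j32HoLXX004103: from=<apache@box.example>, size=812, nrcpts=3, msgid=<a2@box.example>
Apr  2 12:50:50 box sendmail[4120]: j32HoiXX004120: from=<apache@box.example>, size=812, nrcpts=2, msgid=<a3@box.example>
Apr  2 12:51:20 box sendmail[4141]: j32HpKXX004141: from=<apache@box.example>, size=812, nrcpts=2, msgid=<a4@box.example>
Apr  2 12:51:22 box sendmail[4142]: j32HpMXX004142: from=<ryan@box.example>, size=2044, nrcpts=1, msgid=<b1@box.example>
"""
ACCESS_LOG = """\
203.0.113.7 - - [02/Apr/2005:12:50:19 -0500] "POST /contact/form.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.4 - - [02/Apr/2005:12:50:33 -0500] "GET /index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2005:12:50:49 -0500] "POST /contact/form.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
198.51.100.9 - - [02/Apr/2005:12:51:05 -0500] "GET /images/logo.gif HTTP/1.1" 200 1933 "-" "Mozilla/5.0"
"""

# sendmail writes one from= line per accepted message; to=/stat= lines are skipped.
MAIL_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sendmail\[\d+\]: (?P<qid>\S+): from=<(?P<sender>[^>]*)>")
# Apache combined format; the bracketed stamp is the time the request was received.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+) [+-]\d{4}\] "(?P<method>\S+) (?P<path>\S+)')


def parse_maillog(text, year):
    """One event per queued message: when it entered the queue and the envelope sender.
    syslog lines have no year, so the caller supplies it (assumed 2005 here)."""
    events = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "qid": m["qid"], "sender": m["sender"]})
    return events


def parse_access_log(text):
    """One record per request. Both logs are local time on the same box, so the
    UTC offset is dropped and naive datetimes are compared directly."""
    reqs = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        reqs.append({"ts": ts, "ip": m["ip"], "path": m["path"]})
    return reqs


def correlate(mail_events, requests, window_s=5):
    """Pair each outbound message with the requests received within window_s seconds of it."""
    out = []
    for ev in mail_events:
        near = [r for r in requests if abs((r["ts"] - ev["ts"]).total_seconds()) <= window_s]
        out.append((ev, near))
    return out


def suspect_pages(correlations):
    """Count (client IP, path) pairs that keep landing next to outbound mail."""
    hits = Counter()
    for _ev, near in correlations:
        for r in near:
            hits[(r["ip"], r["path"])] += 1
    return hits


def send_intervals(mail_events, sender):
    """Seconds between consecutive messages from one envelope sender: shows the cadence."""
    ts = sorted(ev["ts"] for ev in mail_events if ev["sender"] == sender)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]


if __name__ == "__main__":
    mails = parse_maillog(MAILLOG, 2005)
    reqs = parse_access_log(ACCESS_LOG)
    for ev, near in correlate(mails, reqs):
        tag = ", ".join(f"{r['ip']} {r['path']}" for r in near) or "no request within window"
        print(f"{ev['ts']:%H:%M:%S} {ev['qid']} from={ev['sender']}: {tag}")
    print("cadence (s):", send_intervals(mails, "apache@box.example"))
    print("suspects:", suspect_pages(correlate(mails, reqs)).most_common(3))
```

On the constructed data the two POSTs to /contact/form.php sit a second before three of the four apache-originated messages, which is the pattern Andrew is describing; the 12:51:20 message has no request near it. That last case is the one to keep in mind when, as in Ryan's situation, nothing lines up at all: Apache only logs requests, so mail sent by a process that has detached from the request that started it (or by something started once and left looping under the apache user) leaves no further trace in access_log, and the remaining place to look is the list of long-lived processes owned by that user rather than the request timestamps.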