KNOWNHOST WIKI

security:misc:checking-access-logs-for-abuse

Differences

This shows you the differences between two versions of the page.

security:misc:checking-access-logs-for-abuse [2019/06/06 17:15]
Jonathan K. W. [Wordpress Heartbeat API]
security:misc:checking-access-logs-for-abuse [2019/06/06 17:18]
Jonathan K. W. [Spam Scripts]
Line 333: Line 333:
 ==== Spam Scripts ==== ==== Spam Scripts ====
  
-We've already discussed incoming spam briefly as it pertains to DoS attacks. What about outgoing spam? CSF/LFD, which KnownHost provisions our server with by default, is excellent for notifying you of any spam-related activity. Spam scripts may be uploaded via exploit to the sites on the server, and then triggered via POST requests to send spam messages. In this case, you would look for a large number of spam emails in queue , bounce-backs from these emails, RBL listings, and/or notifications from LFD and/or cPanel. One of the most reliable methods to find the source of a spam script is to check the domlogs for those POST requests to the script. LFD relay alerts due to spam-sending scripts scripts will usually contain a hint as the location of the script responsible (typically a directory containing the script). This information is even contained within the subject of such emails (ex. "​Script Alert for '/​home/​username/​public_html/​sotpie/'"​ for root"​). You can then search the domlogs for the directory location of the script to see exactly which script in that directory is responsible. The following prints out the site, the external IP making the request, and the script being requested in order of increasing number of requests per IP/site:+<WRAP center round info 80%> 
 +SMTP_BLOCK is enabled by default on our servers which prevents traffic for email outgoing on 25, 465 and 587 via php mail and/or smtp mailer scripts. 
 +</​WRAP>​ 
 + 
 +We've already discussed incoming spam briefly as it pertains to DoS attacks. What about outgoing spam? CSF/LFD, which KnownHost provisions our server with by default, is excellent for notifying you of any spam-related activity. Spam scripts may be uploaded via exploit to the sites on the server, and then triggered via POST requests to send spam messages. In this case, you would look for a large number of spam emails in queue , bounce-backs from these emails, RBL listings, and/or notifications from LFD and/or cPanel. ​ 
 + 
 +One of the most reliable methods to find the source of a spam script is to check the domlogs for those POST requests to the script. LFD relay alerts due to spam-sending scripts scripts will usually contain a hint as the location of the script responsible (typically a directory containing the script). This information is even contained within the subject of such emails (ex. "​Script Alert for '/​home/​username/​public_html/​sotpie/'"​ for root"​). You can then search the domlogs for the directory location of the script to see exactly which script in that directory is responsible. ​ 
 + 
 +The following prints out the site, the external IP making the request, and the script being requested in order of increasing number of requests per IP/site:
  
   grep "​sotpie"​ /​usr/​local/​apache/​domlogs/​username/​* | grep POST | awk {'​print $1,​$7'​} | sort | uniq -c | sort -n   grep "​sotpie"​ /​usr/​local/​apache/​domlogs/​username/​* | grep POST | awk {'​print $1,​$7'​} | sort | uniq -c | sort -n
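Review bot: the added paragraphs carry the old text's wording defects over instead of fixing them while the paragraph is being split: "spam-sending scripts scripts" doubles the word, "a hint as the location" is missing "to", "in queue ," has a stray space before the comma, and the example subject closes one more quote than it opens ("Script Alert for '/home/username/public_html/sotpie/'" for root""). The new WRAP note also says SMTP_BLOCK "prevents traffic for email outgoing on 25, 465 and 587 via php mail and/or smtp mailer scripts", yet the paragraph right below still tells the reader to look for spam sitting in the mail queue; consider stating exactly which path SMTP_BLOCK closes (direct outbound SMTP connections from scripts) and which one this section is still diagnosing (mail accepted by the local MTA and visible in the queue), so the two statements do not read as contradicting each other. Minor, on the unchanged command line: `awk {'print $1,$7'}` works only because the shell concatenates the braces with the quoted string; the conventional form `awk '{print $1,$7}'` is clearer, and `grep POST` will also match "POST" appearing in a request path or user agent, so a match on the request method field is stricter.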
security/misc/checking-access-logs-for-abuse.txt · Last modified: 2019/06/06 17:18 by Jonathan K. W.