Troubleshoot spamming in qmail server

ARUN Posted in ATTACK, MAIL, PLESK BACKEND

How to get the mail queue statistics:

# /var/qmail/bin/qmail-qstat
messages in queue: 23024
messages in queue but not yet preprocessed: 0


How to install and configure maldet scan

ARUN Posted in ATTACK, FIREWALL, INSTALLATION, VIRUS SCAN

wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
tar -xzvf maldetect-current.tar.gz
cd maldetect-*
sh install.sh

================================

maldet --scan-all /home/*/public_html/      ---> To scan

maldet --report 122111-1532.827             ---> To see the report

maldet -q 122111-1532.8272                  ---> To remove the infected files

maldet(7488): {scan} quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 125211-1258.7488

The list of infected files is kept in the session directory:

cd /usr/local/maldetect/sess/

Look for the file whose name starts with session.

SYN FLOOD attack

ARUN Posted in ATTACK

To detect a SYN flood attack, count the connections to port 80 that are stuck in the SYN_RECV state:

netstat -plan | grep :80 | grep SYN_RECV | wc -l

Troubleshoot Spamming 2

ARUN Posted in ATTACK, MAIL, SPAMMING

Get details of the scripts that are used to send out spam emails:

grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

Eximstats

eximstats -t5 /var/log/exim_mainlog > teststats

Script to get the mail count by account (working directory):

grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n

The number of mails completed for a domain on a given day:

exigrep @domain.com /var/log/exim_mainlog | grep 2009-04-17 | grep Completed | wc -l

1) Issue this command: ps -C exim -fH ewww | grep home
It shows the mails going out from the server and from which user's home directory each one is sent, so you can easily trace it and block it if needed.

2) Issue this command: eximstats -ne -nr /var/log/exim_mainlog
It shows the top 50 domains using the mail server.

3) Issue this command: exim -bp | exiqsumm
It shows the main domains receiving and sending mail on the server.

4) Issue this command: netstat -plan | grep :25 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
It shows the IPs which are connected to the server through port 25. If one particular IP is using more than 10 connections, you can block it in the server firewall.

5) In order to find "nobody" spamming, issue the following command:
ps -C exim -fH ewww | awk '{for(i=1;i<=40;i++){print $i}}' | sort | uniq -c | grep PWD | sort -n
It will give a result like:
6 PWD=/
347 PWD=/home/sample/public_html/test
Count the PWD entries; if a count is large, check the files in the directory listed in PWD
(ignore it if it is /, /var/spool/mail or /var/spool/exim).

The above command is valid only while the spamming is in progress. If the spamming happened some hours earlier, use the following command instead.

Command:
grep "cwd=" /var/log/exim_mainlog | awk '{for(i=1;i<=10;i++){print $i}}' | sort | uniq -c | grep cwd | sort -n
This will result in something like:
47 cwd=/root
8393 cwd=/home/sample/public_html/test

Count the cwd entries; if a count is large, check the files in the directory listed in cwd
(ignore it if it is /, /var/spool/mail or /var/spool/exim).
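The cwd counting step above as an added shell example (not from the original post): it pulls the cwd= field out of an Exim mainlog, drops the directories the post says to ignore, sorts by count, and flags directories over a threshold. The log lines are constructed samples, and the function names cwd_counts, top_cwd and flag_cwd are my own.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Constructed sample of /var/log/exim_mainlog lines (not real data).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2009-04-17 10:01:02 cwd=/home/sample/public_html/test 4 args: /usr/sbin/sendmail -t -i
2009-04-17 10:01:03 cwd=/home/sample/public_html/test 4 args: /usr/sbin/sendmail -t -i
2009-04-17 10:01:04 cwd=/home/sample/public_html/test 4 args: /usr/sbin/sendmail -t -i
2009-04-17 10:01:05 cwd=/var/spool/exim 3 args: /usr/sbin/exim -q
2009-04-17 10:01:06 cwd=/root 4 args: /usr/sbin/sendmail -t root
2009-04-17 10:01:07 1LuX0Z-0001aB-Cd <= sender@example.com H=mail.example.com [203.0.113.10] P=esmtp S=1234
EOF

# cwd_counts LOGFILE: print "count directory" per cwd value, highest first,
# skipping /, /var/spool/mail and /var/spool/exim (the post's ignore list).
cwd_counts() {
    grep -o 'cwd=[^ ]*' "$1" \
        | sed 's/^cwd=//' \
        | grep -v -x -e '/' -e '/var/spool/mail' -e '/var/spool/exim' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# top_cwd LOGFILE: the directory with the most sends (empty if none).
top_cwd() {
    cwd_counts "$1" | head -n 1 | awk '{print $2}'
}

# flag_cwd LOGFILE THRESHOLD: directories with more than THRESHOLD sends,
# i.e. the ones whose files deserve a look.
flag_cwd() {
    cwd_counts "$1" | awk -v t="$2" '$1 > t {print $2}'
}

cwd_counts "$SAMPLE_LOG"
```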

Run the following command to find the domain that is being used by the spammers:

exim -bpr | exiqsumm -c | head

Then,

exiqgrep -ir <domain> | xargs -n1 exim -Mrm

That should remove any e-mail that is in the queue that is waiting to be delivered to POP accounts at <domain>.

Precautions:
1) Turn on the SMTP tweak. It stops users from bypassing the mail server to send out spam.
2) Turn on the blacklisting ability in WHM.
3) Use SpamAssassin to stop receiving spam mails.

How to clear the brute force database

ARUN Posted in ATTACK, MYSQL

When you are blocked by the brute force protection, use the commands below to clear its database.

SSH to the server:

mysql -u user -p

mysql> connect cphulkd;

mysql> select IP, BRUTETIME from brutes order by BRUTETIME;

mysql> delete from brutes;

Qmail queue remove

ARUN Posted in ATTACK, MAIL

http://www.linuxmagic.com/opensource/qmail/qmail-remove/

DDoS attack

ARUN Posted in ATTACK, LOAD

Check which remote IP address is holding the most connections to port 80 using the command:
netstat -alpn | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c

Check which IP address of the server is receiving the most connections using the command:
netstat -alpn | grep :80 | awk '{print $4}' | cut -d: -f1 | sort | uniq -c