I recently found a similar problem, and found out about hack attempts using
lastlog
This command told me who tried to log in through ssh
Run it as root.
lastlog | grep -v Never
From there you can tell users that most likely have weak passwords or have
passwords similar to their usernames
...We need protection for that...
From there you can start looking for directories related to these accounts
or at least change to stronger passwords
The rest is the same story.
Find spam time,
Look at /var/log/maillog for clues
Grep is your friend
man grep might get you started
Also look at /var/log/httpd/access_log
at that time for strange PHP scripts.
In our case we were lucky enough to find a php error at
/var/log/httpd/error_log which led us to the offending script
Maybe a perl script to search for this kind of intrusion is needed.
Will look for something preexistent and report back.
It is painful to search logs for 4 hours to discover script kiddies
Or Asian guys without jobs.
... complaining does not help much... I know
Good hunting!
HTH
Rodrigo O
Xnet
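The log-hunting steps above (lastlog for accounts that actually log in, the spam time from maillog, then PHP scripts hit in access_log at that minute), tied together in one added example script. This is not code from the original post or from BlueQuartz; every log line below is a constructed sample, and the script path in the Apache lines is made up for the illustration.

```bash
#!/bin/bash
# Added example (not from the original post). Constructed sample data:
# real runs would replace these with `lastlog`, /var/log/maillog and
# /var/log/httpd/access_log.

LASTLOG='Username         Port     From             Latest
root             pts/0    10.0.0.2         Sun Jun 28 09:10:11 -0800 2009
jenns            pts/1    192.0.2.77       Sun Jun 28 14:35:02 -0800 2009
admin                                      **Never logged in**
www                                        **Never logged in**'

MAILLOG='Jun 28 03:12:01 srv1 sendmail[1234]: n5S7C1xx012345: from=<www@srv1.example>, size=512, nrcpts=1
Jun 28 14:40:02 srv1 sendmail[2001]: n5SEe2xx020010: from=<apache@srv1.example>, size=1024, nrcpts=50
Jun 28 14:40:03 srv1 sendmail[2002]: n5SEe3xx020011: from=<apache@srv1.example>, size=1024, nrcpts=50
Jun 28 14:40:05 srv1 sendmail[2003]: n5SEe5xx020012: from=<apache@srv1.example>, size=1024, nrcpts=50
Jun 28 14:41:10 srv1 sendmail[2004]: n5SEfAxx020013: from=<apache@srv1.example>, size=1024, nrcpts=50
Jun 28 18:00:00 srv1 sendmail[3000]: n5SI00xx030000: from=<jenns@srv1.example>, size=300, nrcpts=1'

# Script path /web/images/.cache/mailer.php is a made-up example, not a real finding.
ACCESS_LOG='10.0.0.5 - - [28/Jun/2009:14:39:58 -0800] "POST /web/images/.cache/mailer.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
10.0.0.5 - - [28/Jun/2009:14:40:01 -0800] "POST /web/images/.cache/mailer.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
192.0.2.10 - - [28/Jun/2009:14:40:03 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Jun/2009:14:41:09 -0800] "POST /web/images/.cache/mailer.php HTTP/1.1" 200 312 "-" "Mozilla/4.0"
192.0.2.11 - - [28/Jun/2009:17:59:00 -0800] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# Step 1: the `lastlog | grep -v Never` idea. Skip the header line, drop
# accounts that never logged in, print the remaining usernames.
accounts_that_logged_in() {
    printf '%s\n' "$LASTLOG" | tail -n +2 | grep -v Never | awk '{print $1}'
}

# Step 2: find the spam time. Count sendmail "from=" lines per minute and
# print the busiest minute in syslog form, e.g. "Jun 28 14:40".
spam_peak_minute() {
    printf '%s\n' "$MAILLOG" |
        awk '/from=</ { count[$1 " " $2 " " substr($3, 1, 5)]++ }
             END { best = ""; max = 0
                   for (m in count) if (count[m] > max) { max = count[m]; best = m }
                   print best }'
}

# Step 3: grep access_log for PHP requests in that minute. Takes the
# syslog-style minute and rebuilds it as Apache's DD/Mon/YYYY:HH:MM.
php_requests_at() {
    local spec=$1 mon day hm pat
    set -- $spec
    mon=$1; day=$2; hm=$3
    pat="\\[$day/$mon/[0-9]{4}:$hm"
    printf '%s\n' "$ACCESS_LOG" | grep -E "$pat" | grep -E '\.php( |\?)'
}

# Scripts that were POSTed to in that minute, most-hit first: the usual
# shape of a dropped mailer script being driven from outside.
suspicious_php_scripts() {
    php_requests_at "$1" | awk '$6 == "\"POST" { print $7 }' | sort | uniq -c | sort -rn
}

peak=$(spam_peak_minute)
echo "accounts that have logged in: $(accounts_that_logged_in | tr '\n' ' ')"
echo "spam peak minute: $peak"
echo "PHP scripts POSTed to at that minute:"
suspicious_php_scripts "$peak"
```

The minute match is exact; to widen the net to the whole hour, pass only the first two characters of the time (the pattern then matches `:14:` onward). Once a script path shows up, the next stop is the owning site directory and /var/log/httpd/error_log, as the post describes.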
-----Original Message-----
From: Jim Dory [mailto:jdory (at mark) nomealaska.org]
Sent: Monday, 29 June 2009 06:30
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:15758] Re: spam problem w/ email - hope not serious
Dan Kriwitsky wrote:
>
>> [root (at mark) srv1 ~]# find /home/.sites/ -user jenns
>> /home/.sites/106/site3/users/jenns
>>
>
> I would expect the file to be in /home/.sites/106/site3/web/
>
>
The date on that index.html file is Jan. 30, 2003. It is from the old
cobalt-raq when I migrated I guess since it has directories like
/cobalt-images/. /jd
--
Jim Dory
Engineering
City of Nome
PO Box 281
102 Division St.
Nome, AK 99762
907.443.6604
http://www.nomealaska.org