Re: apache compromised to send spam, need way to check file access

From: Ohmster (notareal_at_emailaddress.com)
Date: 04/25/05

Date: Mon, 25 Apr 2005 12:28:43 GMT

"Dave {Reply Address in.sig}" <noone$$@llondel.org> wrote in
news:5702848.IE1brrojB9@robinton.llondel.org:

> [snip]
>
> Do you have any apache log files? Often found in /var/log/httpd.
>
> If so, have a look through them and see if any .pl, .php, .cgi, etc
> files are being accessed. Check your cgi-bin directory (on RH9 it may
> be /var/www/cgi-bin) for such files. Of course, if your machine has
> been compromised rather than just leaving a mail-capable executable
> where others can find it, then you've got bigger problems that require
> a complete re-install.
>
> --
> Dave

Yeah. Tried that yesterday but I cannot figure out how to grep the output
of "cat *" in /var/log/httpd, or at least each set of logs at a time such
as "grep access*", and then filter out specifically for .pl, .cgi, or
.php. Just using the letters gave me far too much irrelevant output;
these logs are freaking huge and there are lots of them. Trying to grep
with the . such as .pl did not seem to work. There must be a better
way...

Don't believe the machine has been compromised as there is no evidence of it,
other than apache spamming the public now, and apache would do this with
any one of several files it can use in the www roots to email with? Wish
there were more evidence in the mails as to what file or file(s) are
doing this. Have to watch this now more closely. Have not totally ruled
out a compromised host, will watch very closely, not taking your advice
lightly. If you have any more suggestions, please feel free to express
them, I am watching.

Thanks Dave.

-- 
~Ohmster
ohmster at newsguy dot com
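The search Dave suggests and Ohmster struggles with, written out as an added example (this is not code from the thread). The reason a bare `grep .pl` floods the output is that `.` in a regular expression matches any character, so it has to be escaped as `\.`; the pattern below also anchors on the request line so only requested paths count, not referers or user agents. The log lines are constructed sample data in Apache's default combined format, and the paths in them are invented for illustration.

```shell
#!/bin/sh
# Added example: find requests for .pl/.cgi/.php files in Apache access logs
# (the check Dave recommends above) and summarise who hit which script.
# Not code from the original thread.

# Constructed sample log (not real data), in Apache's "combined" format.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [25/Apr/2005:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Apr/2005:10:02:15 +0000] "POST /cgi-bin/contact.pl HTTP/1.1" 200 44 "-" "curl/7.10"
10.0.0.7 - - [25/Apr/2005:10:02:16 +0000] "POST /cgi-bin/contact.pl HTTP/1.1" 200 44 "-" "curl/7.10"
10.0.0.9 - - [25/Apr/2005:10:03:30 +0000] "GET /images/help.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.11 - - [25/Apr/2005:10:04:00 +0000] "GET /contact.php?to=x HTTP/1.1" 200 120 "-" "Mozilla/4.0"
10.0.0.11 - - [25/Apr/2005:10:04:05 +0000] "GET /plain.txt HTTP/1.1" 200 10 "-" "Mozilla/4.0"
EOF

# script_requests LOG [LOG...]: print every line whose *request path* ends in
# .pl, .cgi or .php, optionally followed by a query string. The dot is escaped
# so ".pl" does not also match "/plain.txt"; matching on the quoted request
# line keeps referer and user-agent fields from producing false hits.
# Accepts several files (e.g. access_log*), which covers Ohmster's
# "each set of logs at a time" problem; -h suppresses filename prefixes.
script_requests() {
    grep -hE '"(GET|POST|HEAD) [^" ]*\.(pl|cgi|php)(\?[^" ]*)? HTTP/' "$@"
}

# script_request_count LOG [LOG...]: number of matching lines across all files.
script_request_count() {
    script_requests "$@" | grep -c .
}

# script_summary LOG [LOG...]: requests per (client IP, script path), busiest
# first. The query string is stripped so repeated hits on one script with
# varying parameters collapse into one row. A single address hammering a
# mail-capable script is exactly the pattern worth following up on.
script_summary() {
    script_requests "$@" \
        | awk '{ sub(/\?.*/, "", $7); print $1, $7 }' \
        | sort | uniq -c | sort -rn
}

# top_script_hit LOG [LOG...]: "COUNT PATH" for the busiest row of the summary.
top_script_hit() {
    script_summary "$@" | head -n 1 | awk '{ print $1, $3 }'
}

# Stand-alone run against the constructed sample.
echo "== matching requests =="
script_requests "$SAMPLE_LOG"
echo "== summary (count ip path) =="
script_summary "$SAMPLE_LOG"
```

Against a real host the call would be something like `script_summary /var/log/httpd/access_log*`; for rotated logs that have been gzipped, decompress with `zcat` first and feed the output through the same pipeline. If a script appears in the summary that nobody on the box knows about, or a known script is being hit repeatedly from a handful of addresses, compare its modification time with the rest of the cgi-bin and check the mail queue timestamps against the log timestamps to see whether they line up.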
