
[ale] tracking down a spammer on our box



Andrew Thornton wrote:
> I found another good trick is to look through the mail logs and find the 
> time the email was sent and then compare it against your apache log files.
> 
> Looking for roughly the same timestamp & the account that runs apache, 
> from that you should be able to identify who they are (IP address) and 
> which page is insecure.

If you mean the apache access logs, I've been doing that and I'm not 
seeing any likely matches. I can see in the maillog the time each 
message went out. It's pretty consistent... like every 30 seconds 2 or 3 
go out. I've tried to match those times with any apache access_logs, but 
there is nothing being logged that is that consistent or even a likely 
script.

FWIW, I've also used rkhunter to check and make sure there are no 
rootkits on the server. We know it's not a user on the server because 
we'd have more header info and be able to see the user in the maillog.

Any tips?

Ryan
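The correlation Andrew describes (match each outbound-mail timestamp against the Apache access_log for a request landing just before it) is easy to do by hand for a handful of messages and tedious for thousands. The script below is an added example, not code from this thread or from ALE: it parses constructed syslog-style maillog lines and constructed combined-format access_log lines, collapses the sends into bursts, measures the gap between bursts (Ryan's "every 30 seconds" pattern), and counts which client IP and request appear within a few seconds before each burst. It assumes both logs come from the same host and clock (the Apache offset is dropped for that reason), and the log formats, IPs, paths and the year 2012 are all assumptions for the sample data.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample maillog (syslog format); only the timestamp is used.
MAILLOG = """\
Mar 10 14:02:01 web1 postfix/smtp[4101]: A1B2C3: to=<a@example.net>, status=sent
Mar 10 14:02:02 web1 postfix/smtp[4102]: A1B2C4: to=<b@example.net>, status=sent
Mar 10 14:02:31 web1 postfix/smtp[4103]: A1B2C5: to=<c@example.net>, status=sent
Mar 10 14:02:31 web1 postfix/smtp[4104]: A1B2C6: to=<d@example.net>, status=sent
Mar 10 14:02:32 web1 postfix/smtp[4105]: A1B2C7: to=<e@example.net>, status=sent
Mar 10 14:03:01 web1 postfix/smtp[4106]: A1B2C8: to=<f@example.net>, status=sent
Mar 10 14:03:01 web1 postfix/smtp[4107]: A1B2C9: to=<g@example.net>, status=sent
""".splitlines()

# Constructed sample Apache access_log (combined format). 203.0.113.7 is a
# documentation-range address standing in for a suspicious client.
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2012:14:02:00 +0000] "POST /contact/form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2012:14:02:10 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:14:02:30 +0000] "POST /contact/form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2012:14:02:45 +0000] "GET /about.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:14:03:00 +0000] "POST /contact/form.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
""".splitlines()

SYSLOG_TS = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) ")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')


def parse_maillog(lines, year):
    """Return sorted send times. Syslog lines carry no year, so one is supplied."""
    times = []
    for line in lines:
        m = SYSLOG_TS.match(line)
        if m:
            mon, day, hms = m.groups()
            times.append(datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S"))
    return sorted(times)


def parse_access_log(lines):
    """Return sorted (time, client_ip, 'METHOD /path') tuples; tz offset dropped (same host)."""
    hits = []
    for line in lines:
        m = APACHE_RE.match(line)
        if m:
            ip, ts, method, path = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            hits.append((when, ip, f"{method} {path}"))
    return sorted(hits)


def burst_starts(mail_times, gap=5):
    """Collapse sends into bursts: a quiet gap longer than `gap` seconds starts a new burst."""
    starts, last = [], None
    for t in mail_times:
        if last is None or (t - last).total_seconds() > gap:
            starts.append(t)
        last = t
    return starts


def intervals(times):
    """Seconds between consecutive timestamps; a tight median suggests a timer-driven sender."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def correlate(mail_times, hits, window=5, gap=5):
    """Count (ip, request) pairs seen within `window` seconds before each mail burst."""
    suspects = Counter()
    for start in burst_starts(mail_times, gap):
        lo = start - timedelta(seconds=window)
        for when, ip, req in hits:
            if lo <= when <= start:
                suspects[(ip, req)] += 1
    return suspects


if __name__ == "__main__":
    mail = parse_maillog(MAILLOG, 2012)
    web = parse_access_log(ACCESS_LOG)
    print("median seconds between bursts:", median(intervals(burst_starts(mail))))
    for (ip, req), n in correlate(mail, web).most_common():
        print(f"{n} bursts preceded by {ip} {req}")
    if not correlate(mail, web):
        print("no request precedes the bursts: sender is probably not request-driven")
```

Run against the sample data it reports a 30-second burst cadence and one client/request pair preceding every burst. The empty-result branch is the case Ryan describes: when no request lines up with the sends, the correlation technique has told you something too, namely that the sending process is not being triggered per HTTP request, so the next place to look is processes and cron jobs running as the web server user rather than the access_log.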