Hi,
We have Plesk running. I am running logwatch and I have found an IP address. I have added it to the IP table to block it, then the attack is solved. We see a lot of outgoing emails; a PHP script is used for sending many emails, possibly stored in the database.
I have used the following commands:
grep 'ipadres' /var/www/vhosts/*/statistics/logs/access_log
grep 'ipadres' /var/log/httpd/access.log
It does not find any record.
Regards, Manu Verhaegen
-----Original message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On behalf of Pete
Sent: Thursday 24 December 2009 12:45
To: CentOS mailing list
Subject: Re: [CentOS] attack
On Thu, 2009-12-24 at 11:31 +0000, Manu Verhaegen wrote:
Hi,
My server is under attack; it allows the attacker to abuse a PHP script of a vhost. How can I find what the script is?
Regards, maverh
Hi Maverh,
I know this may sound like a silly question but how do you know your server is under attack? As others have advised, have you checked your logs on the server? What are you running that's being attacked?
/var/log/httpd
/var/log/messages
Regards,
Pete.
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hello
On 12/24/2009 12:01 PM, Manu Verhaegen wrote:
We have Plesk running. I am running logwatch and I have found an IP address. I have added it to the IP table to block it, then the attack is solved. We see a lot of outgoing emails; a PHP script is used for sending many emails, possibly stored in the database.
you also have a broken email client, what are the chances that you could:
a) find an email client that preserves thread sanity
b) refrain from top-posting unless absolutely necessary
Obviously, if you are running several vhosts and plesk you likely have other logs to check. Also, one can usually see the origin of the mail injection in the maillog (e.g. complaints about setting to an unsafe sender) or in the outgoing messages. At runtime you can see the connects with full URLs on the apache status page.
Kai
http://www.atomicorp.com/wiki/index.php/Atomic_Secured_Linux
Wraps a lot of "good stuff" together for a plesk web server on CentOS. Won't help much if you are already compromised, but it would be a good addition.
-Andy
On Thu, Dec 24, 2009 at 2:01 AM, Manu Verhaegen maverh@telenet.be wrote:
I have used the following commands:
grep 'ipadres' /var/www/vhosts/*/statistics/logs/access_log
grep 'ipadres' /var/log/httpd/acces
typo - ipadres should be ipaddress? And even with correct spelling, that is probably not what you want to search for.
I think they meant you should replace ipadres with the actual ip address of the attacker... ;-)
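Added example, not part of any message in this thread: instead of grepping for one address, this ranks the PHP scripts that receive POST requests across the per-vhost access logs, with an optional exact match on the client IP. It assumes Apache common/combined log format; the vhost names, script paths and addresses in the sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Apache common/combined log format:
#   client ident user [time zone] "METHOD /uri PROTO" status bytes ...

# rank_php_posts IP FILE...
# Count POST requests to *.php per log file and script, busiest first.
# IP is matched exactly against the client field; pass "" to count all clients.
rank_php_posts() {
    ip=$1; shift
    [ "$#" -gt 0 ] || { echo "usage: rank_php_posts IP FILE..." >&2; return 2; }
    awk -v ip="$ip" '
        # $1 = client address, $6 = opening quote + method, $7 = request URI
        (ip == "" || $1 == ip) && $6 == "\"POST" {
            uri = $7
            sub(/\?.*/, "", uri)          # ignore the query string
            if (uri ~ /\.php$/) hits[FILENAME " " uri]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample data (documentation addresses, hypothetical vhosts/scripts).
make_sample_logs() {
    mkdir -p "$1/shop.example/statistics/logs" "$1/blog.example/statistics/logs"
    cat > "$1/shop.example/statistics/logs/access_log" <<'EOF'
192.0.2.10 - - [24/Dec/2009:11:02:13 +0000] "POST /contact/send.php HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [24/Dec/2009:11:02:14 +0000] "POST /contact/send.php?x=1 HTTP/1.1" 200 512 "-" "-"
192.0.2.10 - - [24/Dec/2009:11:02:15 +0000] "POST /contact/send.php HTTP/1.1" 200 512 "-" "-"
192.0.2.101 - - [24/Dec/2009:11:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "-"
EOF
    cat > "$1/blog.example/statistics/logs/access_log" <<'EOF'
192.0.2.101 - - [24/Dec/2009:11:06:40 +0000] "POST /guestbook/post.php HTTP/1.1" 302 0 "-" "-"
192.0.2.10 - - [24/Dec/2009:11:07:02 +0000] "GET /style.css HTTP/1.1" 200 900 "-" "-"
EOF
}

# Run against the constructed logs; on a real host pass the vhost log glob instead.
demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
rank_php_posts "" "$demo_dir"/*/statistics/logs/access_log
rm -rf "$demo_dir"
```

The exact comparison on the client field matters: a plain grep for 192.0.2.10 would also match 192.0.2.101, because the pattern is an unanchored regular expression.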