Spamming through SFTP connection


Sometimes spamming is done through SFTP connection. In such case you need to check spamming using the following steps:

1. Grep the ssh process and find out the process_id as follows:

================================
# ps -aux |grep ssh

xyz  17853  0.1  0.0  95048  2104 ?        S    18:08   0:08 sshd:
xyz@notty
root     17860  0.0  0.0   5892   700 ?        Ss   18:08   0:00 jailshell
(xyz) [17870] ell -c /usr/libexec/openssh/sftp-server
xyz  17870  0.0  0.0  53892  1992 ?        S    18:08   0:00
/usr/libexec/openssh/sftp-server
=================================

From the above result, you can see that an account xyz has established the
sftp access.

2. You now need to trace this process by:

=================================
strace  -p 17853
=================================

3. If you can see some process in this pid, execute the command given below:

=================================
strace -o output_log  -p 17853
=================================

You will now get a file output_log which contains the output of the processes
run under this pid.

4. If there is no process under this pid, check for the process which gets the
required data.

I am pasting the process of the pid of this sftp connection FYI:

=================================
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
write(14, "RCPT TO:<abc@culpritdomain.net>"..., 34) = 34
read(18, "250 Accepted\r\n", 16384)     = 14
read(19, "250 Accepted\r\n", 16384)     = 14

rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
write(4, "Reply-To: <def@gmail.com"..., 35) = 35
read(9, "250 Accepted\r\n", 16384)      = 14
write(11, "RCPT TO:<ghi@somedomain.com.c"..., 36) = 36
write(12, "RCPT TO:<jkl@someotherdomain.com>\r\n", 32) = 32
read(13, "250 Accepted\r\n", 16384)     = 14
write(14, "RCPT TO:<mno@differentdomain.co"..., 36) = 3
=================================


5. Grep for the email address which is sending spam on the file  output_log. If
that process is the cause, it will show that particular email address.

Thank you.

Comments

Post a Comment

Popular posts from this blog

SVN: File remains in conflict

This error occurs when you didn't update the SVN and try to commit changes or, someone has made changes to this file that are conflicting with your changes. There are two ways to handle this situation. Either, you can revert back the changes you want to commit and then, update the SVN and after that make the changes again and commit. The other way is, you need to resolve the conflicted files one by one. You can keep all the conflicted files in a folder and resolved it at once. >> Revert the changes steps: svn revert . -R svn up >> Resolve the conflicted files: svn resolved <file_name>
Read more

12 tweakings for WHM/cPanel to speed up WordPress

   1. Turning Mailman off – WHM >> Server Configuration >>  Tweak Settings and turning it off    2. Number of minutes between mail server queue runs (default is 60) – Setting it 120    3. Default catch-all/default address behavior for new accounts” to fail    4. Boxtrapper Spam Trap and SpamAssassin Spam Box delivery – off    5. Analog Stats – off    6. Conserve Memory at the expense of using more cpu/diskio – turn on    7. WHM >> Service Configuration >> FTP Server Configuration – Check ‘no’ to ‘allow anonymous logins and ‘no’ to ‘anonymous uploads’    8. WHM >> cPanel >> Manage Plugins – install spamdconf – then go to ‘Setup Spamd Startup Configuration’ – select option 2 ‘Maximum Children” to 2′    9. Run your cron jobs at off peak hours.   10. Install e Accelerator PHP accelerator (Recompile Apache with eAccelerator)   11. Compiling Apache with mod_deflate Gzip Module   12. Running Apache with the thread-based “Worker” MPM
Read more

HowTo: Enable extended logging for exim

When troubleshooting mail or attempting to discover the source of spam originating from your server, it is often useful to enable extended Exim logging. You can enable extended logging for exim though your shell prompt as well as through WHM interface. I am giving the steps for both ways one by one: 1. Through shell prompt: 1. Open exim.conf 2) Find this: hostlist auth_relay_hosts = * 3) After hostlist auth_relay_hosts = * add the following: log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn 4) The final result should look like this hostlist auth_relay_hosts = * log_selector = +address_rewrite +all_parents +arguments +connecti
Read more