I have a CentOS server running Exim with a standard LAMP stack installed. The problem is that some process is sending unsolicited email and I don't know how to find that process. Here is what I have done:
I did a tail of /var/log/exim_mainlog to see what is going on. Here is some of the output:
```
2016-02-14 01:42:00 SMTP connection from (jabosupply.dcr103.com) [255.255.255.255]:33165 closed by QUIT
2016-02-14 01:42:00 1aUlhH-0006fx-UO => cpm147 <[email protected]> R=localuser T=local_delivery
2016-02-14 01:42:00 1aUlhH-0006fx-UO Completed
2016-02-14 01:42:03 1aUlhL-0006gS-RD <= [email protected] H=(site2.com) [255.255.255.255]:54467 P=esmtp S=25154 [email protected]$
2016-02-14 01:42:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aUlhL-0006gS-RD
2016-02-14 01:42:04 1aUlhL-0006gS-RD => cpm147 <[email protected]> R=localuser T=local_delivery
2016-02-14 01:42:04 1aUlhL-0006gS-RD Completed
2016-02-14 01:42:04 SMTP connection from (site2.com) [255.255.255.255]:54467 closed by QUIT
2016-02-14 01:42:05 SMTP connection from [255.255.255.255]:40445 (TCP/IP connection count = 5)
2016-02-14 01:42:05 no host name found for IP address 255.255.255.255
2016-02-14 01:42:11 SMTP connection from [255.255.255.255]:58622 (TCP/IP connection count = 6)
2016-02-14 01:42:12 1aUlhU-0006hP-C9 <= [email protected] H=(site3.com) [255.255.255.255]:48668 P=esmtp S=37419 [email protected]$
2016-02-14 01:42:12 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1aUlhU-0006hP-C9
2016-02-14 01:42:12 SMTP connection from (site3.com) [255.255.255.255]:48668 closed by QUIT
2016-02-14 01:42:12 1aUlhU-0006hP-C9 => cpm147 <[email protected]> R=localuser T=local_delivery
2016-02-14 01:42:12 1aUlhU-0006hP-C9 Completed
2016-02-14 01:42:17 SMTP connection from [255.255.255.255]:40445 lost
2016-02-14 01:42:17 1aUSE4-0000ZZ-Tp == [email protected] R=dkim_lookuphost defer (-1): host lookup did not complete
2016-02-14 01:42:17 1aUj64-0004bS-6P Message is frozen
2016-02-14 01:42:17 1aULQ4-0002bv-Bs Unfrozen by errmsg timer
2016-02-14 01:42:18 1aULQ4-0002bv-Bs ** alisa_mckinney@site4 R=dkim_lookuphost T=dkim_remote_smtp H=smtp.secureserver.net [255.255.255.255]: SMTP error from remote mail server $
2016-02-14 01:42:18 1aULQ4-0002bv-Bs alisa_mckinney@site4: error ignored
2016-02-14 01:42:18 1aULQ4-0002bv-Bs Completed
```
Tried shutting down the server's mail through WHM – this worked, but it is not a permanent solution!
Ran top to watch the exim processes. There are anywhere from 0 to 1 to 7 of them, running as the root or mailnull user, so the hosting user account is not identified.
I am thinking there must be a PERL script or PHP script running somewhere. I need to identify it. Can anyone help me find the physical source of the script that is running?
PS: my server is not under heavy use and none of the websites have mail scripts. I suspect something must have been injected, so I am also changing passwords. But my top priority is to find this.
If memory serves me, cPanel users have to authenticate to send mail, so you should see an 'auth_id' field in the email headers. I wrote a small script that checks exim's outbound queue, finds the ids that have more than 50 mails in the queue and deletes them. Hope this is useful to you.
```perl
#!/usr/bin/perl
# Script for deleting spam mails: counts queued messages per auth_id on a
# remote cPanel/Exim host and offers to remove the queue entries of any
# auth_id with more than 50 messages.
use strict;
use warnings;
use Net::OpenSSH;

my $host = $ARGV[0];
die "usage: $0 <host>\n" unless defined $host;

my $ssh2 = Net::OpenSSH->new($host, user => 'root', timeout => 600);
$ssh2->error and die "unable to connect to $host: " . $ssh2->error;

# Dump the spool header of every queued message, pull the auth_id value and
# produce "count auth_id" lines, busiest sender first.
my @authids = $ssh2->capture("exiqgrep -i |xargs -I \~ /usr/sbin/exim -Mvh \~ |awk -F'[@ ]' '/auth_id/{print \$NF}' |sort |uniq -c |sort -nrk1");

foreach (@authids) {
    my @string = split();            # [0] = count, [1] = auth_id
    if ($string[0] > 50) {
        my $header = "count - $string[0] , offender - $string[1]\n";
        # Show Subject/To/From of the offender's queued messages before asking.
        my $summary = $ssh2->capture("for i in `exiqgrep -i`; do if [[ \"`/usr/sbin/exim -Mvh \$i |awk -F'[@ ]' '/auth_id/{print \$NF}'`\" == \"$string[1]\" ]]; then /usr/sbin/exim -Mvh \$i |awk '/(Subject: |To:|From:)/{print}';fi;done");
        print "$summary\n";
        print $header;
        print "Delete [y/n]";
        my $line = <STDIN>;
        chomp($line);
        if ($line eq "y") {
            print "Preparing to delete\n";
            $ssh2->capture("for i in `exiqgrep -i`; do if [[ \"`/usr/sbin/exim -Mvh \$i |awk -F'[@ ]' '/auth_id/{print \$NF}'`\" == \"$string[1]\" ]]; then /usr/sbin/exim -Mrm \$i;fi;done");
            die "remote command failed: " . $ssh2->error if $ssh2->error;
            print "Deleted\n";
        }
    } else {
        last;                        # list is sorted descending, nothing else exceeds 50
    }
}
```
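The counting step of the answer above, as an added example written for this page (it is not the answerer's script): it parses constructed `exim -Mvh` output offline instead of running `exiqgrep` over SSH, keeps the whole auth_id rather than the part after `@`, and groups messages without an auth_id (such as bounces) separately. The message ids reuse those from the log; the addresses and header values are constructed.

```python
import re
from collections import Counter

# Constructed `exim -Mvh` output for three queued messages (sample data, not from
# the post). Exim spool headers carry submission options as "-name value" lines,
# then each mail header as "<length><flag> Name: value".
SPOOL = {
    "1aUlhL-0006gS-RD": "1aUlhL-0006gS-RD-H\nmailnull 47 12\n<bob@site2.com>\n"
        "-helo_name site2.com\n-host_address 203.0.113.5.54467\n-auth_id cpm147\n"
        "-received_protocol esmtpa\n\n029  Subject: Cheap offers today\n"
        "021F From: bob@site2.com\n025T To: alice@example.net\n",
    "1aUlhU-0006hP-C9": "1aUlhU-0006hP-C9-H\nmailnull 47 12\n<carol@site3.com>\n"
        "-helo_name site3.com\n-auth_id cpm147\n-received_protocol esmtpa\n\n"
        "023  Subject: Act now!!!\n023F From: carol@site3.com\n023T To: dave@example.org\n",
    "1aUSE4-0000ZZ-Tp": "1aUSE4-0000ZZ-Tp-H\nroot 0 0\n<>\n-local\n"
        "-received_protocol local\n\n039  Subject: Mail delivery failed\n",  # bounce, no auth_id
}
OPT_RE = re.compile(r"^-(\S+)(?: (.*))?$")           # "-auth_id cpm147"
HDR_RE = re.compile(r"^\d+[A-Za-z* ] (\S+?): (.*)$")  # "021F From: ..."

def parse_spool_header(text):
    """Return (auth_id or None, {header-name-lower: value}) from exim -Mvh output."""
    auth_id, headers = None, {}
    for line in text.splitlines():
        m = OPT_RE.match(line)
        if m and m.group(1) == "auth_id":
            auth_id = m.group(2)
            continue
        h = HDR_RE.match(line)
        if h:
            headers[h.group(1).lower()] = h.group(2)
    return auth_id, headers

def count_by_auth_id(spool):
    """Queued messages per authenticated sender; unauthenticated ones are grouped."""
    return Counter(parse_spool_header(t)[0] or "(unauthenticated)" for t in spool.values())

def offenders(spool, threshold=50):
    """auth_ids with more than `threshold` queued messages, busiest first."""
    return [(a, n) for a, n in count_by_auth_id(spool).most_common() if n > threshold]

def summarize(spool, auth_id):
    """(msgid, Subject, From, To) for every queued message submitted by auth_id."""
    out = []
    for msgid, text in spool.items():
        a, h = parse_spool_header(text)
        if a == auth_id:
            out.append((msgid, h.get("subject"), h.get("from"), h.get("to")))
    return out
```

On a live host, `SPOOL` would be filled from `exim -Mvh` for each id that `exiqgrep -i` lists; `offenders(SPOOL)` then gives the same list the answer's pipeline produces, and `summarize` the headers to review before any `exim -Mrm`.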