[ale] tracking down a spammer on our box

Ryan Williams ryan at jimmyether.com
Sat Apr 2 12:50:50 EST 2005


Andrew Thornton wrote:
> I found another good trick is to look through the mail logs and find the 
> time the email was sent and then compare it against your apache log files.
> 
> Looking for roughly the same timestamp & the account that runs apache, 
> from that you should be able to identify who they are (IP address) and 
> which page is insecure.

If you mean the apache access logs, I've been doing that and I'm not 
seeing any likely matches. I can see in the maillog the time each 
message went out. It's pretty consistent... like every 30 seconds 2 or 3 
go out. I've tried to match those times with any apache access_logs, but 
there is nothing being logged that is that consistent or even a likely 
script.

FWIW, I've also used rkhunter to check and make sure there are no 
rootkits on the server. We know it's not a user on the server because 
we'd have more header info and be able to see the user in the maillog.

Any tips?

Ryan
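The log-correlation trick Andrew describes (match each outbound message's time in the maillog against requests hitting Apache just before it) can be automated so that "nothing consistent" becomes a measurable result rather than an eyeball judgement. The script below is an added example, not code from the thread or from either poster. It assumes a sendmail-style syslog maillog and a combined-format Apache access log, and the log lines, year, hostnames, IPs and the `/contact.php` path are all constructed sample data; syslog lines carry no year or timezone, so both are pinned explicitly and the Apache timestamps are treated as the same local zone.

```python
"""Correlate outbound-mail timestamps with Apache access-log requests.

For every message the MTA logged, collect the (client IP, method, path)
requests that arrived in the few seconds before it, then count which
request keeps turning up. A request that precedes nearly every send is the
candidate script; a flat ranking suggests the sender is not request-driven.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample logs (not from the original thread). LOG_YEAR is an
# assumption because syslog omits the year; Apache offsets are dropped on the
# assumption that both logs are written in the same local zone.
LOG_YEAR = 2005
MAILLOG = """\
Apr  2 12:00:00 web sendmail[4101]: j32H000a: from=<apache@web.example>, size=812, nrcpts=1, relay=apache@localhost
Apr  2 12:00:01 web sendmail[4102]: j32H000b: from=<apache@web.example>, size=812, nrcpts=1, relay=apache@localhost
Apr  2 12:00:30 web sendmail[4110]: j32H000c: from=<apache@web.example>, size=815, nrcpts=1, relay=apache@localhost
Apr  2 12:00:31 web sendmail[4111]: j32H000d: from=<apache@web.example>, size=815, nrcpts=1, relay=apache@localhost
Apr  2 12:01:00 web sendmail[4120]: j32H000e: from=<apache@web.example>, size=809, nrcpts=1, relay=apache@localhost
"""
ACCESS_LOG = """\
203.0.113.7 - - [02/Apr/2005:11:59:58 -0500] "POST /contact.php HTTP/1.1" 200 512
198.51.100.4 - - [02/Apr/2005:11:59:59 -0500] "GET /index.html HTTP/1.1" 200 3120
203.0.113.7 - - [02/Apr/2005:12:00:28 -0500] "POST /contact.php HTTP/1.1" 200 512
198.51.100.9 - - [02/Apr/2005:12:00:29 -0500] "GET /images/logo.png HTTP/1.1" 200 9012
203.0.113.7 - - [02/Apr/2005:12:00:58 -0500] "POST /contact.php HTTP/1.1" 200 512
198.51.100.4 - - [02/Apr/2005:12:00:59 -0500] "GET /about.html HTTP/1.1" 200 2210
"""

# sendmail "from=" line: the point where a new queue entry was accepted.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: "
    r"(?P<qid>\w+): from=<(?P<sender>[^>]*)>"
)
# Apache combined log format, only the fields needed for correlation.
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_maillog(text, year=LOG_YEAR):
    """Return [(sent_at, queue_id, envelope_sender)] for each accepted message."""
    sends = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        sent_at = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        sends.append((sent_at, m["qid"], m["sender"]))
    return sends


def parse_access_log(text):
    """Return [(hit_at, ip, method, path)] as naive local wall-clock times."""
    hits = []
    for line in text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        hit_at = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        hits.append((hit_at, m["ip"], m["method"], m["path"]))
    return hits


def correlate(sends, hits, window_seconds=5):
    """Count, per (ip, method, path), how many sends it preceded within the window.

    Each send contributes at most once per request key, so the count is the
    number of distinct messages a given request could have triggered.
    """
    window = timedelta(seconds=window_seconds)
    counts = Counter()
    for sent_at, _qid, _sender in sends:
        seen = {(ip, method, path)
                for hit_at, ip, method, path in hits
                if sent_at - window <= hit_at <= sent_at}
        counts.update(seen)
    return counts


def rank_candidates(sends, hits, window_seconds=5):
    """Return [(key, sends_preceded, fraction_of_all_sends)], best first."""
    counts = correlate(sends, hits, window_seconds)
    total = len(sends) or 1
    ranked = [(key, n, n / total) for key, n in counts.items()]
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


def send_cadence(sends):
    """Seconds between consecutive sends; a fixed repeating gap means a timer."""
    times = sorted(s[0] for s in sends)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    sends = parse_maillog(MAILLOG)
    hits = parse_access_log(ACCESS_LOG)
    print("send gaps (s):", send_cadence(sends))
    for key, n, frac in rank_candidates(sends, hits)[:5]:
        print(f"{n}/{len(sends)} ({frac:.0%}) preceded by {key[0]} {key[1]} {key[2]}")
```

Run it against the real logs by replacing the two constructed strings with the file contents. A request that precedes close to 100% of sends over a few hundred messages is a strong lead on the insecure page and the client using it; if no key rises well above the background rate, that is evidence for what Ryan is seeing, and the more likely explanation is a process that is not request-driven at all (a script started once and still running under the Apache user, or something scheduled), which `ps` output for that user or a look at its cron entries would show rather than the access log.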
