Search for a malicious mail script
Is there a way to search for files or scripts that are sending email within a specific account?
-
Yes, the easiest way to do this is look at the exim logs. Mail sent via a script is represented by cwd (current working directory) in the exim logs. You can very simply do the following: grep cwd /var/log/exim_mainlog
You could also do something more detailed such as the following:[root@server ~]# grep cwd /var/log/exim_mainlog |grep -v /var/spool/ |awk -F "cwd=" '{print $2}' |awk '{print $1}' |sort |uniq -c |sort -n
This will output the path and number of emails sent from that path0 -
Thanks. I'll give it a go and save it for any future issues. 0 -
Yes, the easiest way to do this is look at the exim logs. Mail sent via a script is represented by cwd (current working directory) in the exim logs. You can very simply do the following:
grep cwd /var/log/exim_mainlog
You could also do something more detailed such as the following:[root@server ~]# grep cwd /var/log/exim_mainlog |grep -v /var/spool/ |awk -F "cwd=" '{print $2}' |awk '{print $1}' |sort |uniq -c |sort -n
This will output the path and number of emails sent from that path
Sorry, I just got around to testing this code, but I couldn't make it work? Is there something specific in the way I need to enter the code in terminal or do I just copy and paste?0 -
Sorry, I just got around to testing this code, but I couldn't make it work? Is there something specific in the way I need to enter the code in terminal or do I just copy and paste?
Scratch that. All good. Thanks again0
Please sign in to leave a comment.
Comments
4 comments