spam and bad process trace

Scot L. Harris webid at cfl.rr.com
Tue Aug 1 18:22:40 UTC 2006


On Tue, 2006-08-01 at 15:25 +0530, Kaushal Shriyan wrote:
> Hi ALL
>  
> I am looking for a solution to find a spamming or bad process script which is
> running from the tmp location.
> /proc/PID gives more info.
> If I run
> ll /proc/* |grep cwd
> it will show the current working directory.
> If we try to search ll /proc/*, how can we find who is sending spam
> currently?
> My simple question is: I would like to search scripts from tmp and I
> would like to trace the process from proc/, the bad process or spam process.
>  

If you suspect the system was compromised and has a spam package
installed, it is likely that other parts of the system have been
compromised as well, including the ps command and other utilities.  In
that case ps and other commands may not report the process you are
looking for.  It sounds like you are convinced the box is spewing spam;
your best bet is to shut it down and reload it from a known good backup.
Even if you did track down the specific script, which would most likely
require you to examine all items under /tmp manually, the spammer may
have a back door installed that they will use to install the spam
package again, or since you obviously tried to remove the first one they
might just trash the system.  

Best bet is to re-install and secure the system.  
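
The /proc check asked about in the question, as an added example that is not part of either post: it reads each /proc/PID/cwd and /proc/PID/exe link directly instead of parsing `ll` output. The function name `find_tmp_procs`, the /var/tmp match and the "(deleted)" executable check are assumptions that go beyond the thread's cwd idea.

```shell
#!/bin/sh
# Added example: list processes whose working directory or executable sits in
# a temp directory. Output per hit: PID<TAB>cwd<TAB>exe<TAB>cmdline
# find_tmp_procs is a hypothetical helper name, not an existing tool.

find_tmp_procs() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # readlink fails for kernel threads and for processes we may not inspect
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd=
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe=
        hit=no
        for path in "$cwd" "$exe"; do
            case $path in
                /tmp|/tmp/*|/var/tmp|/var/tmp/*) hit=yes ;;
            esac
        done
        # Linux appends " (deleted)" when the running binary has been unlinked
        case $exe in
            *" (deleted)") hit=yes ;;
        esac
        [ "$hit" = yes ] || continue
        # cmdline is NUL-separated; flatten it to one readable line
        cmd=
        if [ -r "$dir/cmdline" ]; then
            cmd=$(tr '\0' ' ' < "$dir/cmdline" 2>/dev/null) || cmd=
        fi
        printf '%s\t%s\t%s\t%s\n' "$pid" "$cwd" "$exe" "$cmd"
    done
}

# Scan the live system only when asked to: sh script.sh scan
if [ "${1:-}" = "scan" ]; then
    find_tmp_procs /proc
fi
```

Run it as root so every link is readable. The reply's point about tampered utilities applies to the shell and readlink used here as well, so an empty result on a suspect host does not clear it.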




