Finding compromised scripts

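If your server is sending out spam because of some bad scripts, hunt them down by counting POST requests per URL in the access log. The scripts receiving the most POSTs are the first ones to inspect: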

grep POST /var/log/httpd/access_log | awk '{ print $7 }' | sort | uniq -c | sort -rn

Or on Plesk:

grep POST /home/httpd/vhosts/*/statistics/logs/access_log | awk '{ print $7 }' | sort | uniq -c | sort -rn
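
A stricter variant of the one-liners above, as an added example that is not from the original post: it matches POST only in the request-method field, drops query strings so requests group by script, and adds a count of distinct client IPs per script. It assumes the Apache combined log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count POST requests per script from combined-format access logs.

# Constructed sample log lines (documentation IP ranges, made-up paths).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [06/Mar/2007:10:00:01 -0600] "POST /contact/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Mar/2007:10:00:02 -0600] "POST /contact/mailer.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2007:10:00:03 -0600] "POST /contact/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2007:10:00:04 -0600] "GET /docs/POST-howto.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2007:10:00:05 -0600] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Reads access log lines on stdin.
# Prints "posts distinct_ips path" per script, busiest first.
post_counts() {
    awk '
        $6 == "\"POST" {            # method field only; "POST" in a URL or referer is ignored
            path = $7
            sub(/\?.*/, "", path)   # drop the query string so hits group by script
            posts[path]++
            if (!((path, $1) in seen)) { seen[path, $1] = 1; ips[path]++ }
        }
        END { for (p in posts) print posts[p], ips[p], p }
    ' | sort -k1,1nr -k3,3
}

# Demo on the constructed sample. On a real server:
#   post_counts < /var/log/httpd/access_log
sample_log | post_counts
```

A script with many POSTs from only a handful of client IPs is a stronger lead than a busy form that many different visitors use.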

Printed from: http://rackerhacker.com/2007/03/06/finding-compromised-scripts/
© Major Hayden 2012.

1 Comment

  • ZaNaToS says:

    Hello,

    I did run the second command
    and I see a very big list like this:

    76954 /yshout/yshout.php
    2522 /eshop/index.php?target=lh_visitor
    439 /forum/mgc_chatbox.php

    What should I do with these?
