Finding compromised scripts

If your server is sending out spam because of compromised scripts, hunt them down by counting POST requests per requested path in the access log, busiest first:

grep POST /var/log/httpd/access_log | awk '{ print $7 }' | sort | uniq -c | sort -rn

Or on Plesk:

grep POST /home/httpd/vhosts/*/statistics/logs/access_log | awk '{ print $7 }' | sort | uniq -c | sort -rn
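
The one-liners above count any log line that contains the string POST. As an added example (not part of the original post), the function below matches the request-method field only, folds query-string variants of a script together, and adds a distinct-client-address column for triage. It assumes Apache combined log format; `post_summary`, `sample_log` and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank POST targets in a combined-format access log read
# from stdin. Output columns: POST count, distinct client IPs, path.
post_summary() {
    awk '
        $6 == "\"POST" {            # method field only, not any POST substring
            path = $7
            sub(/\?.*/, "", path)   # fold query-string variants into one script
            hits[path]++
            if (!((path, $1) in seen)) { seen[path, $1] = 1; ips[path]++ }
        }
        END { for (p in hits) printf "%d %d %s\n", hits[p], ips[p], p }
    ' | sort -k1,1nr -k3,3
}

# Constructed sample log lines (documentation addresses, not a real server).
# The final GET line contains "POST" in its query string and must not count.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [06/Mar/2007:10:00:01 -0600] "POST /contact/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Mar/2007:10:00:02 -0600] "POST /contact/mailer.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Mar/2007:10:00:03 -0600] "POST /contact/mailer.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2007:10:01:00 -0600] "POST /forum/post.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2007:10:02:00 -0600] "POST /forum/post.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2007:10:03:00 -0600] "GET /search.php?q=POST HTTP/1.1" 200 100 "-" "Mozilla/5.0"
EOF
}

sample_log | post_summary
```

On a live server, feed it the real log instead of the sample, for example `post_summary < /var/log/httpd/access_log`.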

Printed from: http://rackerhacker.com/2007/03/06/finding-compromised-scripts/
© Major Hayden 2010.

1 Comment

  • ZaNaToS says:

    Hello,

    I did run the second command
    and I see a very big list like this:

    76954 /yshout/yshout.php
    2522 /eshop/index.php?target=lh_visitor
    439 /forum/mgc_chatbox.php

    What should I do with these?
