Friday 8 March 2013

Tracking the scripts that send mails on exim


currently running:
# ps -C exim -fH ewww|awk '{for(i=1;i<=40;i++){print $i}}'|sort|uniq -c|grep PWD|sort -n

Few times ago:
# grep "cwd=" /var/log/exim_mainlog|awk '{for(i=1;i<=10;i++){print $i}}'|sort|uniq -c|grep cwd|sort -n

Tracking direct Spammers.(apache):
# netstat -plan |grep :25 | awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n

See the IP addresses accessing php files. This will work only in servers running php as CGI.
# ps aeuxf | grep php|awk -F'REMOTE_ADDR=' '{ print $2 }' |cut -d\  -f 1 | uniq -c | sed 's/^[ ]*//'

To get the active php processes running on the server.
# ps aeuxf | grep php | awk -F'SCRIPT_FILENAME=' '{ print $2 }'  |cut -d\  -f 1 | uniq -c |  sed 's/^[ ]*//'

To list the php processes and the time they have been running on the server.
# ps -eo pid,cmd,etime,args --sort:etime | grep php