exim – number of connections
tail -1000 /var/log/exim_mainlog | grep '\[' | cut -d[ -f2 | cut -d] -f1 | sort -n | uniq -c | sort -n
cppop
tail -1000 /var/log/maillog | grep host= | cut -d= -f2 | cut -d" " -f1 | sort -n | uniq -c | sort -n
number of HTTP connections
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
monitor server load and see which domain is under attack (domlogs listed largest first, so the fastest-growing log is at the top)
watch -n 5 'w; ls -alS /usr/local/apache/domlogs/'
HTTP
netstat -pan | grep TIME_WAIT | awk '{print $5}' | sed -e 's/:.*//g' | sort | uniq -c | sort -k 1 -nr | head -n 20
to look for a DDoS attack (all port 80 connections; grep ':80 ' so that port 8080 and addresses containing 80 are not matched)
netstat -an | grep ':80 '
############################
EXIM
tail -3000 /var/log/exim_mainlog | grep 'rejected RCPT' | awk '{print $4}' | awk -F'[' '{print $2}' | awk -F']' '{print $1}' | sort | uniq -c | sort -k 1 -nr | head -n 5
watch for attacks in /var/log/secure and /var/log/messages
==============================
watch -n 5 'tail -10 /var/log/secure; echo "=============================="; cat /proc/loadavg; echo "=============================="; tail -10 /var/log/messages'
watch -n 5 "w; tail -1000 /var/log/exim_mainlog | grep '\[' | cut -d[ -f2 | cut -d] -f1 | sort -n | uniq -c | sort -n | tail"
&&&&&&&&&&&&&&&&&&&&&&&&&
for i in $(ps -eo pid,stat | awk '$2 ~ /^Z/ {print $1}'); do kill -9 $(awk '/^PPid:/ {print $2}' /proc/$i/status); done
to kill the parents of zombie processes (a zombie itself cannot be killed; it goes away once its parent reaps it or exits, so the loop selects processes by the Z state column rather than grepping for the letter Z anywhere in the ps line)
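As an added example (not part of the original notes), the following script finds zombies from ps output read on stdin and reports which parent owns them, so the parent can be dealt with deliberately instead of sending SIGKILL blindly. The ps listing is constructed; the function names, the REALLY_KILL switch and the choice of SIGCHLD as the first thing to try are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: find zombie (state Z)
# processes in "ps -eo pid,ppid,stat,comm" style output on stdin and report
# the parent that is failing to reap them.

# Constructed ps output. The "ZipWorker" line contains a capital Z but is a
# healthy sleeping process, which is exactly what "ps ax | grep Z" would
# wrongly match.
PS_SAMPLE='  PID  PPID STAT COMMAND
    1     0 Ss   init
  200     1 S    httpd
  201   200 Z    httpd
  202   200 Z    httpd
  300     1 S    mysqld
  301   300 S    ZipWorker
  400     1 Z    cron'

# Print "ppid count", one line per parent that has zombie children. Only the
# STAT column is inspected, and only its first character, because ps appends
# flags such as "s" or "+" after the state letter.
zombie_parents() {
    awk 'NR > 1 && $3 ~ /^Z/ { n[$2]++ }
         END { for (p in n) print p, n[p] }' | sort -n
}

# Total number of zombies in the input.
zombie_count() {
    awk 'NR > 1 && $3 ~ /^Z/ { n++ } END { print n + 0 }'
}

# Ask each listed parent to reap its children. Zombies cannot be killed
# directly; they disappear when the parent calls wait() or exits. A parent
# with a SIGCHLD handler will usually reap when it receives SIGCHLD, so that
# is sent first; the SIGKILL of the notes is the last resort. Unless
# REALLY_KILL=1 is set in the environment this only echoes what it would do.
reap_parents() {
    while read -r ppid count; do
        [ "$ppid" -gt 1 ] || continue   # never signal init
        if [ "${REALLY_KILL:-0}" = "1" ]; then
            kill -s CHLD "$ppid" 2>/dev/null
        else
            echo "would send SIGCHLD to parent $ppid ($count zombies)"
        fi
    done
}

printf '%s\n' "$PS_SAMPLE" | zombie_parents | reap_parents
```

On a live box replace the sample with `ps -eo pid,ppid,stat,comm | zombie_parents`; the dry-run output tells you which daemon to restart or fix before anything is signalled.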
##################
Delete frozen mails
exim -bp | awk '$6 ~ "frozen" {print $3}' | xargs exim -Mrm
There can be a lot of frozen messages in the queue that were never delivered,
most probably spam. This one-liner deletes them, and only the frozen ones.
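As an added example (not from the original notes), here is the same frozen-message selection run against a constructed `exim -bp` listing, extended with an age threshold so that only frozen messages older than a given number of hours are removed, and with a dry run by default. The queue listing, the function names and the REALLY_REMOVE switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: pick frozen messages out of
# "exim -bp" queue listing text read from stdin, optionally keep only those
# older than N hours, and remove them (dry run unless REALLY_REMOVE=1).

# Constructed queue listing in the layout exim -bp prints: a header line per
# message ("age size id sender", plus "*** frozen ***" when frozen) followed
# by indented recipient lines and a blank line.
QUEUE_SAMPLE=' 25m  1.5K 1rA0aa-0001aa-Aa <alice@example.com> *** frozen ***
          bob@example.org

  3h   12K 1rA0ab-0001ab-Ab <>
          carol@example.org

  2d  3.2K 1rA0ac-0001ac-Ac <bounce@example.net> *** frozen ***
        D dan@example.org
          erin@example.org'

# Print the message ID of every frozen message. The id is always field 3 of
# the header line; the frozen marker is matched as text rather than by field
# number so the test does not depend on how the sender is printed.
frozen_ids() {
    awk '/\*\*\* frozen \*\*\*/ { print $3 }'
}

# Same, but only messages whose age field (25m, 3h, 2d, 1w) is older than
# $1 hours. Exim prints the age in the largest fitting unit, so the
# comparison is approximate, which is fine for a cleanup threshold.
frozen_ids_older_than() {
    awk -v min_hours="$1" '
        function hours(age,  unit, n) {
            unit = substr(age, length(age))
            n = substr(age, 1, length(age) - 1) + 0
            if (unit == "m") return n / 60
            if (unit == "h") return n
            if (unit == "d") return n * 24
            if (unit == "w") return n * 168
            return 0
        }
        /\*\*\* frozen \*\*\*/ && hours($1) > min_hours { print $3 }'
}

# Remove the IDs read from stdin. Unless REALLY_REMOVE=1 is set this only
# prints the command it would run, so the selection can be checked first.
remove_ids() {
    while read -r id; do
        if [ "${REALLY_REMOVE:-0}" = "1" ]; then
            exim -Mrm "$id"
        else
            echo "would run: exim -Mrm $id"
        fi
    done
}

printf '%s\n' "$QUEUE_SAMPLE" | frozen_ids_older_than 1 | remove_ids
```

On a real server the pipeline becomes `exim -bp | frozen_ids_older_than 24 | REALLY_REMOVE=1 remove_ids` once the dry-run output looks right.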
############
We can use tmpwatch to remove messages that haven't been accessed for a period of time (24 hours below). Note that each queued message in input/ is a pair of files (ID-H and ID-D); if only one of the pair is old enough to be removed, the spool entry is left broken, so for messages still in the queue exim -Mrm is the safer tool.
tmpwatch -v 24 /var/spool/exim/msglog/
tmpwatch -v 24 /var/spool/exim/input/
################
tail -1000 /var/log/exim_mainlog | grep '\[' | cut -d[ -f2 | cut -d] -f1 | sort -n | uniq -c | sort -n
tail -1000 /var/log/exim_mainlog | grep '\[' | cut -d[ -f2 | cut -d] -f1 | sort -n | uniq -cd | sort -n
This counts the IPs seen in /var/log/exim_mainlog and shows them sorted by count,
so that you can spot the IPs which are spamming.
The second form (uniq -cd) lists only the IPs that appear more than once.
############
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
This shows the IPs and the number of connections from each IP to a port.
The :80 selects port 80; you can change it to any port.
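As an added example (not from the original notes), the two counting pipelines above, and the rejected RCPT one in the EXIM section, are rewritten here as functions that read log or netstat text from stdin, so they can be tried against constructed data before being pointed at a live log. The sample lines, function names and the optional filter argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: count source IPs in Exim
# main-log lines and remote IPs in netstat output, both read from stdin.

# Constructed exim_mainlog lines: three deliveries from one host and two
# relay attempts rejected from another.
EXIM_SAMPLE='2024-01-01 10:00:01 1rA0aa-0001aa-Aa <= alice@example.com H=(mail) [192.0.2.10] P=esmtp S=1200
2024-01-01 10:00:03 H=(spamhost) [198.51.100.5] F=<x@example.net> rejected RCPT <bob@example.org>: relay not permitted
2024-01-01 10:00:05 1rA0ab-0001ab-Ab <= carol@example.com H=(mail) [192.0.2.10] P=esmtp S=900
2024-01-01 10:00:07 H=(spamhost) [198.51.100.5] F=<y@example.net> rejected RCPT <dan@example.org>: relay not permitted
2024-01-01 10:00:09 1rA0ac-0001ac-Ac <= erin@example.com H=(mail) [192.0.2.10] P=esmtp S=700'

# Constructed "netstat -plan" lines: local address is field 4, remote is 5.
NETSTAT_SAMPLE='tcp        0      0 203.0.113.7:80          198.51.100.5:51234      ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.7:80          198.51.100.5:51235      ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.7:80          192.0.2.44:40001        ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.7:443         192.0.2.44:40002        ESTABLISHED 1234/httpd
tcp        0      0 203.0.113.7:8080        203.0.113.99:33333      TIME_WAIT   -'

# Print "count ip" for the first [a.b.c.d] on each line, least frequent
# first. An optional awk regex in $1 restricts which lines are counted,
# e.g. "rejected RCPT" to reproduce the EXIM one-liner; an empty pattern
# matches every line.
exim_top_ips() {
    awk -v pat="$1" '
        ($0 ~ pat) && match($0, /\[[0-9.]+\]/) {
            n[substr($0, RSTART + 1, RLENGTH - 2)]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -n
}

# Print "count ip" for remote addresses connected to local port $1. The port
# is matched against the end of the local-address field only, so :80 does
# not also pick up :8080 or an IP that happens to contain 80.
netstat_top_ips() {
    awk -v port="$1" '
        $4 ~ (":" port "$") { split($5, a, ":"); n[a[1]]++ }
        END { for (ip in n) print n[ip], ip }' | sort -n
}

printf '%s\n' "$EXIM_SAMPLE" | exim_top_ips
printf '%s\n' "$EXIM_SAMPLE" | exim_top_ips "rejected RCPT"
printf '%s\n' "$NETSTAT_SAMPLE" | netstat_top_ips 80
```

On a live server the same functions take `tail -1000 /var/log/exim_mainlog | exim_top_ips` and `netstat -plan | netstat_top_ips 80`; the awk-based counting prints a clean "count ip" pair per line, which is easier to feed into a threshold check than the space-padded output of uniq -c.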
##############
wget -c http://downloads.rootkit.nl/rkhunter-1.1.1.tar.gz && tar -zxvf rkhunter-1.1.1.tar.gz && cd rkhunter-1.1.1 && ./installer.sh
##############################################
script to clean up MySQL database privileges
/scripts/cleanupmysqlprivs
###########################################