====== Bots ======

TODO

1. Determine the processes that are running.
2. Set up a firewall.
3. Put a sniffer on your network cable and watch if there is any in-/outgoing traffic without doing anything (and having internet browsers, mail, chat and torrent clients
4. netstat -a
5. Install clamav.
6. Use the sshd AllowUsers/DenyUsers options for handling users.
7. chkrootkit / rootkit hunter / ossec.
8. aide / tripwire.

Add the following capabilities to your mailserver:
- greylisting
- sender policy framework - www.openspf.org
- RBLs - at least Spamhaus

Furthermore, there are fine-tuning settings which can be made at MTA level (header/body checks, etc.). mod_security is a step in the right direction.

Look at what ports have services listening on them, then look at the configuration of all those services and make sure they are all legitimate. Then look at your firewall configuration and lock down ports that you don't need, both in- and outbound. Then install RKHunter etc. to see if some script-kiddie dropped a rootkit in there messily.

A good firewall can also help. While a firewall won't stop a botnet infection per se, it can block the network ports used by botnet controllers to point and shoot the botnet software. Botnets used to use such relatively obscure ports as IRC's (Internet Relay Chat) TCP 6660-6669, which were easy to block. "Now," as Manky noted, "they have evolved to use common ports such as HTTP (80) and HTTPS (443) but with common protocols, that are encrypted with their own algorithms to evade detection. Peer-to-peer networks have also been established to make the botnet more bullet-proof to take down."
What about this script? It will also find PHP scripts sending spam:

  # -name needs the "*" glob, otherwise only files literally named ".php" are found;
  # -print0 / xargs -0 keep paths with spaces intact
  find / -type f -name "*.php" -print0 | xargs -0 grep -in 'mail' > ~/mail.scripts.log

Prints the destination of all email sent from your server:

  # grep's basic regex has no \d, so the domain part uses [0-9a-z.-]
  grep -o 'to=<[a-z0-9_.-]\+@[0-9a-z.-]\+\.[a-z.]\{2,6\}>' /var/log/maillog

http://serverfault.com/questions/127100/blocking-a-distributed-consistent-spam-attack-could-it-be-something-more-serio?rq=1

Apache access log:

My first step would be to stop as many as I could to buy some time to get a handle on the situation. Grok out the IP addresses..

  # note: in the default combined log format the client address is field 1; adjust the field to your log format
  grep 'blog/2009/11/23/another' log | awk '{print $2}' > iplist

Generate the iptables rules..

  sed 's/^/iptables -A INPUT -s /' iplist | sed 's/$/ -j DROP/' > drop.sh

And drop them, using what you just made..

  sh drop.sh

Somebody is checking if your server is an open proxy by requesting:

  GET http://xchecker.net/tmp_proxy2012/http/engine.php HTTP/1.0

I too keep getting hit by this bot; I've just added this to my .htaccess:

  RewriteEngine on
  # Options +FollowSymlinks
  RewriteCond %{HTTP_REFERER} xchecker\.net [NC]
  RewriteRule .* - [F]

If you want to stop the 404s, you can put this on top of your vhost configuration:

  RedirectMatch permanent ^/?(.*) http://myrealwebsite.com/
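An added example, not from this page or the linked serverfault thread, that generalizes the grep/awk/sed pipeline above into one POSIX shell script: it counts hits per client address for either the spammed path or any absolute-URI request (the open-proxy probe shown above), keeps only addresses at or above a threshold, and emits the iptables rules with a sanity check on each address. The log lines use TEST-NET addresses and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG='203.0.113.5 - - [10/Mar/2012:10:00:01 +0000] "GET http://xchecker.net/tmp_proxy2012/http/engine.php HTTP/1.0" 404 209 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Mar/2012:10:00:02 +0000] "GET /blog/2009/11/23/another HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:10:00:03 +0000] "GET http://xchecker.net/tmp_proxy2012/http/engine.php HTTP/1.0" 404 209 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Mar/2012:10:00:04 +0000] "POST /blog/2009/11/23/another HTTP/1.1" 200 312 "-" "curl/7.19"
198.51.100.9 - - [10/Mar/2012:10:00:05 +0000] "POST /blog/2009/11/23/another HTTP/1.1" 200 312 "-" "curl/7.19"
198.51.100.9 - - [10/Mar/2012:10:00:06 +0000] "POST /blog/2009/11/23/another HTTP/1.1" 200 312 "-" "curl/7.19"
192.0.2.1 - - [10/Mar/2012:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'

# Print one client IP per line for every request whose target is an absolute
# URI (an open-proxy probe like the xchecker.net one) or matches PATH_PATTERN,
# keeping only addresses seen at least THRESHOLD times.
# Usage: offender_ips PATH_PATTERN THRESHOLD < access_log
offender_ips() {
    pattern="$1"; threshold="$2"
    awk -v pat="$pattern" -v min="$threshold" '
        # combined format: $1 is the client address, $7 the request target
        $7 ~ /^https?:\/\// || $7 ~ pat { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort
}

# Turn the IP list into iptables commands; dedup, and drop any line that is
# not a plain dotted quad so a malformed log line cannot end up in a command.
drop_rules() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u \
      | sed 's|^|iptables -A INPUT -s |; s|$| -j DROP|'
}

# Run the whole pipeline over the constructed sample (threshold 2).
rules_for_sample() {
    printf '%s\n' "$SAMPLE_LOG" | offender_ips 'blog/2009/11/23/another' 2 | drop_rules
}
```

Review the generated rules before running them; the single-hit address 198.51.100.7 is left out by the threshold, which is the point of counting rather than blocking every address in the log.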