Monday, January 26, 2015

Remediation after a hacking incident

sudo grep '/alias.php\|/Association.php\|/blog.php\|/buffer.php\|/cache.php\|/class.wpcom-json-api-get-media-endpoint.php\|/db.php\|/dirs.php\|/file.php\|/footer.php\|/functions.php\|/global.php\|/idna_convert.class.php\|/info.php\|/menu.php\|/options.php\|/patError.php\|/PlainHTTPFetcher.php\|/shortcodes.php\|/twentyten.php\|/twentythirteen.php\|/utf.php\|/vs3xmo1.php' /var/log/xxx/xx-xx.com_access_log | cut -f 1 -d " " | sort


find /home/ -type f -iname "*.php" -print0 | xargs -0 grep -i "qV="

https://gist.github.com/facelordgists/5761101

http://houseoflaudanum.com/navigate/snippets/removing-spam-from-postfix-queues/

The following command does several things:
  1. Reads in the mail queue
  2. Looks for sender addresses that end with `example.com`
  3. Ignores senders with valid addresses (`david` and `john`)
  4. Deletes all those messages from the queue
$ mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" } { if ($7 ~ "example.com$" && $7 !~ "^david|^john" && $9 == "" ) print $1 } ' | tr -d '*!' | sudo postsuper -d -
http://www.cyberciti.biz/faq/searching-multiple-words-string-using-grep/

http://www.cyberciti.biz/tips/howto-postfix-flush-mail-queue.html


To remove all mail from the queue, enter:
# postsuper -d ALL
To remove all mail in the deferred queue, enter:
# postsuper -d ALL deferred
