Fun ways to find a hacker....

home | blog | Terrible people and places | Covid-19 links | Teh Internet | guest blog |rants | placeholder | political | projects | Gwen and Liam | Citadel patched | Tools | Scouts

So, you have someone sending spam. You only have www-user enabled (no separation of www proc users).
That is a bummer, but you have other tools.

Update: You might just want to skip all this and use ngrep
Give this a shot:
Thanks for the tip Citadel documentation folks! :

ngrep port 80 -W byline

No ngrep on your system? - try this:

tcpdump -s 0 -A -qn port 80

It also uses the tcpdump back end, so you can filter the same way as tcpdump does!

Try this:

In one term window, tcpdump for the traffic you are interested in (narrow as you see fit):

tcpdump -vvvAX -i eth0:0 port 25
(make sure your interface matches the suspect IP if the host is smarthosting).

Once the game is afoot,(in another window):

lsof | grep home
(or /var/www or whatever)....

Look for the suspect paths (like /home/blah/public_html/wp-content/uploads/year/month

Go to that dir and inspect what is likely to be the point of entry.  You still need to determine the cause (most likely a plug-in or outdated core WP blog code).

If the host is based on the webserver running under the user www-user (or whatever your distro calls it).  You can find files with the find command (duh)...
find . -user www-user -group www-user
You might want to omit the graphics files, but they might be suspect as well :-)

Hope that helps.
Much better ways to do it, but thought that was a fun fishing expedition tonight.

More stuff to try: - look for files with big blobs of base64 or other encoded / obfuscated crap:

find . -not -type d -exec file "{}" ";" | grep CRLF | grep "very long"

Drop the grep CRLF if your turd does not mix Windows and Unix line endings.

More fun - see what is changing in real time (logs etc...)
Stole this from (don't remember anymore - sorry)

# Example: loops monitoring events forever.
import pyinotify

# Instanciate a new WatchManager (will be used to store watches).
wm = pyinotify.WatchManager()
# Associate this WatchManager with a Notifier (will be used to report and
# process events).
notifier = pyinotify.Notifier(wm)
# Add a new watch on /tmp for ALL_EVENTS.
wm.add_watch('/var/log/somedir', pyinotify.ALL_EVENTS)
# Loop forever and handle events.