May 10 08:09:58 pimp pure-ftpd: (?@?) [ERROR] Unable to switch capabilities : Operation not permitted

in the logs.  Well, the answer is at hand.  Rather than looking through countless google entries to find the answer buried on page three or four, just go here, where the folks at newart-design.net have put together the answer. Make sure to yum install first, that way you can chkserv on and use /etc/init.d to control.

This is what happens when I'm under the influence of pain medication, wake up before anyone else in the house, can't get back to sleep, have too much chocolate, don't feel 100%, and am slightly bored...

Now, I just need to figure out if it's possible to include a callout at that point in exim.conf to a perl script that will randomize the connect messages.

Amazon Ideas:

Exim: The Mail Transfer Agent

#!/bin/bash
###############################################
# CLEAN MAIL #
# v0.1 #
# #
# Cleans the mail from default accounts based #
# on cPanel usernames. Create a file in /root #
# called 'doit'. Add one cPanel username per #
# line. That should do nicely. Oh, this will #
# take a while, so run the sucker in screen, #
# mkay, Batman? #
###############################################

# Some dedis have LS_OPTIONS include -a...
# that would be bad for this script.
# so, we reset it.
LS_OPTIONS='-A'

# start the loop...
for i in `cat /root/doit`
do
# Delete from the new folder.
cd /home/$i/mail/new
# can't rm if there's too many, and by using
# an ls and awk, we avoid another loop.
ls -l | awk '{print "rm -fv "$9}'|bash
# Delete from the cur folder.
cd /home/$i/mail/cur
# Comment repetition carefully avoided, here
ls -l | awk '{print "rm -fv "$9}'|bash
done
# NINJAMOJO!

It's simple. Get a list of cPanel usernames, one per line, create a file in /root called 'doit', and slap the usernames in there.  Then, 'bash cleanmail'.

Fortunately, the code was injected as a single line, and was the same in every file, and had the added benefit of being on the top line of the file.  So, I could use abit of perl to remove it, and then a bit of sed magic to remove the blank line left by Perl (because for some reason, it didn't want to remove the newline).

The perl code was relatively straightforward. Using -pi -e, we were able to edit in place each file (with much escapism to avoid regex traps, when in doubt escape anything consider special to regex):

for i in `find -iname "*.php"`;do perl -pi -e s/"\<\?php \/\*\*\/eval\(base64_decode\('SomeObfuscatedCodeHereThatIWontDisplayForObviousReasons'\)\); \?\>"//g $i;done

Once all of the files were edite, and the code removed, we used a quick sed one-liner to remove the line at the beginning of the file, as a lot of php scripts (vBulletin, included) will b0rk if there's anything before the opening <?

for i in `find -iname "*.php"`;do sed '1d' $i > $i.fixed && mv -f $i.fixed $i;done

With those two snippets, I removed the code from around a hundred php files in less than two minutes (the sed work took a bit to process on some files).  Only one file had an issue, and that was the config.php that apparently was not infected.  All-in-all, the ticket resolution took less than 8 minutes, including testing and writing out the reply.  Edit 100 files, remove a bunch of code, test, reply to user in 8 minutes? Not too bad.