
Check Mail logs

hugemonkey
Hi,

I have recently had a problem with someone sending loads of spam through my server.

Is there a way to look at a log to show me details of all the messages sent via my server?

Thanks in advance.
 
The mail log is normally in /usr/local/psa/var/log/maillog

It can be confusing but give it a little time and you'll get to grips with it.

The problem is that if the emails are being generated by a script on one of your customer's sites then you will be unable to tell which site it is from the maillog alone.

Search for "nobody spammer" on the forum for a topic that gives you some possible ways to trace them.

Faris.
 
Thanks a lot for your help...you're right about it being difficult to interpret!!!

At least I have something to try and read now.
 
Your best bet to determine how and what outbound spam was sent from your host is to go to /var/qmail/queue/messages. Run find ./ and see how many files there are -- if a spammer had a recent outbound attack from your host, within the last few days, there are hundreds to tens of thousands of emails sitting here, the ones that were undeliverable.

If you find messages, view them and see if they are spam. Look closely at the first line of each message. Here is an example of one:

Received: (qmail 23269 invoked by uid 48); 7 Jul 2007 17:31:34 -0700

If the uid listed above ("invoked by uid 48") is the uid of the apache user (which is either nobody, www, apache or www-'something', depending on your OS), it means the spam was sent from apache, which most likely means a contact form or similar was compromised. You can then take the date and time listed (7 Jul 2007 17:31:34) and look through the apache access logs (for each domain; it's easy if you script this) for hits that occurred at that time. Most likely you'll find the hit that caused the mail and can remove the script from your server.

This method works about 60% of the time. Some spammers are trickier and install processes used to send spam. To find them, do 'ps -ef | grep $APACHE_USER' and ignore the valid ones showing your webserver, like /usr/sbin/httpd. If you see something like /tmp/a or /usr/sbin/httdp it's 99% sure a hacker script. Finding out how they installed it is a bit tougher.
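The correlation the reply above describes (take the uid and timestamp from the queued message's first Received: line, check that the uid belongs to the web server, then look for access-log hits at that moment across every domain's log), as an added Python example that is not part of the original thread or of Plesk. The uid-to-user map, the sample queue messages and the sample Apache combined-format log lines are constructed for illustration; confirm the real uids on your own host with `id apache` / `id nobody` / `id www-data`, and feed it the real queue directory and per-domain access logs.

```python
import os
import re
from datetime import datetime, timedelta

# Assumed uid -> web-server user map for common Plesk-era layouts. Constructed
# for this example: confirm the real values on your host with `id apache`,
# `id nobody` or `id www-data`.
WEB_UIDS = {48: "apache", 99: "nobody", 33: "www-data"}

# First line of a qmail queue message:
#   Received: (qmail 23269 invoked by uid 48); 7 Jul 2007 17:31:34 -0700
RECEIVED_RE = re.compile(r"^Received: \(qmail \d+ invoked by uid (\d+)\); (.+)$")
QMAIL_TS_FMT = "%d %b %Y %H:%M:%S %z"

# Apache combined log line:
#   203.0.113.5 - - [07/Jul/2007:17:31:33 -0700] "POST /contact.php HTTP/1.1" 200 512 "-" "UA"
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
APACHE_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_received(line):
    """Return (uid, timezone-aware datetime) from a qmail Received: line, or None."""
    m = RECEIVED_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), datetime.strptime(m.group(2).strip(), QMAIL_TS_FMT)


def is_web_uid(uid):
    """True if the message was injected by the web server's uid."""
    return uid in WEB_UIDS


def find_hits(access_lines, when, window=timedelta(seconds=2)):
    """Access-log entries whose timestamp lies within +/-window of `when`."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), APACHE_TS_FMT)
        if abs(ts - when) <= window:
            request = m.group(3)
            hits.append({
                "ip": m.group(1),
                "request": request,
                "status": int(m.group(4)),
                # a POST to a form handler is the usual way a contact script gets abused
                "form_post": request.startswith("POST "),
            })
    return hits


def correlate(queue_messages, access_logs, window=timedelta(seconds=2)):
    """queue_messages: {file name: message text}; access_logs: {vhost: [lines]}.
    Returns (file name, uid, vhost, hit) for every web-uid message that has an
    access-log hit at its injection time. Messages from other uids are skipped."""
    results = []
    for name, text in queue_messages.items():
        first = text.splitlines()[0] if text else ""
        parsed = parse_received(first)
        if parsed is None or not is_web_uid(parsed[0]):
            continue
        uid, ts = parsed
        for vhost, lines in access_logs.items():
            for hit in find_hits(lines, ts, window):
                results.append((name, uid, vhost, hit))
    # likely culprits (form POSTs) first; sort is stable so log order is kept otherwise
    results.sort(key=lambda r: not r[3]["form_post"])
    return results


def load_queue_dir(path):
    """Read every file under a queue directory into {path: text} (for real use)."""
    msgs = {}
    for root, _dirs, files in os.walk(path):
        for f in files:
            p = os.path.join(root, f)
            with open(p, encoding="utf-8", errors="replace") as fh:
                msgs[p] = fh.read()
    return msgs


# Constructed sample data: one message injected by uid 48 (apache) and one by a
# normal shell user, plus two virtual hosts' access logs around the injection time.
SAMPLE_QUEUE = {
    "12345": "Received: (qmail 23269 invoked by uid 48); 7 Jul 2007 17:31:34 -0700\nSubject: buy now\n",
    "12346": "Received: (qmail 23270 invoked by uid 500); 7 Jul 2007 17:40:00 -0700\nSubject: hi\n",
}
SAMPLE_ACCESS = {
    "example.com": [
        '203.0.113.5 - - [07/Jul/2007:17:31:33 -0700] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
        '198.51.100.7 - - [07/Jul/2007:17:25:01 -0700] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    ],
    "example.org": [
        '192.0.2.9 - - [07/Jul/2007:17:31:35 -0700] "GET /images/logo.png HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    ],
}

if __name__ == "__main__":
    for name, uid, vhost, hit in correlate(SAMPLE_QUEUE, SAMPLE_ACCESS):
        tag = "likely" if hit["form_post"] else "maybe"
        print(f"{tag}: queue msg {name} (uid {uid} = {WEB_UIDS[uid]}) <-> {vhost} {hit['ip']} {hit['request']}")
```

Both timestamps carry a UTC offset, so the comparison is correct even if Apache and qmail were configured for different zones. With the sample data the POST to /contact.php one second before the injection is reported first and the unrelated image GET on the other domain a second after it is reported as a weaker candidate; a wider window produces more noise, so start at a second or two and widen only if nothing matches. If no web-uid messages correlate to any request at all, that is the case the reply says this method misses: the sender is a process the attacker installed rather than a web hit, and the ps -ef check for odd processes running as the apache user is the next step.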
 