possible compromised server

Discussion in 'Plesk for Linux - 8.x and Older' started by bob2, Mar 29, 2006.

  1. bob2

    bob2 Guest

    0
     
    I am having an issue where a lot of spam seems to be coming from either root or localhost. I thought it may be another compromised mail form. But I am seeing a process running as perl and the following after it: perl.txt list.txt and then the subject of the spam that is going out. I have searched my server for either perl.txt and list.txt and all it lists is /dev/shm/.../list.txt or the same with perl.txt. Any help would be appreciated.
     
  2. rvdmeer

    rvdmeer Guest

    0
     
    Could it be your cronjobs sending these mails?
    If so, you could make the crontab (/etc/crontab) mail var empty like:

    [root@vite opt]# cat /etc/crontab
    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=
    HOME=/

    # run-parts
    01 * * * * root run-parts /etc/cron.hourly
    02 4 * * * root run-parts /etc/cron.daily
    22 4 * * 0 root run-parts /etc/cron.weekly
    42 4 1 * * root run-parts /etc/cron.monthly
     
  3. bob2

    bob2 Guest

    0
     
    It isn't a cron job. I am getting random e-mail subjects that have a Spanish subject and all of them are forged to look like they are coming from a .com.br domain.
     
  4. rvdmeer

    rvdmeer Guest

    0
     
    If you check the running processes... anything strange running?

    ps aux

    Maybe it's an idea to put your output here so I can have a look at what kind of processes are running.

    You could also run a TOP process with updating every second and just see if there is something strange.

    top

    (type after starting top: cas1 to get an up-to-date full parameter process view)
     
  5. bob2

    bob2 Guest

    0
     
    And here is a ps -ax when the process was running.

    PID TTY STAT TIME COMMAND
    1 ? S 0:06 init
    2 ? SW 0:01 [keventd]
    3 ? SW 0:00 [kapmd]
    4 ? SWN 0:00 [ksoftirqd/0]
    7 ? SW 0:00 [bdflush]
    5 ? SW 1:01 [kswapd]
    6 ? SW 4:52 [kscand]
    8 ? SW 0:00 [kupdated]
    9 ? SW 0:00 [mdrecoveryd]
    17 ? SW 0:00 [scsi_eh_0]
    18 ? SW 0:00 [scsi_eh_1]
    21 ? DW 11:18 [kjournald]
    80 ? SW 0:00 [khubd]
    488 ? SW 0:35 [kjournald]
    489 ? DW 14:35 [kjournald]
    3043 ? D 6:05 syslogd -m 0
    3047 ? S 0:00 klogd -x
    3075 ? S 0:00 portmap
    3095 ? S 0:00 rpc.statd
    3108 ? S 0:00 mdadm --monitor --scan -f
    3179 ? S 0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript
    3263 ? S 0:00 /usr/sbin/sshd
    3605 ? S 0:00 gpm -t ps/2 -m /dev/mouse
    3760 ? S 0:00 crond
    3784 ? S 0:00 xfs -droppriv -daemon
    3794 ? S 0:00 /usr/sbin/atd
    3805 ? S 0:00 rhnsd --interval 240
    3816 ? S 0:00 /usr/bin/python /var/mailman/bin/mailmanctl -s -q start
    3817 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
    3818 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
    3819 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
    3820 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
    3821 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
    3822 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
    3823 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
    3824 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
    3832 ? S 0:00 login -- root
    3833 tty2 S 0:00 /sbin/mingetty tty2
    3834 tty3 S 0:00 /sbin/mingetty tty3
    3835 tty4 S 0:00 /sbin/mingetty tty4
    3836 tty5 S 0:00 /sbin/mingetty tty5
    3837 tty6 S 0:00 /sbin/mingetty tty6
    3840 tty1 S 0:00 -bash
    10937 ? S 0:34 /usr/sbin/httpd -k graceful
    9594 ? S 0:00 sshd: root@pts/1
    9596 pts/1 S 0:00 -bash
    14385 ? S 0:00 cupsd
    16260 ? S 0:00 CROND
    16261 ? S 0:00 /bin/bash /usr/bin/run-parts /etc/cron.daily
    17550 ? S 0:00 bin/qmail-inject -a -- root
    17551 ? S 0:00 bin/qmail-queue
    20162 ? S 0:04 xinetd -stayalive -pidfile /var/run/xinetd.pid
    20175 ? S 0:00 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root
    20192 ? S 0:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
    20223 ? S 0:46 qmail-rspawn
    20229 ? S 2:26 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking
    20261 ? S 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=imapd -maxprocs=40 -maxperip=4 -pid=/var/run/imapd.pid -nodnslookup -noidentlookup 143 /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/libexec/authlib/authp
    20267 ? S 0:00 /usr/lib/courier-imap/sbin/courierlogger imapd
    20273 ? S 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=imapd-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/imapd-ssl.pid -nodnslookup -noidentlookup 993 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap
    20275 ? S 0:00 /usr/lib/courier-imap/sbin/courierlogger imapd-ssl
    20283 ? S 0:05 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=pop3d -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d.pid -nodnslookup -noidentlookup 110 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/libexec/authlib/authp
    20286 ? S 0:02 /usr/lib/courier-imap/sbin/courierlogger pop3d
    20294 ? S 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=pop3d-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d-ssl.pid -nodnslookup -noidentlookup 995 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap
    20296 ? S 0:00 /usr/lib/courier-imap/sbin/courierlogger pop3d-ssl
    20360 ? S 0:00 /usr/bin/spamd -d -c -a -m5 -H
    20377 ? S 0:00 /usr/bin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 20 --pidfile=/var/run/spamd_full.pid --socketpath=/tmp/spamd_full.sock --siteconfigpath=/dev/null
    20386 ? S 0:00 /usr/bin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 20 --pidfile=/var/run/spamd_light.pid --socketpath=/tmp/spamd_light.sock
    20442 ? S 0:06 /usr/java/j2sdk1.4.2/bin/java -Djava.endorsed.dirs= -classpath /usr/java/j2sdk1.4.2/lib/tools.jar:/var/tomcat4/bin/bootstrap.jar -Djava.security.manager -Djava.security.policy==/var/tomcat4/conf/catalina.policy -Dcatalina.base=/var/tomcat4 -Dcatalina.home=/var/tomcat4 -Djava.io.tmpdir=/var/to
    20526 ? S 0:00 /usr/sbin/httpd -k graceful
    20537 ? S 0:00 /usr/local/psa/admin/bin/httpsd
    20542 ? S 0:00 /usr/local/psa/admin/bin/httpsd
    20544 ? S 0:00 /usr/local/psa/admin/bin/httpsd
    20545 ? S 0:00 /usr/local/psa/admin/bin/httpsd
    20547 ? S 0:00 /usr/local/psa/admin/bin/httpsd
    20548 ? S 0:00
     
  6. bob2

    bob2 Guest

    0
     
    Here is the rest.

    /usr/local/psa/admin/bin/httpsd
    5973 ? S 0:00 /usr/sbin/httpd -k graceful
    15028 ? S 0:01 /usr/sbin/httpd -k graceful
    24379 ? S 0:01 /usr/sbin/httpd -k graceful
    29126 ? S 0:00 /usr/local/psa/admin/bin/httpsd
    29207 ? S 0:00 /usr/local/psa/admin/bin/httpsd
    29466 ? S 0:00 /usr/local/psa/admin/bin/httpsd
    29586 ? S 0:00 /usr/local/psa/admin/bin/httpsd
    29655 ? Z 0:00 [httpsd <defunct>]
    29856 ? Z 0:00 [httpsd <defunct>]
    32616 ? Z 0:00 [sh <defunct>]
    32624 ? S 0:00 inetd
    7057 ? S 1:30 perl perl.txt list.txt bferrari_19@isbt.com.br Bruna Ferrari te envio uma mensagem. car.htm
    11321 ? S 0:07 proftpd: hamcam - 12.150.233.82: IDLE
    23644 ? S 0:00 qmail-remote apsa.com.br root@plesk.sonet.net cmachado@apsa.com.br
    28452 ? S 0:00 qmail-remote sirat.com.br root@plesk.sonet.net comercial@sirat.com.br
    2004 ? S 0:00 qmail-remote vapnet.com.br root@plesk.sonet.net cftp@vapnet.com.br
    3454 ? S 0:00 qmail-remote brfree.com.br root@plesk.sonet.net chinametal@brfree.com.br
    4540 ? S 0:00 qmail-remote geocities.com root@plesk.sonet.net chrislov@geocities.com
    5427 ? S 0:00 qmail-remote yahoo.com.br root@plesk.sonet.net chui@yahoo.com.br
    9049 ? S 0:00 qmail-remote yahoo.com.br root@plesk.sonet.net cintia_linda@yahoo.com.br
    16919 ? S 0:00 qmail-remote berneck.com.br root@plesk.sonet.net coml@berneck.com.br
    18846 ? S 0:00 qmail-remote cdlnet.com.br root@plesk.sonet.net contador@cdlnet.com.br
    22201 ? S 0:00 /usr/sbin/httpd -k graceful
    24661 ? S 0:00 qmail-remote yahoo.com.br root@plesk.sonet.net cgrafica@yahoo.com.br
    25424 ? S 0:00 qmail-remote yahoo.com.br root@plesk.sonet.net chalmes@yahoo.com.br
    29897 ? S 0:00 qmail-remote geocities.com root@plesk.sonet.net cinho@geocities.com
    31965 ? S 0:00 qmail-remote uol.com.br root@plesk.sonet.net cinw@uol.com.br
    2907 ? S 0:00 qmail-remote uol.com.br root@plesk.sonet.net claudia.sr@uol.com.br
    2973 ? S 0:00 qmail-remote uol.com.br root@plesk.sonet.net claytonc@uol.com.br
    3251 ? S 0:00 qmail-remote estacio.br root@plesk.sonet.net cleyde@estacio.br
    3747 ? S 0:00 qmail-remote uol.com.br root@plesk.sonet.net cleitonandre@uol.com.br
    9101 ? S 0:00 qmail-remote yahoo.com.br root@plesk.sonet.net cattt_woman@yahoo.com.br
    9312 ? S 0:00 qmail-remote larsoft.com.br root@plesk.sonet.net contabil.maranata@larsoft.com.br
    11253 ? S 0:00 qmail-remote yahoo.com.br root@plesk.sonet.net celsosr2@yahoo.com.br
    11640 pts/1 D 0:06 qmail-send
    11642 pts/1 S 0:00 splogger qmail
    11643 pts/1 S 0:00 qmail-lspawn ./Maildir/
    11644 pts/1 S 0:00 qmail-rspawn
    11645 pts/1 S 0:00 qmail-clean
    11821 pts/1 S 0:00 qmail-remote my.love.djidai.com zenbavermae@my.love.djidai.com
    11907 pts/1 S 0:00 qmail-remote my.maxi4u.com dontaylor@my.maxi4u.com
    12093 ? S 0:00 sshd: root@pts/0
    12169 pts/1 S 0:00 qmail-remote yahoo.fr root@plesk.sonet.net hotel_lefouta@yahoo.fr
    12256 pts/0 S 0:00 -bash
    12337 ? SN 0:00 /bin/sh /etc/cron.daily/slocate.cron
    12338 ? S 0:00 awk -v progname=/etc/cron.daily/slocate.cron progname { print progname ":\n" progname=""; } { print; }
    12340 ? RN 0:02 /usr/bin/updatedb -f NFS,SMBFS,NCPFS,PROC,DEVPTS -e /tmp,/var/tmp,/usr/tmp,/afs,/net
    13561 ? S 0:00 /usr/sbin/httpd -k graceful
    13608 ? S 0:00 /usr/sbin/httpd -k graceful
    13619 ? S 0:00 /usr/sbin/httpd -k graceful
    13630 ? S 0:00 /usr/sbin/httpd -k graceful
    13631 ? S 0:00 /usr/sbin/httpd -k graceful
    14114 pts/1 S 0:00 qmail-remote velox.com.br root@plesk.sonet.net jbericeira@velox.com.br
    14467 ? S 0:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
    15002 ? S 0:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
    15552 pts/1 S 0:00 qmail-remote tre-to.gov.br root@plesk.sonet.net pagamentopessoal@tre-to.gov.br
    15566 ? S 0:00 /usr/lib/courier-imap/libexec/authlib/authpsa /usr/lib/courier-imap/bin/pop3d Maildir
    15569 pts/1 S 0:00 qmail-remote tre-to.gov.br root@plesk.sonet.net Socialcomunicacaosocial@tre-to.gov.br
    15574 ? S 0:00 plugins/chkrcptto
    15584 pts/1 S 0:00 qmail-remote tre-mg.gov.br root@plesk.sonet.net sj@tre-mg.gov.br
    15587 ? S 0:00 /usr/lib/courier-imap/libexec/authlib/authpsa /usr/lib/courier-imap/bin/pop3d Maildir
    15589 ? S 0:00 bin/qmail-inject -H --
    15590 ? R 0:00 bin/qmail-queue
    15592 pts/1 R 0:00 ps -ax
    15593 pts/1 R 0:00 less
    15594 pts/1 S 0:00 qmail-remote tre-mg.gov.br root@plesk.sonet.net zona0

    The process listed as
    perl perl.txt list.txt ferrari_19@isbt.com.br Bruna
    is where I think it may be coming from.
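    Added example, not code from this thread, from Plesk, or from either poster: a small Python script that does mechanically what the two manual checks above do by eye, rvdmeer's "anything strange in ps aux" and the search that turned up /dev/shm/.../list.txt. It parses ps -ax style lines and flags three things that stand out in the listing: an interpreter launched with a relative script name (perl perl.txt), which hides where the script lives unless you read /proc/<pid>/cwd; command lines that reference world-writable or hidden paths such as /dev/shm; and one envelope sender behind many concurrent qmail-remote deliveries. The embedded listing is constructed (addresses replaced with example.com-style names, and one /dev/shm line added to exercise that check), and the function names are mine.

```python
"""Triage a `ps -ax` listing for spam-run indicators (added example)."""
import re
from collections import Counter

# Constructed sample modelled on the thread's listing. Hosts and addresses are
# replaced with example.* names; the /dev/shm line is constructed as well.
SAMPLE_PS = """\
PID TTY STAT TIME COMMAND
3263 ? S 0:00 /usr/sbin/sshd
3760 ? S 0:00 crond
7057 ? S 1:30 perl perl.txt list.txt sender@example.com.br Subject line here
11321 ? S 0:07 proftpd: user - 192.0.2.10: IDLE
23644 ? S 0:00 qmail-remote example.com.br root@plesk.example.net a@example.com.br
28452 ? S 0:00 qmail-remote example.com.br root@plesk.example.net b@example.com.br
2004 ? S 0:00 qmail-remote example.net root@plesk.example.net c@example.net
3454 ? S 0:00 qmail-remote example.org root@plesk.example.net d@example.org
11821 pts/1 S 0:00 qmail-remote example.org postmaster@example.org e@example.org
19999 ? S 0:00 sh /dev/shm/.../run.sh
20162 ? S 0:04 xinetd -stayalive -pidfile /var/run/xinetd.pid
"""

# PID TTY STAT TIME COMMAND...  (the header row has no numeric PID and is skipped)
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

INTERPRETERS = {"perl", "python", "php", "sh", "bash", "ruby"}
WORLD_WRITABLE = ("/dev/shm", "/tmp", "/var/tmp")


def parse_ps(text):
    """Turn ps -ax style output into dicts; header and junk lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        pid, tty, stat, _cpu, cmd = m.groups()
        procs.append({"pid": int(pid), "tty": tty, "stat": stat, "cmd": cmd.strip()})
    return procs


def interpreter_scripts(procs):
    """PIDs where an interpreter runs a script given by a relative name.

    `perl perl.txt` tells you nothing about the script's directory; only
    /proc/<pid>/cwd does, and in the thread that was a hidden dir in /dev/shm.
    """
    hits = []
    for p in procs:
        argv = p["cmd"].split()
        if len(argv) < 2:
            continue
        exe = argv[0].rsplit("/", 1)[-1]
        if exe in INTERPRETERS and not argv[1].startswith(("/", "-")):
            hits.append(p["pid"])
    return hits


def world_writable_paths(procs):
    """PIDs whose command line names a world-writable dir or a hidden component."""
    hits = []
    for p in procs:
        for tok in p["cmd"].split():
            hidden = any(part.startswith(".") and part not in (".", "..")
                         for part in tok.split("/"))
            if tok.startswith(WORLD_WRITABLE) or (tok.startswith("/") and hidden):
                hits.append(p["pid"])
                break
    return hits


def mta_fanout(procs, threshold=3):
    """Envelope senders with at least `threshold` concurrent qmail-remote runs.

    qmail-remote is invoked as `qmail-remote <host> <sender> <recipient>...`,
    so argv[2] is the envelope sender. One sender fanning out to many hosts at
    once is the shape of the run in the thread (root@... to dozens of .com.br).
    """
    senders = Counter()
    for p in procs:
        argv = p["cmd"].split()
        if argv and argv[0].rsplit("/", 1)[-1] == "qmail-remote" and len(argv) >= 3:
            senders[argv[2]] += 1
    return {s: n for s, n in senders.items() if n >= threshold}


def triage(text, threshold=3):
    """Run all three checks over a ps listing and return the findings."""
    procs = parse_ps(text)
    return {
        "relative_scripts": interpreter_scripts(procs),
        "world_writable": world_writable_paths(procs),
        "fanout": mta_fanout(procs, threshold),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_PS).items():
        print(f"{key}: {val}")
```

    Run it as-is to see the findings for the embedded sample, or pass real ps -ax output to triage(). The flagged PIDs are a shortlist, not a verdict: follow each one up with /proc/<pid>/cwd and /proc/<pid>/exe before deciding anything, since legitimate software also keeps sockets and state under /tmp.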
     
  7. rvdmeer

    rvdmeer Guest

    0
     
    Well, it doesn't look good and I would suggest scanning the complete server with anti-virus/trojan (clamav) software.

    Also check out: http://www.chkrootkit.org/
     
  8. bob2

    bob2 Guest

    0
     
    Thanks for the help. Thankfully the server was not compromised. I found a mail form handler that had not been updated to the latest version and that is where the spam was coming from.
     