
possible compromised server


bob2

Guest
I am having an issue where a lot of spam seems to be coming from either root or localhost. I thought it may be another compromised mail form, but I am seeing a process running as perl, and after it the following: perl.txt list.txt and then the subject of the spam that is going out. I have searched my server for either perl.txt or list.txt and all it lists is /dev/shm/.../list.txt, or the same with perl.txt. Any help would be appreciated.
 
Could it be your cron jobs sending these mails?
If so, you could make the crontab (/etc/crontab) MAILTO variable empty, like:

[root@vite opt]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
 
It isn't a cron job. I am getting e-mails with random Spanish subjects, and all of them are forged to look like they are coming from a .com.br domain.
 
If you check the running processes... is anything strange running?

ps aux

Maybe it's an idea to put your output here so I can have a look at what kind of processes are running.

You could also run top updating every second and just see if there is something strange.

top

(type after starting top: cas1 to get an up-to-date full-parameter process view)
 
And here is a ps -ax from when the process was running.

PID TTY STAT TIME COMMAND
1 ? S 0:06 init
2 ? SW 0:01 [keventd]
3 ? SW 0:00 [kapmd]
4 ? SWN 0:00 [ksoftirqd/0]
7 ? SW 0:00 [bdflush]
5 ? SW 1:01 [kswapd]
6 ? SW 4:52 [kscand]
8 ? SW 0:00 [kupdated]
9 ? SW 0:00 [mdrecoveryd]
17 ? SW 0:00 [scsi_eh_0]
18 ? SW 0:00 [scsi_eh_1]
21 ? DW 11:18 [kjournald]
80 ? SW 0:00 [khubd]
488 ? SW 0:35 [kjournald]
489 ? DW 14:35 [kjournald]
3043 ? D 6:05 syslogd -m 0
3047 ? S 0:00 klogd -x
3075 ? S 0:00 portmap
3095 ? S 0:00 rpc.statd
3108 ? S 0:00 mdadm --monitor --scan -f
3179 ? S 0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-sc
ripts/apmscript
3263 ? S 0:00 /usr/sbin/sshd
3605 ? S 0:00 gpm -t ps/2 -m /dev/mouse
3760 ? S 0:00 crond
3784 ? S 0:00 xfs -droppriv -daemon
3794 ? S 0:00 /usr/sbin/atd
3805 ? S 0:00 rhnsd --interval 240
3816 ? S 0:00 /usr/bin/python /var/mailman/bin/mailmanctl -s -q start
3817 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
3818 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
3819 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
3820 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
3821 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
3822 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
3823 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
3824 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
3832 ? S 0:00 login -- root
3833 tty2 S 0:00 /sbin/mingetty tty2
3834 tty3 S 0:00 /sbin/mingetty tty3
3835 tty4 S 0:00 /sbin/mingetty tty4
3836 tty5 S 0:00 /sbin/mingetty tty5
3837 tty6 S 0:00 /sbin/mingetty tty6
3840 tty1 S 0:00 -bash
10937 ? S 0:34 /usr/sbin/httpd -k graceful
9594 ? S 0:00 sshd: root@pts/1
9596 pts/1 S 0:00 -bash
14385 ? S 0:00 cupsd
16260 ? S 0:00 CROND
16261 ? S 0:00 /bin/bash /usr/bin/run-parts /etc/cron.daily
17550 ? S 0:00 bin/qmail-inject -a -- root
17551 ? S 0:00 bin/qmail-queue
20162 ? S 0:04 xinetd -stayalive -pidfile /var/run/xinetd.pid
20175 ? S 0:00 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root
20192 ? S 0:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
20223 ? S 0:46 qmail-rspawn
20229 ? S 2:26 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking
20261 ? S 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=imapd -maxprocs=40 -maxperip=4 -pid=/var/run/imapd.pid -nodnslookup -noidentlookup 143 /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/libexec/authlib/authp
20267 ? S 0:00 /usr/lib/courier-imap/sbin/courierlogger imapd
20273 ? S 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=imapd-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/imapd-ssl.pid -nodnslookup -noidentlookup 993 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap
20275 ? S 0:00 /usr/lib/courier-imap/sbin/courierlogger imapd-ssl
20283 ? S 0:05 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=pop3d -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d.pid -nodnslookup -noidentlookup 110 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/libexec/authlib/authp
20286 ? S 0:02 /usr/lib/courier-imap/sbin/courierlogger pop3d
20294 ? S 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=pop3d-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d-ssl.pid -nodnslookup -noidentlookup 995 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap
20296 ? S 0:00 /usr/lib/courier-imap/sbin/courierlogger pop3d-ssl
20360 ? S 0:00 /usr/bin/spamd -d -c -a -m5 -H
20377 ? S 0:00 /usr/bin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 20 --pidfile=/var/run/spamd_full.pid --socketpath=/tmp/spamd_full.sock --siteconfigpath=/dev/null
20386 ? S 0:00 /usr/bin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 20 --pidfile=/var/run/spamd_light.pid --socketpath=/tmp/spamd_light.sock
20442 ? S 0:06 /usr/java/j2sdk1.4.2/bin/java -Djava.endorsed.dirs= -classpath /usr/java/j2sdk1.4.2/lib/tools.jar:/var/tomcat4/bin/bootstrap.jar -Djava.security.manager -Djava.security.policy==/var/tomcat4/conf/catalina.policy -Dcatalina.base=/var/tomcat4 -Dcatalina.home=/var/tomcat4 -Djava.io.tmpdir=/var/to
20526 ? S 0:00 /usr/sbin/httpd -k graceful
20537 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20542 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20544 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20545 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20547 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20548 ? S 0:00
 
Here is the rest.

/usr/local/psa/admin/bin/httpsd
5973 ? S 0:00 /usr/sbin/httpd -k graceful
15028 ? S 0:01 /usr/sbin/httpd -k graceful
24379 ? S 0:01 /usr/sbin/httpd -k graceful
29126 ? S 0:00 /usr/local/psa/admin/bin/httpsd
29207 ? S 0:00 /usr/local/psa/admin/bin/httpsd
29466 ? S 0:00 /usr/local/psa/admin/bin/httpsd
29586 ? S 0:00 /usr/local/psa/admin/bin/httpsd
29655 ? Z 0:00 [httpsd <defunct>]
29856 ? Z 0:00 [httpsd <defunct>]
32616 ? Z 0:00 [sh <defunct>]
32624 ? S 0:00 inetd
7057 ? S 1:30 perl perl.txt list.txt [email protected] Bruna Ferrari te envio uma mensagem. car.htm
11321 ? S 0:07 proftpd: hamcam - 12.150.233.82: IDLE
23644 ? S 0:00 qmail-remote apsa.com.br [email protected] cmachad[email protected]
28452 ? S 0:00 qmail-remote sirat.com.br [email protected] comerc[email protected]
2004 ? S 0:00 qmail-remote vapnet.com.br [email protected] cftp@vapnet.com.br
3454 ? S 0:00 qmail-remote brfree.com.br [email protected] china[email protected]
4540 ? S 0:00 qmail-remote geocities.com [email protected] chris[email protected]
5427 ? S 0:00 qmail-remote yahoo.com.br [email protected] chui@yahoo.com.br
9049 ? S 0:00 qmail-remote yahoo.com.br [email protected] cintia[email protected]
16919 ? S 0:00 qmail-remote berneck.com.br [email protected] coml[email protected]
18846 ? S 0:00 qmail-remote cdlnet.com.br [email protected] conta[email protected]
22201 ? S 0:00 /usr/sbin/httpd -k graceful
24661 ? S 0:00 qmail-remote yahoo.com.br [email protected] cgrafi[email protected]
25424 ? S 0:00 qmail-remote yahoo.com.br [email protected] chalme[email protected]
29897 ? S 0:00 qmail-remote geocities.com [email protected] cinho[email protected]
31965 ? S 0:00 qmail-remote uol.com.br [email protected] cinw@uol.com.br
2907 ? S 0:00 qmail-remote uol.com.br [email protected] claudia.[email protected]
2973 ? S 0:00 qmail-remote uol.com.br [email protected] claytonc[email protected]
3251 ? S 0:00 qmail-remote estacio.br [email protected] cleyde@estacio.br
3747 ? S 0:00 qmail-remote uol.com.br [email protected] cleitona[email protected]
9101 ? S 0:00 qmail-remote yahoo.com.br [email protected] cattt_[email protected]
9312 ? S 0:00 qmail-remote larsoft.com.br [email protected] cont[email protected]
11253 ? S 0:00 qmail-remote yahoo.com.br [email protected] celsos[email protected]
11640 pts/1 D 0:06 qmail-send
11642 pts/1 S 0:00 splogger qmail
11643 pts/1 S 0:00 qmail-lspawn ./Maildir/
11644 pts/1 S 0:00 qmail-rspawn
11645 pts/1 S 0:00 qmail-clean
11821 pts/1 S 0:00 qmail-remote my.love.djidai.com [email protected].djidai.com
11907 pts/1 S 0:00 qmail-remote my.maxi4u.com [email protected]
12093 ? S 0:00 sshd: root@pts/0
12169 pts/1 S 0:00 qmail-remote yahoo.fr [email protected] hotel_lefo[email protected]
12256 pts/0 S 0:00 -bash
12337 ? SN 0:00 /bin/sh /etc/cron.daily/slocate.cron
12338 ? S 0:00 awk -v progname=/etc/cron.daily/slocate.cron progname { print progname ":\n"; progname=""; } { print; }
12340 ? RN 0:02 /usr/bin/updatedb -f NFS,SMBFS,NCPFS,PROC,DEVPTS -e /tmp,/var/tmp,/usr/tmp,/afs,/net
13561 ? S 0:00 /usr/sbin/httpd -k graceful
13608 ? S 0:00 /usr/sbin/httpd -k graceful
13619 ? S 0:00 /usr/sbin/httpd -k graceful
13630 ? S 0:00 /usr/sbin/httpd -k graceful
13631 ? S 0:00 /usr/sbin/httpd -k graceful
14114 pts/1 S 0:00 qmail-remote velox.com.br [email protected] jberic[email protected]
14467 ? S 0:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
15002 ? S 0:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
15552 pts/1 S 0:00 qmail-remote tre-to.gov.br [email protected] pagam[email protected]
15566 ? S 0:00 /usr/lib/courier-imap/libexec/authlib/authpsa /usr/lib/courier-imap/bin/pop3d Maildir
15569 pts/1 S 0:00 qmail-remote tre-to.gov.br [email protected] Socia[email protected]
15574 ? S 0:00 plugins/chkrcptto
15584 pts/1 S 0:00 qmail-remote tre-mg.gov.br [email protected] sj@tre-mg.gov.br
15587 ? S 0:00 /usr/lib/courier-imap/libexec/authlib/authpsa /usr/lib/courier-imap/bin/pop3d Maildir
15589 ? S 0:00 bin/qmail-inject -H --
15590 ? R 0:00 bin/qmail-queue
15592 pts/1 R 0:00 ps -ax
15593 pts/1 R 0:00 less
15594 pts/1 S 0:00 qmail-remote tre-mg.gov.br [email protected] zona0

The process listed as
perl perl.txt list.txt [email protected] Bruna
is where I think it may be coming from.
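The post above identifies the perl process but not where it came from, which is the question that separates "abused web form" from "rooted box". The helpers below are an added example, not part of the thread: they walk a PID's parent chain (a mailer spawned by a CGI form shows up as perl under sh under httpd, owned by the web server user, whereas a root-owned chain points at a real compromise), show the process's working directory, binary and open files, and list dot-named directories such as the post's /dev/shm/... that a plain ls hides. They assume a Linux host with /proc mounted; the function names, the extra scan roots /tmp and /var/tmp, and the pattern argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a suspicious process
# such as "perl perl.txt list.txt ..." on a Linux host. Assumes a mounted /proc.
# The scan root /dev/shm and the "..." directory name come from the post; the
# function names and the other roots are this example's own choices.

# Walk a PID up to init, printing pid, uid and command line at each step, so the
# spammer can be traced back to the daemon that spawned it (httpd, crond, sshd).
proc_ancestry() {
    pid=$1
    while [ -r "/proc/$pid/status" ]; do
        ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")
        uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline")
        printf '%s uid=%s %s\n' "$pid" "$uid" "$cmd"
        # PID 1 reports PPid 0; /proc/0 does not exist, so the loop ends there.
        [ "$ppid" = "$pid" ] && break
        pid=$ppid
    done
}

# Where the process really runs from: its working directory, the binary behind
# the "perl" name, and the regular files it holds open (script and address list).
# A file deleted after being opened still shows here, suffixed "(deleted)".
proc_origin() {
    pid=$1
    printf 'cwd=%s\n' "$(readlink "/proc/$pid/cwd")"
    printf 'exe=%s\n' "$(readlink "/proc/$pid/exe")"
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd") || continue
        case $target in
            /*) printf 'fd%s=%s\n' "${fd##*/}" "$target" ;;   # skip socket:/pipe: entries
        esac
    done
}

# Dot-named directories under world-writable locations (the post's
# /dev/shm/.../list.txt). "ls" hides them; find -name '.*' does not.
find_hidden_dirs() {
    for root in "$@"; do
        find "$root" -mindepth 1 -type d -name '.*' 2>/dev/null
    done
}

# Run all three checks for every process whose command line matches a pattern.
# The awk filter excludes its own command line from the match.
triage() {
    pattern=$1
    ps -eo pid=,args= | awk -v pat="$pattern" '$0 ~ pat && !/awk -v pat=/ { print $1 }' |
    while read -r pid; do
        echo "== $pid"
        proc_ancestry "$pid"
        proc_origin "$pid"
    done
    find_hidden_dirs /dev/shm /tmp /var/tmp
}

# Usage: sh triage.sh 'perl perl.txt'
if [ $# -gt 0 ]; then
    triage "$1"
fi
```

Run it while the mailer is still alive; once the process exits, /proc tells you nothing, and the hidden directory is the only artefact left, so copy it somewhere read-only before cleaning up.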
 
Thanks for the help. Thankfully the server was not compromised. I found a mail form handler that had not been updated to the latest version, and that is where the spam was coming from.
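Once the spam is traced to a web form handler, the web server's access log is what ties the outgoing messages to the abused script: the handler is driven by a burst of POSTs from one client with no Referer, at the same minutes the qmail queue filled. The check below is an added example, not part of the thread; it runs over a few constructed combined-format log lines, and the script paths (/cgi-bin/mailform.cgi, /contact.php) and client addresses in them are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find the form handler being used as a
# mail relay by counting POSTs in an Apache combined-format access log.
# The log lines are constructed for this example; paths and IPs are hypothetical.

# Constructed sample: one client hammering a CGI form without a Referer, plus
# ordinary traffic for contrast.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/May/2005:03:14:01 -0400] "POST /cgi-bin/mailform.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/May/2005:03:14:02 -0400] "POST /cgi-bin/mailform.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.20 - - [12/May/2005:03:14:05 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2005:03:14:06 -0400] "POST /cgi-bin/mailform.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.20 - - [12/May/2005:03:15:10 -0400] "POST /contact.php HTTP/1.1" 200 1024 "http://example.com/contact.html" "Mozilla/5.0"
203.0.113.7 - - [12/May/2005:03:15:11 -0400] "POST /cgi-bin/mailform.cgi HTTP/1.1" 200 512 "-" "Mozilla/4.0"
EOF
}

# Count POSTs per (script, client). In combined format $1 is the client address,
# $6 the quoted method ("POST, opening quote still attached) and $7 the path.
# A legitimate form gets a few POSTs from many clients; a relay shows one client
# driving one script hundreds of times. Reads stdin when given no file.
count_posts() {
    awk '$6 == "\"POST" { n[$7 " " $1]++ } END { for (k in n) print n[k], k }' "$@" | sort -rn
}

# POSTs whose Referer ($11) is "-": form submissions that did not come from the
# site's own page, the usual signature of a script being hit directly by a bot.
posts_without_referer() {
    awk '$6 == "\"POST" && $11 == "\"-\"" { print $7 }' "$@" | sort | uniq -c | sort -rn
}

# Usage on a real host: count_posts /var/log/httpd/access_log
# Demo against the constructed sample:
sample_log | count_posts
sample_log | posts_without_referer
```

Cross-check the top entry's timestamps against the qmail-send log (splogger in the ps output writes it to syslog) for the same minutes; a match confirms the handler, and the client address gives you something to block at the firewall while the script is updated.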
 