possible compromised server

bob2

Guest
I am having an issue where a lot of spam seems to be coming from either root or localhost. I thought it may be another compromised mail form, but I am seeing a process running as perl, with the following after it: perl.txt list.txt, and then the subject of the spam that is going out. I have searched my server for either perl.txt or list.txt and all it lists is /dev/shm/.../list.txt, or the same with perl.txt. Any help would be appreciated.
 
Could it be your cronjobs sending these mails?
If so, you could make the crontab (/etc/crontab) mail var empty, like:

[root@vite opt]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
 
It isn't a cron job. I am getting random e-mail subjects that have a Spanish subject, and all of them are forged to look like they are coming from a .com.br domain.
 
If you check the running processes... is anything strange running?

ps aux

Maybe it's an idea to put your output here so I can have a look at what kind of processes are running.

You could also run top, updating every second, and just see if there is something strange.

top

(type after starting top: cas1 to get an up-to-date full-parameter process view)
 
And here is a ps -ax from when the process was running.

PID TTY STAT TIME COMMAND
1 ? S 0:06 init
2 ? SW 0:01 [keventd]
3 ? SW 0:00 [kapmd]
4 ? SWN 0:00 [ksoftirqd/0]
7 ? SW 0:00 [bdflush]
5 ? SW 1:01 [kswapd]
6 ? SW 4:52 [kscand]
8 ? SW 0:00 [kupdated]
9 ? SW 0:00 [mdrecoveryd]
17 ? SW 0:00 [scsi_eh_0]
18 ? SW 0:00 [scsi_eh_1]
21 ? DW 11:18 [kjournald]
80 ? SW 0:00 [khubd]
488 ? SW 0:35 [kjournald]
489 ? DW 14:35 [kjournald]
3043 ? D 6:05 syslogd -m 0
3047 ? S 0:00 klogd -x
3075 ? S 0:00 portmap
3095 ? S 0:00 rpc.statd
3108 ? S 0:00 mdadm --monitor --scan -f
3179 ? S 0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript
3263 ? S 0:00 /usr/sbin/sshd
3605 ? S 0:00 gpm -t ps/2 -m /dev/mouse
3760 ? S 0:00 crond
3784 ? S 0:00 xfs -droppriv -daemon
3794 ? S 0:00 /usr/sbin/atd
3805 ? S 0:00 rhnsd --interval 240
3816 ? S 0:00 /usr/bin/python /var/mailman/bin/mailmanctl -s -q start
3817 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
3818 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
3819 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
3820 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
3821 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
3822 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
3823 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
3824 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
3832 ? S 0:00 login -- root
3833 tty2 S 0:00 /sbin/mingetty tty2
3834 tty3 S 0:00 /sbin/mingetty tty3
3835 tty4 S 0:00 /sbin/mingetty tty4
3836 tty5 S 0:00 /sbin/mingetty tty5
3837 tty6 S 0:00 /sbin/mingetty tty6
3840 tty1 S 0:00 -bash
10937 ? S 0:34 /usr/sbin/httpd -k graceful
9594 ? S 0:00 sshd: root@pts/1
9596 pts/1 S 0:00 -bash
14385 ? S 0:00 cupsd
16260 ? S 0:00 CROND
16261 ? S 0:00 /bin/bash /usr/bin/run-parts /etc/cron.daily
17550 ? S 0:00 bin/qmail-inject -a -- root
17551 ? S 0:00 bin/qmail-queue
20162 ? S 0:04 xinetd -stayalive -pidfile /var/run/xinetd.pid
20175 ? S 0:00 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root
20192 ? S 0:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
20223 ? S 0:46 qmail-rspawn
20229 ? S 2:26 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking
20261 ? S 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=imapd -maxprocs=40 -maxperip=4 -pid=/var/run/imapd.pid -nodnslookup -noidentlookup 143 /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/libexec/authlib/authp
20267 ? S 0:00 /usr/lib/courier-imap/sbin/courierlogger imapd
20273 ? S 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=imapd-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/imapd-ssl.pid -nodnslookup -noidentlookup 993 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap
20275 ? S 0:00 /usr/lib/courier-imap/sbin/courierlogger imapd-ssl
20283 ? S 0:05 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=pop3d -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d.pid -nodnslookup -noidentlookup 110 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/libexec/authlib/authp
20286 ? S 0:02 /usr/lib/courier-imap/sbin/courierlogger pop3d
20294 ? S 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=pop3d-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d-ssl.pid -nodnslookup -noidentlookup 995 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap
20296 ? S 0:00 /usr/lib/courier-imap/sbin/courierlogger pop3d-ssl
20360 ? S 0:00 /usr/bin/spamd -d -c -a -m5 -H
20377 ? S 0:00 /usr/bin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 20 --pidfile=/var/run/spamd_full.pid --socketpath=/tmp/spamd_full.sock --siteconfigpath=/dev/null
20386 ? S 0:00 /usr/bin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 20 --pidfile=/var/run/spamd_light.pid --socketpath=/tmp/spamd_light.sock
20442 ? S 0:06 /usr/java/j2sdk1.4.2/bin/java -Djava.endorsed.dirs= -classpath /usr/java/j2sdk1.4.2/lib/tools.jar:/var/tomcat4/bin/bootstrap.jar -Djava.security.manager -Djava.security.policy==/var/tomcat4/conf/catalina.policy -Dcatalina.base=/var/tomcat4 -Dcatalina.home=/var/tomcat4 -Djava.io.tmpdir=/var/to
20526 ? S 0:00 /usr/sbin/httpd -k graceful
20537 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20542 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20544 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20545 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20547 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20548 ? S 0:00
 
Here is the rest.

/usr/local/psa/admin/bin/httpsd
5973 ? S 0:00 /usr/sbin/httpd -k graceful
15028 ? S 0:01 /usr/sbin/httpd -k graceful
24379 ? S 0:01 /usr/sbin/httpd -k graceful
29126 ? S 0:00 /usr/local/psa/admin/bin/httpsd
29207 ? S 0:00 /usr/local/psa/admin/bin/httpsd
29466 ? S 0:00 /usr/local/psa/admin/bin/httpsd
29586 ? S 0:00 /usr/local/psa/admin/bin/httpsd
29655 ? Z 0:00 [httpsd <defunct>]
29856 ? Z 0:00 [httpsd <defunct>]
32616 ? Z 0:00 [sh <defunct>]
32624 ? S 0:00 inetd
7057 ? S 1:30 perl perl.txt list.txt [email protected] Bruna Ferrari te envio uma mensagem. car.htm
11321 ? S 0:07 proftpd: hamcam - 12.150.233.82: IDLE
23644 ? S 0:00 qmail-remote apsa.com.br [email protected] cmachad[email protected]
28452 ? S 0:00 qmail-remote sirat.com.br [email protected] comerc[email protected]
2004 ? S 0:00 qmail-remote vapnet.com.br [email protected] cftp@vapnet.com.br
3454 ? S 0:00 qmail-remote brfree.com.br [email protected] china[email protected]
4540 ? S 0:00 qmail-remote geocities.com [email protected] chris[email protected]
5427 ? S 0:00 qmail-remote yahoo.com.br [email protected] chui@yahoo.com.br
9049 ? S 0:00 qmail-remote yahoo.com.br [email protected] cintia[email protected]
16919 ? S 0:00 qmail-remote berneck.com.br [email protected] coml[email protected]
18846 ? S 0:00 qmail-remote cdlnet.com.br [email protected] conta[email protected]
22201 ? S 0:00 /usr/sbin/httpd -k graceful
24661 ? S 0:00 qmail-remote yahoo.com.br [email protected] cgrafi[email protected]
25424 ? S 0:00 qmail-remote yahoo.com.br [email protected] chalme[email protected]
29897 ? S 0:00 qmail-remote geocities.com [email protected] cinho[email protected]
31965 ? S 0:00 qmail-remote uol.com.br [email protected] cinw@uol.com.br
2907 ? S 0:00 qmail-remote uol.com.br [email protected] claudia.[email protected]
2973 ? S 0:00 qmail-remote uol.com.br [email protected] claytonc[email protected]
3251 ? S 0:00 qmail-remote estacio.br [email protected] cleyde@estacio.br
3747 ? S 0:00 qmail-remote uol.com.br [email protected] cleitona[email protected]
9101 ? S 0:00 qmail-remote yahoo.com.br [email protected] cattt_[email protected]
9312 ? S 0:00 qmail-remote larsoft.com.br [email protected] cont[email protected]
11253 ? S 0:00 qmail-remote yahoo.com.br [email protected] celsos[email protected]
11640 pts/1 D 0:06 qmail-send
11642 pts/1 S 0:00 splogger qmail
11643 pts/1 S 0:00 qmail-lspawn ./Maildir/
11644 pts/1 S 0:00 qmail-rspawn
11645 pts/1 S 0:00 qmail-clean
11821 pts/1 S 0:00 qmail-remote my.love.djidai.com [email protected].djidai.com
11907 pts/1 S 0:00 qmail-remote my.maxi4u.com [email protected]
12093 ? S 0:00 sshd: root@pts/0
12169 pts/1 S 0:00 qmail-remote yahoo.fr [email protected] hotel_lefo[email protected]
12256 pts/0 S 0:00 -bash
12337 ? SN 0:00 /bin/sh /etc/cron.daily/slocate.cron
12338 ? S 0:00 awk -v progname=/etc/cron.daily/slocate.cron progname { print progname ":\n" progname=""; } { print; }
12340 ? RN 0:02 /usr/bin/updatedb -f NFS,SMBFS,NCPFS,PROC,DEVPTS -e /tmp,/var/tmp,/usr/tmp,/afs,/net
13561 ? S 0:00 /usr/sbin/httpd -k graceful
13608 ? S 0:00 /usr/sbin/httpd -k graceful
13619 ? S 0:00 /usr/sbin/httpd -k graceful
13630 ? S 0:00 /usr/sbin/httpd -k graceful
13631 ? S 0:00 /usr/sbin/httpd -k graceful
14114 pts/1 S 0:00 qmail-remote velox.com.br [email protected] jberic[email protected]
14467 ? S 0:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
15002 ? S 0:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
15552 pts/1 S 0:00 qmail-remote tre-to.gov.br [email protected] pagam[email protected]
15566 ? S 0:00 /usr/lib/courier-imap/libexec/authlib/authpsa /usr/lib/courier-imap/bin/pop3d Maildir
15569 pts/1 S 0:00 qmail-remote tre-to.gov.br [email protected] Socia[email protected]
15574 ? S 0:00 plugins/chkrcptto
15584 pts/1 S 0:00 qmail-remote tre-mg.gov.br [email protected] sj@tre-mg.gov.br
15587 ? S 0:00 /usr/lib/courier-imap/libexec/authlib/authpsa /usr/lib/courier-imap/bin/pop3d Maildir
15589 ? S 0:00 bin/qmail-inject -H --
15590 ? R 0:00 bin/qmail-queue
15592 pts/1 R 0:00 ps -ax
15593 pts/1 R 0:00 less
15594 pts/1 S 0:00 qmail-remote tre-mg.gov.br [email protected] zona0

The process listed as
perl perl.txt list.txt [email protected] Bruna
is where I think it may be coming from.
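
A check that follows from this thread, added here as an example and not something posted by bob2 or the other replier: a process that shows in ps as "perl perl.txt list.txt" gives no path, so on Linux /proc/PID/cwd is what tells you it was started from a scratch directory such as /dev/shm, and a dot-only directory like /dev/shm/... is a classic hiding spot. Assumes Linux with /proc mounted and root (to read other users' /proc entries); the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Linux with /proc mounted;
# /proc/PID/comm needs kernel 2.6.33 or later.

# Classify a process's working directory: world-writable scratch areas and
# dot-only hiding directories (the thread's /dev/shm/...) are suspicious,
# anything else is reported as ok.
classify_cwd() {
    case "$1" in
        /dev/shm|/dev/shm/*|/tmp|/tmp/*|/var/tmp|/var/tmp/*) echo suspicious ;;
        */...|*/.../*) echo suspicious ;;   # a directory literally named "..."
        *) echo ok ;;
    esac
}

# Report one running process: its real working directory, its executable and
# the verdict. Exit status: 0 ok, 1 suspicious, 2 no such process.
check_pid() {
    pid=$1
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) || { echo "$pid: no such process"; return 2; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
    verdict=$(classify_cwd "$cwd")
    echo "$pid cwd=$cwd exe=$exe $verdict"
    [ "$verdict" = ok ]
}

# Walk every interpreter process on the box. bob2's spammer appeared as
# "perl perl.txt list.txt ..." with a relative script path, so only the cwd
# reveals that perl.txt really lives under /dev/shm/... .
scan_interpreters() {
    for p in /proc/[0-9]*; do
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        case "$comm" in
            perl|python*|php*|sh|bash) check_pid "${p#/proc/}" ;;
        esac
    done
}

# usage: scan_interpreters      (lists every interpreter process with its cwd)
#        check_pid 7057         (one PID taken from the ps output)
```

Once the directory is known, the files in it and their mtimes date the drop, which is the lead back to the web form or account that planted them.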
 
Thanks for the help. Thankfully the server was not compromised. I found a mail form handler that had not been updated to the latest version and that is where the spam was coming from.
 