
possible compromised server


bob2

Guest
I am having an issue where a lot of spam seems to be coming from either root or localhost. I thought it may be another compromised mail form. But I am seeing a process running as perl, followed by perl.txt list.txt and then the subject of the spam that is going out. I have searched my server for perl.txt and list.txt and all it lists is /dev/shm/.../list.txt, or the same with perl.txt. Any help would be appreciated.
 
Could it be your cron jobs sending these mails?
If so, you could make the crontab (/etc/crontab) MAILTO variable empty, like:

[root@vite opt]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
 
It isn't a cron job. I am getting random e-mail subjects that are in Spanish, and all of them are forged to look like they are coming from a .com.br domain.
 
If you check the running processes, is there anything strange running?

ps aux

Maybe it's an idea to put your output here so I can have a look at what kind of processes are running.

You could also run top, updating every second, and just see if there is something strange.

top

(after starting top, type c, a, s, 1 to get an up-to-date, full-parameter process view)
 
And here is a ps -ax when the process was running.

PID TTY STAT TIME COMMAND
1 ? S 0:06 init
2 ? SW 0:01 [keventd]
3 ? SW 0:00 [kapmd]
4 ? SWN 0:00 [ksoftirqd/0]
7 ? SW 0:00 [bdflush]
5 ? SW 1:01 [kswapd]
6 ? SW 4:52 [kscand]
8 ? SW 0:00 [kupdated]
9 ? SW 0:00 [mdrecoveryd]
17 ? SW 0:00 [scsi_eh_0]
18 ? SW 0:00 [scsi_eh_1]
21 ? DW 11:18 [kjournald]
80 ? SW 0:00 [khubd]
488 ? SW 0:35 [kjournald]
489 ? DW 14:35 [kjournald]
3043 ? D 6:05 syslogd -m 0
3047 ? S 0:00 klogd -x
3075 ? S 0:00 portmap
3095 ? S 0:00 rpc.statd
3108 ? S 0:00 mdadm --monitor --scan -f
3179 ? S 0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmscript
3263 ? S 0:00 /usr/sbin/sshd
3605 ? S 0:00 gpm -t ps/2 -m /dev/mouse
3760 ? S 0:00 crond
3784 ? S 0:00 xfs -droppriv -daemon
3794 ? S 0:00 /usr/sbin/atd
3805 ? S 0:00 rhnsd --interval 240
3816 ? S 0:00 /usr/bin/python /var/mailman/bin/mailmanctl -s -q start
3817 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=ArchRunner:0:1 -s
3818 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=BounceRunner:0:1 -s
3819 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=CommandRunner:0:1 -s
3820 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=IncomingRunner:0:1 -s
3821 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=NewsRunner:0:1 -s
3822 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=OutgoingRunner:0:1 -s
3823 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=VirginRunner:0:1 -s
3824 ? S 0:00 /usr/bin/python /var/mailman/bin/qrunner --runner=RetryRunner:0:1 -s
3832 ? S 0:00 login -- root
3833 tty2 S 0:00 /sbin/mingetty tty2
3834 tty3 S 0:00 /sbin/mingetty tty3
3835 tty4 S 0:00 /sbin/mingetty tty4
3836 tty5 S 0:00 /sbin/mingetty tty5
3837 tty6 S 0:00 /sbin/mingetty tty6
3840 tty1 S 0:00 -bash
10937 ? S 0:34 /usr/sbin/httpd -k graceful
9594 ? S 0:00 sshd: root@pts/1
9596 pts/1 S 0:00 -bash
14385 ? S 0:00 cupsd
16260 ? S 0:00 CROND
16261 ? S 0:00 /bin/bash /usr/bin/run-parts /etc/cron.daily
17550 ? S 0:00 bin/qmail-inject -a -- root
17551 ? S 0:00 bin/qmail-queue
20162 ? S 0:04 xinetd -stayalive -pidfile /var/run/xinetd.pid
20175 ? S 0:00 /usr/sbin/named -u named -c /etc/named.conf -u named -t /var/named/run-root
20192 ? S 0:00 /bin/sh /usr/bin/safe_mysqld --defaults-file=/etc/my.cnf
20223 ? S 0:46 qmail-rspawn
20229 ? S 2:26 /usr/libexec/mysqld --defaults-file=/etc/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking
20261 ? S 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=imapd -maxprocs=40 -maxperip=4 -pid=/var/run/imapd.pid -nodnslookup -noidentlookup 143 /usr/lib/courier-imap/sbin/imaplogin /usr/lib/courier-imap/libexec/authlib/authp
20267 ? S 0:00 /usr/lib/courier-imap/sbin/courierlogger imapd
20273 ? S 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=imapd-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/imapd-ssl.pid -nodnslookup -noidentlookup 993 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap
20275 ? S 0:00 /usr/lib/courier-imap/sbin/courierlogger imapd-ssl
20283 ? S 0:05 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=pop3d -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d.pid -nodnslookup -noidentlookup 110 /usr/lib/courier-imap/sbin/pop3login /usr/lib/courier-imap/libexec/authlib/authp
20286 ? S 0:02 /usr/lib/courier-imap/sbin/courierlogger pop3d
20294 ? S 0:00 /usr/lib/courier-imap/libexec/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/sbin/courierlogger -stderrloggername=pop3d-ssl -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d-ssl.pid -nodnslookup -noidentlookup 995 /usr/lib/courier-imap/bin/couriertls -server -tcpd /usr/lib/courier-imap
20296 ? S 0:00 /usr/lib/courier-imap/sbin/courierlogger pop3d-ssl
20360 ? S 0:00 /usr/bin/spamd -d -c -a -m5 -H
20377 ? S 0:00 /usr/bin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 20 --pidfile=/var/run/spamd_full.pid --socketpath=/tmp/spamd_full.sock --siteconfigpath=/dev/null
20386 ? S 0:00 /usr/bin/spamd --username=popuser --daemonize --helper-home-dir=/var/qmail --max-children 20 --pidfile=/var/run/spamd_light.pid --socketpath=/tmp/spamd_light.sock
20442 ? S 0:06 /usr/java/j2sdk1.4.2/bin/java -Djava.endorsed.dirs= -classpath /usr/java/j2sdk1.4.2/lib/tools.jar:/var/tomcat4/bin/bootstrap.jar -Djava.security.manager -Djava.security.policy==/var/tomcat4/conf/catalina.policy -Dcatalina.base=/var/tomcat4 -Dcatalina.home=/var/tomcat4 -Djava.io.tmpdir=/var/to
20526 ? S 0:00 /usr/sbin/httpd -k graceful
20537 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20542 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20544 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20545 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20547 ? S 0:00 /usr/local/psa/admin/bin/httpsd
20548 ? S 0:00
 
Here is the rest.

/usr/local/psa/admin/bin/httpsd
5973 ? S 0:00 /usr/sbin/httpd -k graceful
15028 ? S 0:01 /usr/sbin/httpd -k graceful
24379 ? S 0:01 /usr/sbin/httpd -k graceful
29126 ? S 0:00 /usr/local/psa/admin/bin/httpsd
29207 ? S 0:00 /usr/local/psa/admin/bin/httpsd
29466 ? S 0:00 /usr/local/psa/admin/bin/httpsd
29586 ? S 0:00 /usr/local/psa/admin/bin/httpsd
29655 ? Z 0:00 [httpsd <defunct>]
29856 ? Z 0:00 [httpsd <defunct>]
32616 ? Z 0:00 [sh <defunct>]
32624 ? S 0:00 inetd
7057 ? S 1:30 perl perl.txt list.txt bferrari_19@isbt.com.br Bruna Ferrari te envio uma mensagem. car.htm
11321 ? S 0:07 proftpd: hamcam - 12.150.233.82: IDLE
23644 ? S 0:00 qmail-remote apsa.com.br root@plesk.sonet.net cmachado@apsa.com.br
28452 ? S 0:00 qmail-remote sirat.com.br root@plesk.sonet.net comercial@sirat.com.br
2004 ? S 0:00 qmail-remote vapnet.com.br root@plesk.sonet.net cftp@vapnet.com.br
3454 ? S 0:00 qmail-remote brfree.com.br root@plesk.sonet.net chinametal@brfree.com.br
4540 ? S 0:00 qmail-remote geocities.com root@plesk.sonet.net chrislov@geocities.com
5427 ? S 0:00 qmail-remote yahoo.com.br root@plesk.sonet.net chui@yahoo.com.br
9049 ? S 0:00 qmail-remote yahoo.com.br root@plesk.sonet.net cintia_linda@yahoo.com.br
16919 ? S 0:00 qmail-remote berneck.com.br root@plesk.sonet.net coml@berneck.com.br
18846 ? S 0:00 qmail-remote cdlnet.com.br root@plesk.sonet.net contador@cdlnet.com.br
22201 ? S 0:00 /usr/sbin/httpd -k graceful
24661 ? S 0:00 qmail-remote yahoo.com.br root@plesk.sonet.net cgrafica@yahoo.com.br
25424 ? S 0:00 qmail-remote yahoo.com.br root@plesk.sonet.net chalmes@yahoo.com.br
29897 ? S 0:00 qmail-remote geocities.com root@plesk.sonet.net cinho@geocities.com
31965 ? S 0:00 qmail-remote uol.com.br root@plesk.sonet.net cinw@uol.com.br
2907 ? S 0:00 qmail-remote uol.com.br root@plesk.sonet.net claudia.sr@uol.com.br
2973 ? S 0:00 qmail-remote uol.com.br root@plesk.sonet.net claytonc@uol.com.br
3251 ? S 0:00 qmail-remote estacio.br root@plesk.sonet.net cleyde@estacio.br
3747 ? S 0:00 qmail-remote uol.com.br root@plesk.sonet.net cleitonandre@uol.com.br
9101 ? S 0:00 qmail-remote yahoo.com.br root@plesk.sonet.net cattt_woman@yahoo.com.br
9312 ? S 0:00 qmail-remote larsoft.com.br root@plesk.sonet.net contabil.maranata@larsoft.com.br
11253 ? S 0:00 qmail-remote yahoo.com.br root@plesk.sonet.net celsosr2@yahoo.com.br
11640 pts/1 D 0:06 qmail-send
11642 pts/1 S 0:00 splogger qmail
11643 pts/1 S 0:00 qmail-lspawn ./Maildir/
11644 pts/1 S 0:00 qmail-rspawn
11645 pts/1 S 0:00 qmail-clean
11821 pts/1 S 0:00 qmail-remote my.love.djidai.com zenbavermae@my.love.djidai.com
11907 pts/1 S 0:00 qmail-remote my.maxi4u.com dontaylor@my.maxi4u.com
12093 ? S 0:00 sshd: root@pts/0
12169 pts/1 S 0:00 qmail-remote yahoo.fr root@plesk.sonet.net hotel_lefouta@yahoo.fr
12256 pts/0 S 0:00 -bash
12337 ? SN 0:00 /bin/sh /etc/cron.daily/slocate.cron
12338 ? S 0:00 awk -v progname=/etc/cron.daily/slocate.cron progname { print progname ":\n"; progname=""; } { print; }
12340 ? RN 0:02 /usr/bin/updatedb -f NFS,SMBFS,NCPFS,PROC,DEVPTS -e /tmp,/var/tmp,/usr/tmp,/afs,/net
13561 ? S 0:00 /usr/sbin/httpd -k graceful
13608 ? S 0:00 /usr/sbin/httpd -k graceful
13619 ? S 0:00 /usr/sbin/httpd -k graceful
13630 ? S 0:00 /usr/sbin/httpd -k graceful
13631 ? S 0:00 /usr/sbin/httpd -k graceful
14114 pts/1 S 0:00 qmail-remote velox.com.br root@plesk.sonet.net jbericeira@velox.com.br
14467 ? S 0:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
15002 ? S 0:00 /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
15552 pts/1 S 0:00 qmail-remote tre-to.gov.br root@plesk.sonet.net pagamentopessoal@tre-to.gov.br
15566 ? S 0:00 /usr/lib/courier-imap/libexec/authlib/authpsa /usr/lib/courier-imap/bin/pop3d Maildir
15569 pts/1 S 0:00 qmail-remote tre-to.gov.br root@plesk.sonet.net Socialcomunicacaosocial@tre-to.gov.br
15574 ? S 0:00 plugins/chkrcptto
15584 pts/1 S 0:00 qmail-remote tre-mg.gov.br root@plesk.sonet.net sj@tre-mg.gov.br
15587 ? S 0:00 /usr/lib/courier-imap/libexec/authlib/authpsa /usr/lib/courier-imap/bin/pop3d Maildir
15589 ? S 0:00 bin/qmail-inject -H --
15590 ? R 0:00 bin/qmail-queue
15592 pts/1 R 0:00 ps -ax
15593 pts/1 R 0:00 less
15594 pts/1 S 0:00 qmail-remote tre-mg.gov.br root@plesk.sonet.net zona0

The process listed as
perl perl.txt list.txt ferrari_19@isbt.com.br Bruna
is where I think it may be coming from.
 
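The two things the thread does by eye, spotting the odd interpreter process in a long ps listing and noticing that every qmail-remote carries the same forged root@ sender, can be scripted. The shell script below is an added example and is not part of either poster's reply or of Plesk. It works on a saved `ps -eo pid,user,ppid,args` listing so it runs offline; SAMPLE_PS is constructed to mirror the thread, and its USER and PPID columns (the perl process as a child of an httpd worker running as apache) are assumptions, since the original `ps -ax` output does not show them. The /dev/shm/... drop directory and the root@plesk.sonet.net envelope sender are taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Plesk. Triage helpers for the
# "perl perl.txt list.txt ..." case: find interpreter processes running
# scripts from relative or tmpfs paths, see which envelope sender is behind
# the qmail-remote fan-out, and locate hidden dot-directories such as
# /dev/shm/... . SAMPLE_PS is a constructed `ps -eo pid,user,ppid,args`
# listing modelled on the thread; the USER and PPID values are assumptions.

SAMPLE_PS='  PID USER     PPID ARGS
 3760 root        1 crond
10937 root        1 /usr/sbin/httpd -k graceful
20526 apache  10937 /usr/sbin/httpd -k graceful
 7057 apache  20526 perl perl.txt list.txt bferrari_19@isbt.com.br Bruna Ferrari te envio uma mensagem. car.htm
 8123 root        1 /usr/bin/python /var/mailman/bin/mailmanctl -s -q start
23644 qmailr  20223 qmail-remote apsa.com.br root@plesk.sonet.net cmachado@apsa.com.br
28452 qmailr  20223 qmail-remote sirat.com.br root@plesk.sonet.net comercial@sirat.com.br
11821 qmailr  20223 qmail-remote my.love.djidai.com zenbavermae@my.love.djidai.com dontaylor@my.maxi4u.com
 9001 apache  20526 /bin/sh /dev/shm/.../run.sh
 9002 root     3760 /bin/bash /usr/bin/run-parts /etc/cron.daily'

# 1. Interpreters (perl, python, php, sh, bash) whose script argument is a
#    relative path or lives under /dev/shm, /tmp or /var/tmp. Legitimate
#    daemons run scripts by absolute path from /usr or /var; a web-app
#    foothold looks like "perl perl.txt" with the cwd somewhere writable.
#    Prints: PID USER PPID SCRIPT
suspect_procs() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        interp = $4; sub(".*/", "", interp)
        if (interp ~ /^(perl|python|php|sh|bash)[0-9.]*$/) {
            script = $5
            if (script != "" && (script ~ /^\/(dev\/shm|tmp|var\/tmp)\// || script !~ /^\//))
                print $1, $2, $3, script
        }
    }'
}

# 2. qmail-remote argv is "qmail-remote <host> <sender> <recipient>...", so
#    counting field 6 shows how many in-flight deliveries each envelope
#    sender owns. One sender (here root@plesk.sonet.net) behind many
#    unrelated recipients is the signature of a local injector, not of
#    relayed user mail. Prints: COUNT SENDER, highest first.
sender_counts() {
    printf '%s\n' "$1" | awk '$4 == "qmail-remote" { n[$6]++ }
        END { for (s in n) print n[s], s }' | sort -rn
}

# 3. Hidden directories like "/dev/shm/..." do not show in a plain ls.
#    List every dot-directory below the given roots.
find_hidden_dirs() {
    find "$@" -xdev -type d -name '.*' ! -name . ! -name .. 2>/dev/null
}

# 4. Live only: attribute a running PID to its parent, uid, cwd and binary.
#    A perl child of an httpd worker running as the web-server user with
#    cwd under /dev/shm points at a script launched through a web form or
#    CGI. Needs root (or the same uid) to read /proc/<pid>/cwd and exe.
proc_origin() {
    pid=$1
    [ -r "/proc/$pid/status" ] || { echo "no such process: $pid" >&2; return 1; }
    printf 'pid=%s ppid=%s uid=%s\n' "$pid" \
        "$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")" \
        "$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")"
    printf 'cwd=%s exe=%s\n' "$(readlink "/proc/$pid/cwd")" "$(readlink "/proc/$pid/exe")"
    tr '\0' ' ' < "/proc/$pid/cmdline"; echo
}

echo '== interpreters running scripts from relative or tmp paths =='
suspect_procs "$SAMPLE_PS"
echo '== in-flight deliveries per envelope sender =='
sender_counts "$SAMPLE_PS"
```

On a live box, feed it the real listing (`suspect_procs "$(ps -eo pid,user,ppid,args)"`), then run `proc_origin` on each flagged PID and `find_hidden_dirs /dev/shm /tmp /var/tmp`. The parent PID and uid are what settle the question this thread asks: a perl process owned by the web-server user under an httpd worker means a web-reachable script, as the original poster eventually found, whereas a root-owned one with a cron or login parent means the box itself.
 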
Thanks for the help. Thankfully the server was not compromised. I found a mail form handler that had not been updated to the latest version and that is where the spam was coming from.
 