
Spammail sent by apache

Discussion in 'Plesk for Linux - 8.x and Older' started by Jamai2, Apr 15, 2006.

  1. Jamai2

    Jamai2 Guest

    I am having problems with Apache sometimes sending out 30.000 emails. I can see in my logfiles that it is sent by the user that is Apache, but I cannot see more.

    Since I have a few hundred sites on the server, it is hard to find out which site sent it out if I have no clues. All I know is the time that it got sent.

    Does anybody have instructions on how to easily find which site is responsible for sending out this spam?

    The headers look like this:

  2. wagnerch

    wagnerch Guest

    It is likely that one of your hosted domains has been hacked; I would take a look at this thread.

    1. Look for unusual processes running as apache.
    2. Once identified, use "readlink" to see where the binary is located.
    3. Build tct and run the pcat command, to dump the process's memory. Use strings to see if you can lift something from the environment. As an alternative to pcat, try doing cat /proc/<pid>/environ | strings -- Hopefully the PWD environment variable of the process can lead you to a domain.

    If we are talking about 30K worth of emails, it is LIKELY a hacked domain. It may be because of a Mambo/Joomla, PostNuke, phpAds, etc. vulnerability. There are a few of them that are being attacked by worms.
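
The steps in the reply above, as an added example that is not part of the original thread: a shell script that lists every process owned by one UID with its binary path (readlink on /proc/<pid>/exe), its working directory and the PWD value from environ. The function names and the PROC_ROOT override are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: map processes owned by one user back to a directory.
# PROC_ROOT is a hypothetical override so the functions also work on a copy of /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the value of one variable from the NUL-separated environ file.
env_value() {  # env_value <pid> <NAME>
    tr '\0' '\n' 2>/dev/null < "$PROC_ROOT/$1/environ" | sed -n "s/^$2=//p" | head -n 1
}

# Real UID of a process, taken from the "Uid:" line of its status file.
proc_uid() {  # proc_uid <pid>
    awk '/^Uid:/ {print $2; exit}' "$PROC_ROOT/$1/status" 2>/dev/null
}

# One line per process: pid, binary path, working directory, PWD from environ.
# A binary removed after launch shows up with a " (deleted)" suffix on exe.
describe_pid() {  # describe_pid <pid>
    local exe cwd pwd_env
    exe=$(readlink "$PROC_ROOT/$1/exe" 2>/dev/null) || exe='?'
    cwd=$(readlink "$PROC_ROOT/$1/cwd" 2>/dev/null) || cwd='?'
    pwd_env=$(env_value "$1" PWD)
    printf '%s exe=%s cwd=%s PWD=%s\n' "$1" "$exe" "$cwd" "${pwd_env:-?}"
}

# Describe every process whose real UID matches <uid>.
scan_uid() {  # scan_uid <uid>
    local d pid
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        if [ "$(proc_uid "$pid")" = "$1" ]; then describe_pid "$pid"; fi
    done
}

# Run as root, passing the numeric UID, e.g. the output of: id -u apache
if [ "$#" -gt 0 ]; then scan_uid "$1"; fi
```

Normal httpd workers report the web server binary as exe; entries whose exe, cwd or PWD point into a vhost directory or a temporary directory are the ones to look at first.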
  3. bandurao

    bandurao Guest