
Spammail sent by apache

Jamai2

Guest
I am having problems with Apache sometimes sending out 30.000 emails. I can see in my log files that they are sent by the Apache user, but I cannot see more than that.

Since I have a few hundred sites on the server, it is hard to find out which site sent it out if I have no clues. All I know is the time that it got sent.

Does anybody have instructions on how to easily find which site is responsible for sending out this spam?

The headers look like this:

Received: (qmail 28393 invoked by uid 48); 13 Apr 2006 21:53:26 +0200
Date: 13 Apr 2006 21:53:26 +0200
Message-ID: <[email protected]>
To: [email protected]
Subject: Your account access has been limited
From: Chase Bank <[email protected]>
Reply-To:
 
It is likely that one of your hosted domains has been hacked; I would take a look at this thread.

1. Look for unusual processes running as apache.
2. Once identified, use "readlink" to see where the binary is located.
3. Build tct and run the pcat command to dump the process's memory. Use strings to see if you can lift something from the environment. As an alternative to pcat, try doing cat /proc/<pid>/environ | strings. Hopefully the PWD environment variable of the process can lead you to a domain.

If we are talking about 30K worth of emails, it is LIKELY a hacked domain. It may be because of a Mambo/Joomla, PostNuke, phpAds, etc. vulnerability. There are a few of them that are being attacked by worms.
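
The three steps in the reply above, combined into one pass over /proc, as an added example that is not part of the original thread. UID 48 is taken from the "invoked by uid 48" header in the question; the function names and the PROC_ROOT override (for running against a copied or constructed tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: list every process owned by a given UID together with its
# binary path, working directory and PWD, to tie a rogue process to a vhost.
# PROC_ROOT (hypothetical override) defaults to the live /proc.

# env_var PID NAME: print NAME's value from the NUL-separated environ file.
env_var() {
    f="${PROC_ROOT:-/proc}/$1/environ"
    [ -r "$f" ] || return 0          # unreadable unless root or same UID
    tr '\0' '\n' < "$f" | sed -n "s/^$2=//p" | head -n 1
}

# proc_uid PID: real UID, second field of the "Uid:" line in status.
proc_uid() {
    awk '/^Uid:/ {print $2; exit}' "${PROC_ROOT:-/proc}/$1/status" 2>/dev/null
}

# triage_uid UID: one line per process owned by UID.
triage_uid() {
    for dir in "${PROC_ROOT:-/proc}"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        [ "$(proc_uid "$pid")" = "$1" ] || continue
        # A target ending in " (deleted)" means the binary was unlinked
        # after it was started, which is worth a closer look.
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe='?'
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd='?'
        printf 'pid=%s exe=%s cwd=%s PWD=%s\n' \
            "$pid" "$exe" "$cwd" "$(env_var "$pid" PWD)"
    done
}

# When a UID is passed as the first argument, report on it (48 here).
if [ $# -gt 0 ]; then
    triage_uid "$1"
fi
```

Run it as root so that the environ files of other users are readable, passing the UID as the first argument. Normal httpd workers will show the server's own binary; anything else, or a cwd inside a vhost directory, points at the site to inspect.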
 