• Introducing WebPros Cloud - a fully managed infrastructure platform purpose-built to simplify the deployment of WebPros products !  WebPros Cloud enables you to easily deliver WebPros solutions — without the complexity of managing the infrastructure.
    Join the pilot program today!
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.
  • The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.

Spammail sent by apache

J

Jamai2

Guest
I am having problems with Apache sending out 30.000 emails sometimes, I can see in my logfiles that it is sent by the user that is Apache, but more I can not see.

Since I have a few hundred sites on the server, it is hard to find out which site send it out if I have no clues. All I know is the time that it got sent.

Does anybody have instructions on how to easily find which site is responsible for sending out this spam?

The headers look like this:

Received: (qmail 28393 invoked by uid 48); 13 Apr 2006 21:53:26 +0200
Date: 13 Apr 2006 21:53:26 +0200
Message-ID: <20060413195326.28392.qmail@my.hostname.com>
To: htbtrdrs@yahoo.com
Subject: Your account access has been limited
From: Chase Bank <customerservice@chase.com>
Reply-To:
Click to expand...
 
It is likely that one of your hosted domains has been hacked, I would take a look at this thread.

1. Look for unusual processes running as apache.
2. Once identified, use "readlink" to see where the binary is located.
3. Build tct and run the pcat command, to dump the processes memory. Use strings to see if you can lift something from the environment. As an alternative to pcat, try doing cat /proc/<pid>/environ |strings -- Hopefully the PWD environment variable of the process can lead you to a domain.

If we are talking about 30K worth of emails, it is LIKELY a hacked domain. It may be because of a Mambo/Joomla, PostNuke, phpAds, etc vulnerability. There is a few of them that are being attacked by worms.
 
You must log in or register to reply here.

Similar threads

mapodec
Resolved Emails sent from Plesk accounts are not delivering only to Google Workspace
Replies
2
Views
776
mapodec
mapodec
EnriqueR
Question Incoming mail is stored in Junk folder
Replies
6
Views
1K
EnriqueR
EnriqueR
Bitpalast
Forwarded to devs Spamassassin ignores mails to mailboxes that contain an ampersand, e.g. d&s@recipientdomain.tld
Replies
9
Views
2K
Bitpalast
Bitpalast
D
Issue Spoofed Emails Appearing as Sent from My Own Server Despite Correct SPF/DKIM/DMARC Configuration?
Replies
2
Views
2K
drdna
D
S
Issue Outgoing emails get rejected - User not allowed to send Emails
Replies
6
Views
2K
Stephan.FediCom
S
Back
Top