
User email compromised

merkelt (Guest)
I have over 1200 pending outgoing messages in my queue to various domains in Russia. I set each of the 10 domains I host to "reject nonexistent user", cleared the queue, and still messages seem to be queueing up!

I think I have found the IP address(es) the messages are coming from using /var/log/secure. However, I have not been able to see "who" is sending them, as I have SMTP auth enabled as well. My guess is that one of my users' username and password has been compromised.

Can anybody tell me how to discover what username and password were used to send an email?

Thanks in advance for the help!
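The question above (which SMTP AUTH credential is behind the queued mail) is answered from the MTA log rather than from the queue itself. The following is an added example, not code from this thread or from Plesk; it assumes Postfix-style smtpd log lines (Plesk's qmail logs use a different format) and the log lines and addresses are constructed. It groups authenticated submissions by username and client IP so that one account submitting from many unfamiliar addresses stands out:

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd format (an assumption; qmail
# logs differ). IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Mar  3 10:12:01 mx postfix/smtpd[2231]: 4F1A2B3C4D: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=bob@example.net
Mar  3 10:12:02 mx postfix/smtpd[2231]: 5A1B2C3D4E: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=bob@example.net
Mar  3 10:12:04 mx postfix/smtpd[2240]: 6B1C2D3E4F: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.net
Mar  3 10:13:10 mx postfix/smtpd[2250]: 7C1D2E3F40: client=home.example.org[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  3 10:14:00 mx postfix/smtpd[2260]: 8D1E2F4041: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=bob@example.net
Mar  3 10:14:05 mx postfix/smtpd[2261]: 9E1F404142: client=unknown[198.51.100.9]
"""

# Queue id, client IP and SASL username from an authenticated submission.
AUTH_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"client=\S+\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)"
)

def summarize_auth(log_text):
    """Return {user: {"count": n, "ips": set, "queue_ids": [...]}} for
    every SMTP AUTH login found in the log text."""
    per_user = defaultdict(lambda: {"count": 0, "ips": set(), "queue_ids": []})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # unauthenticated or unrelated line
        entry = per_user[m["user"]]
        entry["count"] += 1
        entry["ips"].add(m["ip"])
        entry["queue_ids"].append(m["qid"])
    return dict(per_user)

def suspicious_users(summary, max_msgs=3, max_ips=2):
    """Accounts whose volume or spread of client IPs exceeds the thresholds."""
    return sorted(u for u, e in summary.items()
                  if e["count"] > max_msgs or len(e["ips"]) > max_ips)

if __name__ == "__main__":
    s = summarize_auth(SAMPLE_LOG)
    for user, e in sorted(s.items()):
        print(f"{user}: {e['count']} msgs from {sorted(e['ips'])}")
    print("suspicious:", suspicious_users(s))
```

On a live server, feed it the mail log (for example /var/log/maillog) and match the flagged queue ids against the messages sitting in the queue; the flagged account's password is the one to reset.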
 
You should check for exploitable scripts (formmail, phpBB, etc.) and for any strange files (or hidden dirs/files) in /tmp.

More than likely it may not be an actual mail user account that has been compromised, but rather one of the above.

Install RKHunter and CHKRootkit, update them and run them. Post the results.

Install mod_security (gotroot.com) and their rulesets.

(This is just the beginning steps you should take)
 