
Date:  Sat, 22 Jul 2006 15:22:05 +0200
From:  Michael Stauber <bq (at mark) solarspeed.net>
Subject:  [coba-e:06078] Re: Lots of mail what to do
To:  coba-e (at mark) bluequartz.org
Message-Id:  <200607221522.05964.bq (at mark) solarspeed.net>
In-Reply-To:  <1c8401c6ad73$51d42620$9a00000a@pc11>
References:  <1c8401c6ad73$51d42620$9a00000a@pc11>
X-Mail-Count: 06078

Hi Steffan,

> Jul 22 06:10:45 server14 sendmail[30737]: k6M4AjOs030737:
> from=<admin (at mark) server14.xxx>, size=3410, class=0, nrcpts=1,
> msgid=<200607220410.k6M4Aj0W030715 (at mark) server14.xxx>, proto=ESMTP, daemon=MTA,
> relay=localhost [127.0.0.1]

It's most likely a vulnerable PHP script that is exploited to send emails.

If the script in question is still running, then there is a good chance of 
catching it with the command "lsof -n |grep /home./sites". That command will 
show you which files located in and under /home./sites are currently open and 
being executed.

OTOH ... it could be that the script has finished running and the emails that 
are still being sent out are just the ones that got stuck in your sendmail 
mailqueue - for later sending.

Also check your /tmp/ directory for files owned by user "apache". The files 
starting with "sess_" are usually PHP session files and should be ok. But 
anything else in /tmp owned by user "apache" should be looked at in this case 
where an exploit is likely.

-- 

With best regards,

Michael Stauber
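The triage Michael describes above (spot locally injected mail in the sendmail log, then look for files in /tmp owned by the web server user that are not PHP session files) can be scripted. The following is an added example and is not code from this thread or from the BlueQuartz project; the log lines and the /tmp listing inside it are constructed for illustration, and the field layout follows the sendmail "from=" record quoted in the reply. The owner name "apache" and the "sess_" prefix are taken from the reply; everything else (function names, the sample domain server14.example) is an assumption.

```python
"""Triage helpers for a web host suspected of sending spam through a PHP script.

Added example, not part of the mailing-list thread. SAMPLE_LOG and SAMPLE_TMP
are constructed; real input would come from /var/log/maillog and os.scandir.
"""
import re
from collections import Counter

# Sendmail's per-message "from=" record: queue id, envelope sender, recipient
# count and the relay that handed the message to sendmail.
FROM_LINE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>, size=\d+, "
    r"class=\d+, nrcpts=(?P<nrcpts>\d+), .*relay=(?P<relay>\S+)"
)

# Constructed log excerpt: three messages injected from localhost (what a web
# script produces), one ordinary inbound message from a remote relay, and one
# "to=" record that carries no sender and must be ignored.
SAMPLE_LOG = [
    "Jul 22 06:10:45 server14 sendmail[30737]: k6M4AjOs030737: from=<admin@server14.example>, "
    "size=3410, class=0, nrcpts=1, msgid=<1@server14.example>, proto=ESMTP, daemon=MTA, "
    "relay=localhost [127.0.0.1]",
    "Jul 22 06:10:46 server14 sendmail[30737]: k6M4AjOs030737: to=<victim@example.net>, "
    "delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=33410, relay=mx.example.net, "
    "dsn=2.0.0, stat=Sent",
    "Jul 22 06:10:47 server14 sendmail[30741]: k6M4AlAb030741: from=<admin@server14.example>, "
    "size=3412, class=0, nrcpts=1, msgid=<2@server14.example>, proto=ESMTP, daemon=MTA, "
    "relay=localhost [127.0.0.1]",
    "Jul 22 06:10:48 server14 sendmail[30745]: k6M4AmCd030745: from=<admin@server14.example>, "
    "size=3409, class=0, nrcpts=1, msgid=<3@server14.example>, proto=ESMTP, daemon=MTA, "
    "relay=localhost [127.0.0.1]",
    "Jul 22 06:11:02 server14 sendmail[30750]: k6M4B2Ef030750: from=<steffan@example.org>, "
    "size=1200, class=0, nrcpts=1, msgid=<4@example.org>, proto=ESMTP, daemon=MTA, "
    "relay=mail.example.org [192.0.2.10]",
]

# Constructed /tmp listing as (path, owner) pairs. Session files owned by the
# web server are expected; anything else it owns deserves a look.
SAMPLE_TMP = [
    ("/tmp/sess_3f9a1c2b", "apache"),
    ("/tmp/sess_77d0e4aa", "apache"),
    ("/tmp/.cache/mailer.php", "apache"),
    ("/tmp/backup.tar", "root"),
]


def parse_from_records(lines):
    """Yield one dict per sendmail 'from=' record found in the log lines."""
    for line in lines:
        m = FROM_LINE.search(line)
        if m:
            yield {
                "qid": m.group("qid"),
                "sender": m.group("sender"),
                "nrcpts": int(m.group("nrcpts")),
                "relay": m.group("relay"),
            }


def injected_locally(records):
    """Count messages per envelope sender that were injected from localhost.

    Mail handed to sendmail by a local process shows relay=localhost, as in the
    quoted log; mail arriving from remote relays is normal inbound traffic.
    """
    counts = Counter()
    for r in records:
        if r["relay"].startswith("localhost"):
            counts[r["sender"]] += 1
    return counts


def suspicious_tmp_entries(entries, web_user="apache"):
    """Return paths owned by the web server user that are not PHP session files."""
    flagged = []
    for path, owner in entries:
        name = path.rsplit("/", 1)[-1]
        if owner == web_user and not name.startswith("sess_"):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for sender, n in injected_locally(parse_from_records(SAMPLE_LOG)).items():
        print(f"{n} message(s) injected locally as {sender}")
    for path in suspicious_tmp_entries(SAMPLE_TMP):
        print(f"inspect: {path}")
```

On a live host, feed `parse_from_records` the lines of the sendmail log and build the `entries` list from `os.scandir("/tmp")` with `pwd.getpwuid(entry.stat().st_uid).pw_name`; a sender that dominates the locally injected count is the account whose site to examine with the `lsof` check from the reply.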