I am managing a web/email server and have run into a problem.
My server is running Ubuntu 10.04.
It is set up so that the user: web, maintains a set of webpages hosted on the server.
For some reason, periodically throughout the day, the web user calls sendmail and sends an empty message to an email address (not on this server). It is always the same email address, and I know who it is sending to, we just can't figure out why it is doing it.
So far, I have: Changed the web account password, locked the web account, set its shell to /bin/false to prevent sshing.
No one is logged in to the web user.
There are no cron jobs listed by the web user.
If I run: ps aux | grep web, the only thing that web user runs is the periodic sendmail command.
I'm thinking perhaps on some webpage someone has a form that sends an email that is being spammed, but I haven't been able to find that yet.
Does anyone have any other insight on what may be causing this, or other places to look to see why the user keeps calling sendmail?
(I can't delete the web user because it handles the webpages...)
Some CMS applications (like WordPress) also have a pseudo-cron where access to a web page can set off internal "jobs". Same could be happening if you're using a third-party library within your websites that's set to mail home every so often.
Thanks for the quick replies. I've been trying to run lsof when the mail is actually being sent, but it has been tricky trying to catch the process in action.
I don't have any CMSs running through the web user so I don't think that would be the problem. But if I am missing something, it should be a pretty routine consistent frequency of emails being sent out, right? Like equally spaced in time? I just ask because last week, I removed about 30k of these emails from the queue over the course of 3 days. This week, for whatever reason, I have only had about 200 for the whole week, which makes it a little more difficult to investigate.
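One way to catch the short-lived sendmail process the thread describes, as an added example that is not part of the original posts: poll for sendmail processes owned by the user and record each one's parent chain, working directory and command line from /proc. The function names, the log path and the binary name `sendmail` are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (constructed): log which process launches sendmail for a user.
# Assumes Linux /proc, pgrep from procps, and a binary named "sendmail".

# Print one line per ancestor of PID: "pid uid=UID comm cwd=DIR | cmdline".
ancestry() {
    pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ -r "/proc/$pid/status" ]; do
        # Pull parent PID, real UID and command name from the status file.
        info=$(awk '/^Name:/{n=$2} /^PPid:/{p=$2} /^Uid:/{u=$2}
                    END{print p, u, n}' "/proc/$pid/status" 2>/dev/null) || info=''
        set -- $info
        ppid=${1:-}; uid=${2:-?}; comm=${3:-?}
        # cwd usually points at the directory of the script that sent the mail.
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) || cwd='?'
        cmd=$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ') || cmd=''
        printf '%s uid=%s %s cwd=%s | %s\n' "$pid" "$uid" "$comm" "$cwd" "$cmd"
        pid=$ppid          # walk up; the chain ends when PPid is 0
    done
}

# Poll for sendmail processes owned by USER; log each new PID once.
watch_sendmail() {
    user=$1
    log=${2:-/var/log/sendmail-callers.log}   # hypothetical log path
    seen=' '
    while sleep 0.2; do
        for p in $(pgrep -u "$user" -x sendmail); do
            case $seen in *" $p "*) continue ;; esac
            seen="$seen$p "
            { date '+%F %T'; ancestry "$p"; echo; } >> "$log"
        done
    done
}

# Usage: sh thisfile watch web [logfile]
if [ "${1:-}" = "watch" ]; then
    watch_sendmail "${2:-web}" "${3:-}"
fi
```

Run it as root so that `/proc/<pid>/cwd` of another user's processes is readable. A sender that starts and exits between two polls is missed, and if its parent has already exited the chain shows init as the parent.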