At this point you need to determine both the source of the emails and how the infection occurred. Failure to do so will greatly limit your ability to prevent it from recurring.
Here at LQ-Security, we follow the dated but still useful CERT Intruder Detection Checklist. In performing this process, you will want to disturb the system as little as possible. Do not power cycle it, do not reboot, do not try to "clean" it. Your absolute best option is to isolate the machine by either removing the network cable or raising a firewall so that it is accessible from a trusted location only. Attempting to operate the machine while investigating will only make your process harder, and it may tip off the intruder to the fact that they have been "made", causing them to either cover their tracks or destroy on their way out.
While proceeding, be sure to take notes of what you are doing and keep a log/journal. Once you have secured the machine as much as possible, there are five things that I would like you to start focusing on:
1 - think back and make notes regarding when the problem started occurring. Did anything notable happen about that time, did you make any changes, etc.? Also, what distribution are you running, and at what revision level? What server and content manager applications are you running (e.g. Apache, SSH, FTP, atmail, cPanel, plex, Nagios) and at what revision level? What would you say the overall patch state of the system is? Do you routinely apply updates? Do you have any sort of intrusion prevention software in place, e.g. AIDE or OSSEC? Do you use a firewall to close unused ports, and are you running SELinux?
2 - capture a snapshot of the process tree, network connections, and open files. Be sure to run this command as root, or else it will miss important process information that will help to link the pieces together.
Code:
(ps acxfwwwe 2>&1; lsof -Pwln 2>&1; netstat -anpe 2>&1; lastlog 2>&1; last 2>&1; who -a 2>&1 ) > /tmp/log.txt
3 - perform a detailed analysis of your log files. The best way to get started with this is to use the tool logwatch. From a known safe machine, download a copy of it and then transfer it to this host. Use the following command. Again, run it as root or else you won't be able to access all of the log files (this works on CentOS; on Debian you may need to use --save /path/to/log instead of the > redirect):
Code:
logwatch --detail High --service All --range All --archives --numeric > /path/to/logwatch.log
4 - Using the CERT checklist, perform the steps for finding hidden files and scripts (step 9). Pay particular attention to /dev, /tmp, and /proc. Also look for any files with setuid or setgid (step 2), and check all of the cron and at tables for modifications (be sure to look in /var/spool/cron).
5 - Try to verify your system binaries. Since you are using CentOS, use rpm -Va.
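As an added example (not part of the post above), the checks in step 4 can be scripted as POSIX shell functions that take an assumed ROOT argument, which points at the suspect filesystem or a mounted image of it, so that the results can be logged alongside the journal. The demo tree at the bottom is constructed, not a real compromise.

```shell
#!/bin/sh
# Added example: hidden-file, setuid/setgid and cron checks (CERT checklist
# steps 9 and 2, as referenced in the post). ROOT is an assumed parameter:
# "/" on the live host, or the mount point of a disk image.

# Dot-files and dot-directories under the directories the post calls out.
find_hidden() {
    root=${1:-/}
    for d in dev tmp proc; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -name '.*' 2>/dev/null
    done
}

# Files with the setuid or setgid bit set, staying on one filesystem.
find_setids() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Cron entries: system crontab, cron.d drop-ins and per-user spools.
list_cron() {
    root=${1:-/}
    for p in etc/crontab etc/cron.d var/spool/cron var/spool/cron/crontabs; do
        [ -e "$root/$p" ] || continue
        find "$root/$p" -type f 2>/dev/null
    done
}

# Number of results a check produced, for logging and assertions.
count_lines() { "$@" | wc -l | tr -d ' '; }

# Constructed demo tree: one hidden dir in dev, one hidden file in tmp,
# one setuid script in tmp, one dropped cron.d entry.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/dev/.x" "$t/tmp" "$t/proc" "$t/etc/cron.d" "$t/var/spool/cron"
    : > "$t/dev/.x/unknown.sh"
    : > "$t/tmp/.hidden"
    printf '#!/bin/sh\n' > "$t/tmp/suspect"; chmod 4755 "$t/tmp/suspect"
    printf '* * * * * root /tmp/suspect\n' > "$t/etc/cron.d/zz-update"
    echo "$t"
}
```

Run each function against the same ROOT and append its output to the journal; run as root on a live host so that /proc and /var/spool/cron are readable.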