Hello.
I would like your help. My server is probably hacked and sending spam emails. I see them randomly in the maillog (/usr/local/psa/var/log/maillog, the server has a Plesk panel), sometimes a few in a long time, sometimes a lot of them.
Here is a sample of it:
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: Handlers Filter before-remote for qmail started ...
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: from=root@acv360.com
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: to=frnklnjac7@aol.com
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: hook_dir = '/usr/local/psa/handlers/before-remote'
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: recipient[3] = 'frnklnjac7@aol.com'
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: handlers dir = '/usr/local/psa/handlers/before-remote/recipient/frnklnjac7@aol.com'
Jan 4 00:47:10 acv360 qmail: 1294098430.077707 starting delivery 22: msg 35096084 to remote frnklnjac7@aol.com
Jan 4 00:47:10 acv360 qmail: 1294098430.077800 status: local 0/10 remote 2/20
It is not an Apache issue, because I tried stopping Apache while these emails were being sent, but nothing changed. Also, I cannot find any suspicious script running using the ps xaf command.
Also every 5 minutes or so, I see these messages:
Jan 4 00:51:53 acv360 pop3d: Connection, ip=[209.85.213.27]
Jan 4 00:51:59 acv360 pop3d: IMAP connect from @ [209.85.213.27]ERR: LOGIN FAILED, ip=[209.85.213.27]
The IP usually changes, but all of them are from Google. I don't know if that has something to do with the spam emails.
I would appreciate your help.
Thank you,
Dennis
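
One way to triage a maillog like the one in the post, as an added example that is not part of the original post: it pairs the from= and to= lines of each qmail-remote-handlers process to count outbound deliveries per envelope sender, and counts failed POP3/IMAP logins per IP. The sample lines, addresses and the function name `summarize` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format shown in the post (placeholder hosts and addresses).
SAMPLE = """\
Jan 4 00:47:08 host qmail-remote-handlers[17662]: Handlers Filter before-remote for qmail started ...
Jan 4 00:47:08 host qmail-remote-handlers[17662]: from=root@example.com
Jan 4 00:47:08 host qmail-remote-handlers[17662]: to=a@example.net
Jan 4 00:47:09 host qmail-remote-handlers[17670]: Handlers Filter before-remote for qmail started ...
Jan 4 00:47:09 host qmail-remote-handlers[17670]: from=root@example.com
Jan 4 00:47:09 host qmail-remote-handlers[17670]: to=b@example.net
Jan 4 00:48:00 host qmail-remote-handlers[17700]: from=info@example.org
Jan 4 00:48:00 host qmail-remote-handlers[17700]: to=c@example.net
Jan 4 00:51:59 host pop3d: IMAP connect from @ [192.0.2.27]ERR: LOGIN FAILED, ip=[192.0.2.27]
Jan 4 00:56:59 host pop3d: IMAP connect from @ [192.0.2.27]ERR: LOGIN FAILED, ip=[192.0.2.27]
"""

HANDLER = re.compile(r"qmail-remote-handlers\[(\d+)\]: (from|to)=(\S+)")
FAILED = re.compile(r"LOGIN FAILED, ip=\[([^\]]+)\]")

def summarize(lines):
    """Return (deliveries per sender, recipients per sender, failed logins per IP)."""
    sender_by_pid = {}               # handler PID -> envelope sender it logged
    sent = Counter()                 # envelope sender -> outbound deliveries
    recipients = defaultdict(set)    # envelope sender -> distinct recipients
    failed = Counter()               # client IP -> failed POP3/IMAP logins
    for line in lines:
        m = HANDLER.search(line)
        if m:
            pid, field, addr = m.groups()
            if field == "from":
                sender_by_pid[pid] = addr   # a reused PID simply overwrites
                sent[addr] += 1
            elif pid in sender_by_pid:
                recipients[sender_by_pid[pid]].add(addr)
            continue
        m = FAILED.search(line)
        if m:
            failed[m.group(1)] += 1
    return sent, recipients, failed

if __name__ == "__main__":
    sent, recipients, failed = summarize(SAMPLE.splitlines())
    for sender, n in sent.most_common():
        print(f"{sender}: {n} deliveries, {len(recipients[sender])} distinct recipients")
    for ip, n in failed.most_common():
        print(f"failed logins from {ip}: {n}")
```

To run it against a real log, pass an open file handle for the maillog to `summarize` instead of the sample lines.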