LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-23-2016, 07:55 AM   #1
seta666
LQ Newbie
 
Registered: May 2016
Posts: 1

Rep: Reputation: Disabled
SPAM attack


Hi everyone, I'm running a Debian VPS server on OVH and received an email that my IP is sending spam, and they blocked port 25 for me. I'm checking my mail logs; the file grows very fast, and in the log I see that I have a big queue of emails to random email users. I checked the list of processes, and there is this list:
PID TTY TIME CMD
1 ? 00:00:00 init
2 ? 00:00:00 kthreadd
3 ? 00:00:00 ksoftirqd/0
5 ? 00:00:00 kworker/u:0
6 ? 00:00:00 migration/0
7 ? 00:00:00 watchdog/0
8 ? 00:00:00 cpuset
9 ? 00:00:00 khelper
10 ? 00:00:00 kdevtmpfs
11 ? 00:00:00 netns
12 ? 00:00:00 sync_supers
13 ? 00:00:00 bdi-default
14 ? 00:00:00 kintegrityd
15 ? 00:00:00 kblockd
17 ? 00:00:00 khungtaskd
18 ? 00:00:00 kswapd0
19 ? 00:00:00 ksmd
20 ? 00:00:00 khugepaged
21 ? 00:00:00 fsnotify_mark
22 ? 00:00:00 crypto
116 ? 00:00:00 khubd
119 ? 00:00:00 ata_sff
121 ? 00:00:00 scsi_eh_0
126 ? 00:00:00 scsi_eh_1
129 ? 00:00:00 kworker/u:1
157 ? 00:00:01 kjournald
318 ? 00:00:00 udevd
398 ? 00:00:00 udevd
410 ? 00:00:00 udevd
428 ? 00:00:00 kpsmoused
438 ? 00:00:01 kworker/0:2
461 ? 00:00:00 vballoon
665 ? 00:00:00 flush-254:0
1626 ? 00:00:00 dhclient
1946 ? 00:00:01 rsyslogd
2012 ? 00:00:01 /usr/sbin/amavi
2033 ? 00:00:00 apache2
2038 ? 00:00:00 vlogger (access
2040 ? 00:00:00 apache2
2062 ? 00:00:00 apache2
2063 ? 00:00:00 apache2
2064 ? 00:00:00 apache2
2065 ? 00:00:00 apache2
2066 ? 00:00:00 apache2
2403 ? 00:00:00 clamd
2535 ? 00:00:04 freshclam
2578 ? 00:00:00 cron
2609 ? 00:00:00 dbus-daemon
2640 ? 00:00:00 mailmanctl
2641 ? 00:00:00 python
2642 ? 00:00:00 python
2643 ? 00:00:00 python
2644 ? 00:00:00 python
2645 ? 00:00:00 python
2646 ? 00:00:00 python
2647 ? 00:00:00 python
2648 ? 00:00:00 python
2698 ? 00:00:00 mysqld_safe
3026 ? 00:00:08 mysqld
3027 ? 00:00:00 logger
3144 ? 00:00:00 dovecot
3156 ? 00:00:00 anvil
3157 ? 00:00:00 log
3195 ? 00:00:00 pure-ftpd-mysql
3209 ? 00:00:01 /usr/sbin/spamd
3217 ? 00:00:00 spamd child
3218 ? 00:00:00 spamd child
3595 ? 00:00:00 sshd
3622 tty1 00:00:00 getty
3623 tty2 00:00:00 getty
3624 tty3 00:00:00 getty
3625 tty4 00:00:00 getty
3626 tty5 00:00:00 getty
3627 tty6 00:00:00 getty
3628 ? 00:00:00 cron
3629 ? 00:00:00 sh
3630 ? 00:00:00 server.sh
3631 ? 00:00:00 sh
3634 ? 00:00:00 php
3901 ? 00:00:02 php-cgi
3903 ? 00:00:00 apache2
3996 ? 00:00:00 apache2
4062 ? 00:00:00 apache2
4074 ? 00:00:00 apache2
4075 ? 00:00:00 apache2
4076 ? 00:00:00 imap
4103 ? 00:00:05 sshd
4109 pts/0 00:00:00 bash
4867 ? 00:00:00 imap
4868 ? 00:00:00 imap
4980 ? 00:00:01 php-cgi
5373 ? 00:00:00 kworker/0:1
5679 ? 00:00:00 /usr/sbin/amavi
5680 ? 00:00:00 /usr/sbin/amavi
6582 pts/0 00:00:00 ps
root@vps222024:~# mc

root@vps222024:~# ps -A
PID TTY TIME CMD
1 ? 00:00:00 init
2 ? 00:00:00 kthreadd
3 ? 00:00:01 ksoftirqd/0
5 ? 00:00:00 kworker/u:0
6 ? 00:00:00 migration/0
7 ? 00:00:00 watchdog/0
8 ? 00:00:00 cpuset
9 ? 00:00:00 khelper
10 ? 00:00:00 kdevtmpfs
11 ? 00:00:00 netns
12 ? 00:00:00 sync_supers
13 ? 00:00:00 bdi-default
14 ? 00:00:00 kintegrityd
15 ? 00:00:00 kblockd
17 ? 00:00:00 khungtaskd
18 ? 00:00:00 kswapd0
19 ? 00:00:00 ksmd
20 ? 00:00:00 khugepaged
21 ? 00:00:00 fsnotify_mark
22 ? 00:00:00 crypto
116 ? 00:00:00 khubd
119 ? 00:00:00 ata_sff
121 ? 00:00:00 scsi_eh_0
126 ? 00:00:00 scsi_eh_1
129 ? 00:00:00 kworker/u:1
157 ? 00:00:01 kjournald
318 ? 00:00:00 udevd
398 ? 00:00:00 udevd
410 ? 00:00:00 udevd
428 ? 00:00:00 kpsmoused
461 ? 00:00:00 vballoon
665 ? 00:00:00 flush-254:0
1626 ? 00:00:00 dhclient
1946 ? 00:00:01 rsyslogd
2012 ? 00:00:01 /usr/sbin/amavi
2033 ? 00:00:00 apache2
2038 ? 00:00:00 vlogger (access
2040 ? 00:00:00 apache2
2063 ? 00:00:00 apache2
2064 ? 00:00:00 apache2
2065 ? 00:00:00 apache2
2066 ? 00:00:00 apache2
2403 ? 00:00:00 clamd
2535 ? 00:00:04 freshclam
2578 ? 00:00:00 cron
2609 ? 00:00:00 dbus-daemon
2640 ? 00:00:00 mailmanctl
2641 ? 00:00:00 python
2642 ? 00:00:00 python
2643 ? 00:00:00 python
2644 ? 00:00:00 python
2645 ? 00:00:00 python
2646 ? 00:00:00 python
2647 ? 00:00:00 python
2648 ? 00:00:00 python
2698 ? 00:00:00 mysqld_safe
3026 ? 00:00:08 mysqld
3027 ? 00:00:00 logger
3144 ? 00:00:00 dovecot
3156 ? 00:00:00 anvil
3157 ? 00:00:00 log
3195 ? 00:00:00 pure-ftpd-mysql
3209 ? 00:00:01 /usr/sbin/spamd
3217 ? 00:00:00 spamd child
3218 ? 00:00:00 spamd child
3595 ? 00:00:00 sshd
3622 tty1 00:00:00 getty
3623 tty2 00:00:00 getty
3624 tty3 00:00:00 getty
3625 tty4 00:00:00 getty
3626 tty5 00:00:00 getty
3627 tty6 00:00:00 getty
3901 ? 00:00:03 php-cgi
3903 ? 00:00:00 apache2
4074 ? 00:00:00 apache2
4075 ? 00:00:00 apache2
4076 ? 00:00:00 imap
4103 ? 00:00:05 sshd
4109 pts/0 00:00:00 bash
4867 ? 00:00:00 imap
4868 ? 00:00:00 imap
4980 ? 00:00:02 php-cgi
5373 ? 00:00:01 kworker/0:1
5679 ? 00:00:00 /usr/sbin/amavi
5680 ? 00:00:00 /usr/sbin/amavi
6639 ? 00:00:00 php-cgi
6641 ? 00:00:00 php-cgi
6642 ? 00:00:00 apache2
6643 ? 00:00:00 php-cgi
6645 ? 00:00:00 php-cgi
6759 ? 00:00:00 apache2
6933 ? 00:00:00 apache2
6950 ? 00:00:00 kworker/0:0
7106 ? 00:00:00 config
7108 ? 00:00:00 auth
7416 ? 00:00:00 auth
7431 ? 00:00:00 sshd
7432 ? 00:00:00 sshd
7433 pts/0 00:00:00 ps


Can anyone tell me which process sends these emails?
 
Old 05-24-2016, 01:11 AM   #2
nigelc
Member
 
Registered: Oct 2004
Location: Sydney, Australia
Distribution: Mageia 7
Posts: 406
Blog Entries: 4

Rep: Reputation: 80
This one?


Quote:
2640 ? 00:00:00 mailmanctl
 
Old 05-24-2016, 02:07 AM   #3
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475

Rep: Reputation: 1553
More likely to be an exploit of a website, especially if you're running something like wordpress on the box. Plugins for wordpress can be highly exploitable, and in general anything that's running inside apache/php will be able to send mail through the server.
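The question in post #1 (which process is sending the mail) and the point in post #3 (any PHP running under apache can call mail()) can be answered from the queue itself rather than from `ps`, because the `php-cgi` worker that sent a message has usually exited by the time you look. The script below is an added example, not something posted in this thread or shipped with any of the software in the process list. It assumes PHP 5.3 or later with `mail.add_x_header = On` set in php.ini, which makes PHP's `mail()` stamp every outgoing message with an `X-PHP-Originating-Script: <uid>:<script>` header, and it assumes the MTA is Postfix (the thread never names the MTA), so that `postcat -qh` can dump the headers of each queued message. The header sample is constructed here to stand in for real `postcat` output.

```shell
#!/bin/sh
# Added example: tally which PHP script originated the messages sitting in the
# mail queue. Relies on PHP's mail.add_x_header = On (php.ini), which adds
#   X-PHP-Originating-Script: <uid>:<script basename>
# to every message sent through mail(). Output is "count uid:script", busiest first.

# $1: a file holding the concatenated headers of queued messages.
# On a Postfix box (assumed, not stated in the thread) such a file is produced by:
#   for id in $(mailq | awk '/^[0-9A-F]+[*!]?$/ {print $1}' | tr -d '*!'); do
#       postcat -qh "$id"
#   done > /tmp/queue-headers.txt
count_php_originators() {
    awk -F': ' '/^X-PHP-Originating-Script:/ { n[$2]++ }
                END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Writes constructed sample headers to the path in $1. uid 33 is www-data on
# Debian, i.e. a script running inside apache/php, as suggested in post #3.
make_sample_headers() {
    cat > "$1" <<'EOF'
Received: by vps.example (Postfix, from userid 33)
X-PHP-Originating-Script: 33:mailer.php
To: someone@example.net
Subject: hello

Received: by vps.example (Postfix, from userid 33)
X-PHP-Originating-Script: 33:mailer.php
To: another@example.net
Subject: hello

Received: by vps.example (Postfix, from userid 33)
X-PHP-Originating-Script: 33:contact-form.php
To: owner@example.org
Subject: website enquiry
EOF
}

# Demo run on the constructed sample.
demo_file=$(mktemp)
make_sample_headers "$demo_file"
count_php_originators "$demo_file"
rm -f "$demo_file"
```

With the real queue headers, the top line names the script and the uid that produced the bulk of the queue; `find /var/www -name <script>` then locates the file to inspect or remove. If the header is absent from every message, PHP's `mail()` is either not the sender (check `mailq`'s sender addresses and the MTA log for `sasl_username=` or SMTP clients instead) or `mail.add_x_header` was off when the mail was generated. Setting `mail.log = /var/log/phpmail.log` in php.ini alongside it records the calling script and its arguments for future incidents.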
 