05-23-2016, 07:55 AM
#1
LQ Newbie
Registered: May 2016
Posts: 1
Rep:
SPAM attack
Hi everyone, I'm running a Debian VPS server on OVH and I received an email that my IP is sending spam and they blocked port 25 for me. I'm checking my mail logs and the file grows very fast, and in the log I see that I have a big queue with emails to random email users. I checked the list of processes and there is this list:
PID TTY TIME CMD
1 ? 00:00:00 init
2 ? 00:00:00 kthreadd
3 ? 00:00:00 ksoftirqd/0
5 ? 00:00:00 kworker/u:0
6 ? 00:00:00 migration/0
7 ? 00:00:00 watchdog/0
8 ? 00:00:00 cpuset
9 ? 00:00:00 khelper
10 ? 00:00:00 kdevtmpfs
11 ? 00:00:00 netns
12 ? 00:00:00 sync_supers
13 ? 00:00:00 bdi-default
14 ? 00:00:00 kintegrityd
15 ? 00:00:00 kblockd
17 ? 00:00:00 khungtaskd
18 ? 00:00:00 kswapd0
19 ? 00:00:00 ksmd
20 ? 00:00:00 khugepaged
21 ? 00:00:00 fsnotify_mark
22 ? 00:00:00 crypto
116 ? 00:00:00 khubd
119 ? 00:00:00 ata_sff
121 ? 00:00:00 scsi_eh_0
126 ? 00:00:00 scsi_eh_1
129 ? 00:00:00 kworker/u:1
157 ? 00:00:01 kjournald
318 ? 00:00:00 udevd
398 ? 00:00:00 udevd
410 ? 00:00:00 udevd
428 ? 00:00:00 kpsmoused
438 ? 00:00:01 kworker/0:2
461 ? 00:00:00 vballoon
665 ? 00:00:00 flush-254:0
1626 ? 00:00:00 dhclient
1946 ? 00:00:01 rsyslogd
2012 ? 00:00:01 /usr/sbin/amavi
2033 ? 00:00:00 apache2
2038 ? 00:00:00 vlogger (access
2040 ? 00:00:00 apache2
2062 ? 00:00:00 apache2
2063 ? 00:00:00 apache2
2064 ? 00:00:00 apache2
2065 ? 00:00:00 apache2
2066 ? 00:00:00 apache2
2403 ? 00:00:00 clamd
2535 ? 00:00:04 freshclam
2578 ? 00:00:00 cron
2609 ? 00:00:00 dbus-daemon
2640 ? 00:00:00 mailmanctl
2641 ? 00:00:00 python
2642 ? 00:00:00 python
2643 ? 00:00:00 python
2644 ? 00:00:00 python
2645 ? 00:00:00 python
2646 ? 00:00:00 python
2647 ? 00:00:00 python
2648 ? 00:00:00 python
2698 ? 00:00:00 mysqld_safe
3026 ? 00:00:08 mysqld
3027 ? 00:00:00 logger
3144 ? 00:00:00 dovecot
3156 ? 00:00:00 anvil
3157 ? 00:00:00 log
3195 ? 00:00:00 pure-ftpd-mysql
3209 ? 00:00:01 /usr/sbin/spamd
3217 ? 00:00:00 spamd child
3218 ? 00:00:00 spamd child
3595 ? 00:00:00 sshd
3622 tty1 00:00:00 getty
3623 tty2 00:00:00 getty
3624 tty3 00:00:00 getty
3625 tty4 00:00:00 getty
3626 tty5 00:00:00 getty
3627 tty6 00:00:00 getty
3628 ? 00:00:00 cron
3629 ? 00:00:00 sh
3630 ? 00:00:00 server.sh
3631 ? 00:00:00 sh
3634 ? 00:00:00 php
3901 ? 00:00:02 php-cgi
3903 ? 00:00:00 apache2
3996 ? 00:00:00 apache2
4062 ? 00:00:00 apache2
4074 ? 00:00:00 apache2
4075 ? 00:00:00 apache2
4076 ? 00:00:00 imap
4103 ? 00:00:05 sshd
4109 pts/0 00:00:00 bash
4867 ? 00:00:00 imap
4868 ? 00:00:00 imap
4980 ? 00:00:01 php-cgi
5373 ? 00:00:00 kworker/0:1
5679 ? 00:00:00 /usr/sbin/amavi
5680 ? 00:00:00 /usr/sbin/amavi
6582 pts/0 00:00:00 ps
root@vps222024:~# mc
root@vps222024:~# ps -A
PID TTY TIME CMD
1 ? 00:00:00 init
2 ? 00:00:00 kthreadd
3 ? 00:00:01 ksoftirqd/0
5 ? 00:00:00 kworker/u:0
6 ? 00:00:00 migration/0
7 ? 00:00:00 watchdog/0
8 ? 00:00:00 cpuset
9 ? 00:00:00 khelper
10 ? 00:00:00 kdevtmpfs
11 ? 00:00:00 netns
12 ? 00:00:00 sync_supers
13 ? 00:00:00 bdi-default
14 ? 00:00:00 kintegrityd
15 ? 00:00:00 kblockd
17 ? 00:00:00 khungtaskd
18 ? 00:00:00 kswapd0
19 ? 00:00:00 ksmd
20 ? 00:00:00 khugepaged
21 ? 00:00:00 fsnotify_mark
22 ? 00:00:00 crypto
116 ? 00:00:00 khubd
119 ? 00:00:00 ata_sff
121 ? 00:00:00 scsi_eh_0
126 ? 00:00:00 scsi_eh_1
129 ? 00:00:00 kworker/u:1
157 ? 00:00:01 kjournald
318 ? 00:00:00 udevd
398 ? 00:00:00 udevd
410 ? 00:00:00 udevd
428 ? 00:00:00 kpsmoused
461 ? 00:00:00 vballoon
665 ? 00:00:00 flush-254:0
1626 ? 00:00:00 dhclient
1946 ? 00:00:01 rsyslogd
2012 ? 00:00:01 /usr/sbin/amavi
2033 ? 00:00:00 apache2
2038 ? 00:00:00 vlogger (access
2040 ? 00:00:00 apache2
2063 ? 00:00:00 apache2
2064 ? 00:00:00 apache2
2065 ? 00:00:00 apache2
2066 ? 00:00:00 apache2
2403 ? 00:00:00 clamd
2535 ? 00:00:04 freshclam
2578 ? 00:00:00 cron
2609 ? 00:00:00 dbus-daemon
2640 ? 00:00:00 mailmanctl
2641 ? 00:00:00 python
2642 ? 00:00:00 python
2643 ? 00:00:00 python
2644 ? 00:00:00 python
2645 ? 00:00:00 python
2646 ? 00:00:00 python
2647 ? 00:00:00 python
2648 ? 00:00:00 python
2698 ? 00:00:00 mysqld_safe
3026 ? 00:00:08 mysqld
3027 ? 00:00:00 logger
3144 ? 00:00:00 dovecot
3156 ? 00:00:00 anvil
3157 ? 00:00:00 log
3195 ? 00:00:00 pure-ftpd-mysql
3209 ? 00:00:01 /usr/sbin/spamd
3217 ? 00:00:00 spamd child
3218 ? 00:00:00 spamd child
3595 ? 00:00:00 sshd
3622 tty1 00:00:00 getty
3623 tty2 00:00:00 getty
3624 tty3 00:00:00 getty
3625 tty4 00:00:00 getty
3626 tty5 00:00:00 getty
3627 tty6 00:00:00 getty
3901 ? 00:00:03 php-cgi
3903 ? 00:00:00 apache2
4074 ? 00:00:00 apache2
4075 ? 00:00:00 apache2
4076 ? 00:00:00 imap
4103 ? 00:00:05 sshd
4109 pts/0 00:00:00 bash
4867 ? 00:00:00 imap
4868 ? 00:00:00 imap
4980 ? 00:00:02 php-cgi
5373 ? 00:00:01 kworker/0:1
5679 ? 00:00:00 /usr/sbin/amavi
5680 ? 00:00:00 /usr/sbin/amavi
6639 ? 00:00:00 php-cgi
6641 ? 00:00:00 php-cgi
6642 ? 00:00:00 apache2
6643 ? 00:00:00 php-cgi
6645 ? 00:00:00 php-cgi
6759 ? 00:00:00 apache2
6933 ? 00:00:00 apache2
6950 ? 00:00:00 kworker/0:0
7106 ? 00:00:00 config
7108 ? 00:00:00 auth
7416 ? 00:00:00 auth
7431 ? 00:00:00 sshd
7432 ? 00:00:00 sshd
7433 pts/0 00:00:00 ps
Can anyone tell me what process sends these emails?
05-24-2016, 01:11 AM
#2
Member
Registered: Oct 2004
Location: Sydney, Australia
Distribution: Mageia 7
Posts: 406
Rep:
This one?
Quote:
2640 ? 00:00:00 mailmanctl
05-24-2016, 02:07 AM
#3
Senior Member
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 3,475
More likely to be an exploit of a website, especially if you're running something like WordPress on the box. Plugins for WordPress can be highly exploitable, and in general anything that's running inside Apache/PHP will be able to send mail through the server.
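Added example, not part of the thread: one way to find out which PHP script is behind the queue, given the point above that anything under Apache/PHP can call mail(). PHP's real php.ini directives mail.log and mail.add_x_header make every mail() call leave a trace; the log path, the site paths and the log lines below are constructed sample data, not from the poster's server.

```python
"""Rank PHP scripts by the number of mail() calls recorded in PHP's mail log.

Assumes php.ini is configured with (paths are assumptions):
    mail.log = /var/log/php-mail.log      ; one line per mail() call
    mail.add_x_header = On                ; adds X-PHP-Originating-Script to each message
Each log line then looks like:
    [date] mail() on [/path/script.php:LINE]: To: rcpt -- Headers: ...
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] mail\(\) on \[(?P<script>[^:\]]+):(?P<line>\d+)\]: "
    r"To: (?P<to>\S+) -- Headers: (?P<headers>.*)$"
)

# Constructed sample log: a script planted under a web-writable uploads
# directory sends in bulk, while a legitimate contact form sends once.
SAMPLE_LOG = """\
[23-May-2016 07:40:01 UTC] mail() on [/var/www/site1/wp-content/uploads/cache.php:14]: To: alice@example.net -- Headers: From: promo@example.org
[23-May-2016 07:40:01 UTC] mail() on [/var/www/site1/wp-content/uploads/cache.php:14]: To: bob@example.net -- Headers: From: promo@example.org
[23-May-2016 07:40:02 UTC] mail() on [/var/www/site1/wp-content/uploads/cache.php:14]: To: carol@example.com -- Headers: From: promo@example.org
[23-May-2016 07:41:10 UTC] mail() on [/var/www/site2/contact.php:52]: To: owner@example.org -- Headers: From: visitor@example.com
this line is not a mail() record and is skipped
"""

def parse_mail_log(text):
    """Yield one dict per well-formed mail() log line; ignore anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.groupdict()

def rank_senders(text, top=5):
    """Return (script, count) pairs, busiest script first."""
    counts = Counter(e["script"] for e in parse_mail_log(text))
    return counts.most_common(top)

def suspicious_scripts(text, threshold=3):
    """Scripts sending >= threshold messages, or living under an uploads
    directory (web-writable, so it should never hold executable PHP)."""
    counts = Counter(e["script"] for e in parse_mail_log(text))
    return sorted(s for s, n in counts.items() if n >= threshold or "/uploads/" in s)

if __name__ == "__main__":
    for script, n in rank_senders(SAMPLE_LOG):
        print(f"{n:5d}  {script}")
```

On a live box, point the script at the real mail.log (or grep the queued messages for the X-PHP-Originating-Script header) and compare the top entries against what each site is supposed to send.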