mail/webserver used for spam through /tmp /dev/shm

Discussion in 'Server Operation' started by HoUsECAt, Dec 21, 2010.

  1. HoUsECAt

    HoUsECAt New Member

    hi all!

    my server is used to send spam with a php script run from /tmp and /dev/shm

    it is started in the morning by downloading a sendpX.tgz file (where X is a number, shown by the proxy server), which is then extracted and run to send >20k mails to mostly Italian recipients

    any idea where to start to find out where the server is exploited? and what script/process triggers this download?

    I've shut down the mail/webserver for now since it's a backup, so I have time to investigate!

    thanks for your reply!
  2. falko

    falko Super Moderator ISPConfig Developer

    Did you check your server with chkrootkit and rkhunter?
  3. HoUsECAt

    HoUsECAt New Member

    yup I did... didn't find anything special, but I found the problem in the meantime;

    files were put in;

    a crontab was made for user;
    /tmp/.ICE-unix/y2kupdate >/dev/null 2>&1

    a php reverse shell client was put in;

    all due to an old phpmyadmin install :eek:
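The triage the thread converges on (a mailer in a scratch directory, a crontab entry pointing at it, and a dropper fetched as sendpX.tgz via an old phpMyAdmin) can be scripted. The helpers below are an added example, not code from either poster; the file paths, the log format and the sample data in demo() are constructed assumptions, so on a real box point the functions at /var/spool/cron/crontabs/*, /tmp, /dev/shm, /var/tmp and your proxy or web access log instead.

```shell
#!/bin/sh
# Post-incident triage helpers for the pattern in this thread: a spam mailer
# dropped in /tmp or /dev/shm, started from a crontab line, fetched as
# sendpX.tgz through a web-application hole. Added example, not the posters'
# code. Paths are parameters so the functions work on a live server or on
# constructed copies of its files.

# 1. Crontab lines whose command lives in a world-writable scratch directory
#    (comment lines are skipped). $1 = a crontab file.
cron_in_scratch() {
    grep -E '^[^#].*(/tmp/|/dev/shm/|/var/tmp/)' "$1" || true
}

# 2. Files with an execute bit inside scratch directories, including hidden
#    subdirectories such as /tmp/.ICE-unix seen in this case. $@ = directories.
exec_in_scratch() {
    find "$@" -type f -perm -u+x 2>/dev/null | sort
}

# 3. Log lines that fetched a sendpX.tgz dropper or touched phpMyAdmin.
#    $1 = proxy or web access log.
weblog_suspects() {
    grep -Ei 'sendp[0-9]+\.tgz|phpmyadmin' "$1" || true
}

# Constructed sample data (assumed, not from the thread) so the helpers can be
# exercised offline; prints the directory it created.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/tmp/.ICE-unix" "$d/dev/shm"
    printf 'x' > "$d/tmp/.ICE-unix/y2kupdate"
    chmod 755 "$d/tmp/.ICE-unix/y2kupdate"      # executable: must be reported
    printf 'x' > "$d/dev/shm/sess_abc"          # plain session file: ignored
    printf '# nightly jobs\n0 6 * * * /tmp/.ICE-unix/y2kupdate >/dev/null 2>&1\n0 1 * * * /usr/sbin/logrotate\n' > "$d/cron"
    printf '10.0.0.5 - - "GET /phpmyadmin/setup/ HTTP/1.1" 200\n10.0.0.5 - - "GET /sendp3.tgz HTTP/1.1" 200\n10.0.0.6 - - "GET /index.html HTTP/1.1" 200\n' > "$d/access.log"
    echo "$d"
}
```

Run cron_in_scratch over every file under /var/spool/cron/crontabs (and /etc/cron.d) rather than a single user, since the poster only found the entry after the fact.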
