lundi 5 janvier 2015

find who sends spam


I have a LAMP ubuntu-10.04 server. There are many (>140) users and a lot of differents web php sites (custom, different php frameworks, cms etc).


The problem is: sometimes server sends "spam". And local exim isn't used for that. I found such strange activity:



/usr/bin/lsof -ni | grep smtp |grep -v ^exim4

perl      15177    www-data  510u  IPv4 1101127040      0t0  TCP server_ip:46401->65.55.37.72:smtp (SYN_SENT)
perl      15178    www-data  510u  IPv4 1101127059      0t0  TCP server_ip:51002->98.136.217.202:smtp (SYN_SENT)
perl      15179    www-data  510u  IPv4 1101126982      0t0  TCP server_ip:39232->74.125.205.26:smtp (SYN_SENT)
perl      15180    www-data  510u  IPv4 1101126975      0t0  TCP server_ip:53339->65.55.37.72:smtp (SYN_SENT)
perl      15181    www-data  510u  IPv4 1101127014      0t0  TCP server_ip:45429->65.55.37.72:smtp (SYN_SENT)
perl      15182    www-data  510u  IPv4 1101126984      0t0  TCP server_ip:49985->74.125.205.26:smtp (SYN_SENT)
perl      15183    www-data  510u  IPv4 1101126971      0t0  TCP server_ip:42199->65.55.37.72:smtp (SYN_SENT)
..........
...........
perl      15184    www-data  510u  IPv4 1101126968      0t0  TCP server_ip:36641->74.125.205.26:smtp (SYN_SENT)
perl      15186    www-data  510u  IPv4 1101126979      0t0  TCP server_ip:57690->98.138.112.32:smtp (SYN_SENT)
...........


And I can't find who and how run this perl processes. I tried to alanyze these processes (for exmaple pid 15179): /proc/15179/cmdline - is empty



/proc/15179/status

Name:   perl
State:  S (sleeping)
Tgid:   15179
Pid:    15179
PPid:   15176
TracerPid:  0
Uid:    33  33  33  33
Gid:    33  33  33  33
FDSize: 1024
Groups: 33 
VmPeak:    10400 kB
VmSize:    10372 kB
VmLck:         0 kB
VmHWM:      8140 kB
VmRSS:      8092 kB
VmData:     6980 kB
VmStk:        88 kB
VmExe:      1200 kB
VmLib:      1980 kB
VmPTE:        32 kB
Threads:    1
SigQ:   0/16382
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000000080
SigCgt: 0000000180017427
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
Cpus_allowed:   f
Cpus_allowed_list:  0-3
Mems_allowed:   1
Mems_allowed_list:  0
voluntary_ctxt_switches:    6431
nonvoluntary_ctxt_switches: 34


lsof -n -p 15179 - here enter link description here


I tried to find parent process: parent pid of 15179 is 15176:


/proc/15176/cmdline - empty too


and



/proc/15176/status

Name:   perl
State:  S (sleeping)
Tgid:   15176
Pid:    15176
PPid:   1
TracerPid:  0
Uid:    33  33  33  33
Gid:    33  33  33  33
FDSize: 1024
Groups: 33 
VmPeak:    11116 kB
VmSize:    11116 kB
VmLck:         0 kB
VmHWM:      8712 kB
VmRSS:      8692 kB
VmData:     7772 kB
VmStk:        88 kB
VmExe:      1200 kB
VmLib:      1940 kB
VmPTE:        32 kB
Threads:    1
SigQ:   0/16382
SigPnd: 0000000000000000
ShdPnd: 0000000000000000
SigBlk: 0000000000000000
SigIgn: 0000000000010080
SigCgt: 0000000180007427
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: ffffffffffffffff
Cpus_allowed:   f
Cpus_allowed_list:  0-3
Mems_allowed:   1
Mems_allowed_list:  0
voluntary_ctxt_switches:    14467


It happens rarely (once a 2 days) and lasts few minutes. So it's difficult to get more information. All this inforamtion is logged using cron job which monitor smtp connection. I have no idea how to identify who/how runs these processes. Are there any tactics to find them?



Publié par à
Libellés :

Aucun commentaire:

Enregistrer un commentaire

Inscription à : Publier les commentaires (Atom)