sm-mta trouble

[Conrad]

At the moment some thousends of mail are sent with some sm-mta,
i thought i found a suspicious perl script at a user cgi-bin, but after 30 minutes of rest, it start all over again.

Sep 24 13:11:40 core3 sm-mta[89513]: n8ODBeeE089513: to=<[email protected]>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=61388, relay=cc-mail.carterchambers.com. [63.107.21.1], dsn=4.0.0, stat=Deferred: Connection refused by cc-mail.carterchambers.com.

i also have this in "top"

apache 87822 20.4 0.2 12612 6680 ?? Rs 2:25PM 9:08.43 ./tgqfed.pl (perl5.8.7)
apache 87821 19.5 0.2 11112 6276 ?? Ss 2:25PM 7:38.66 ./tgqfed.pl (perl5.8.7)
apache 87819 14.2 0.2 14612 6196 ?? Ss 2:25PM 9:06.48 ./tgqfed.pl (perl5.8.7)
apache 87820 6.1 0.2 14292 6404 ?? Ss 2:25PM 6:16.98 ./tgqfed.pl (perl5.8.7)
apache 87876 0.4 0.8 35508 27292 ?? S 2:26PM 0:01.07 /usr/sbin/httpd -k start -DSSL
apache 85459 0.0 0.8 36160 27856 ?? S 1:14PM 0:02.77 /usr/sbin/httpd -k start -DSSL

but doing a find i cannot locate the pl files..

anyone have a idea?

Thanks

 

[scsi]

find / -name tgqfed.pl

 

[Conrad]

that['s the strange issue,

not found..

but it shows in "top"

 

[floyd]

You probably have an insecure php script which allowed an attacker to upload the script into the /tmp directory and then start the script and then delete it from /tmp. The script is now running in memory.

If you stop it then the attacker just comes back and starts it again. You have to find the insecure script.

 

[Conrad]

thanks Floyd,

i think you are right, that must be it.

there goes my night sleep, how am i gonna find that one
nothing in the logs of course...

just an iframe in a homepage of a client, i think that account is a
good starting point..

Thanks for your help

 

[floyd]

After it starts running you can take the process id number and do

ls -l /proc/PID

Sometimes that will give you more information on where to look