[plug] Postfix Problems again (Spam Originating frommy mailserver)

Shannon Carver Shannon.Carver at P-S-T.COM.AU
Thu Dec 1 14:19:15 WST 2005


Reveals:
www-data  8545  0.0  3.8 77168 4776 ?        S    06:25   0:00  \_
/usr/sbin/apache
www-data  8546  0.0  3.8 77168 4772 ?        S    06:25   0:00  \_
/usr/sbin/apache
www-data  8547  0.0  3.8 77168 4776 ?        S    06:25   0:00  \_
/usr/sbin/apache
www-data  8548  0.0  3.8 77168 4776 ?        S    06:25   0:00  \_
/usr/sbin/apache
www-data  8549  0.0  3.8 77168 4792 ?        S    06:25   0:00  \_
/usr/sbin/apache
www-data  8613  0.0  3.8 77168 4776 ?        S    06:28   0:00  \_
/usr/sbin/apache
www-data  8614  0.0  3.8 77172 4772 ?        S    06:28   0:00  \_
/usr/sbin/apache
www-data 10850  0.0  3.3 77024 4188 ?        S    14:01   0:00  \_
/usr/sbin/apache
www-data 18741  0.0  0.3  2172  492 ?        S    Nov29   0:00
www-data 32311  0.0  0.7  2172  888 ?        S    Nov30   0:00

Oh which I didn't notice the last two before, which I assume were
started both at midnight, I'll look at my crons now.. I thought I
checked this already, must have been after I restarted the box.

Shannon

-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
Behalf Of simon
Sent: Thursday, 1 December 2005 2:07 PM
To: plug at plug.org.au
Subject: RE: [plug] Postfix Problems again (Spam Originating frommy
mailserver)

Shannon Carver (Shannon.Carver at P-S-T.COM.AU) wrote:
>
> Thanks, I'm looking into this now.  What I've done for the moment is
cut


The other alternative is that youve been compromised (or at least they
have
access to www-data user).

What does "ps auxf |grep www-data" reveal?

--
=================
Simon Scott
simon at chrome64.org
mob: 0409113359
=================



_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au




More information about the plug mailing list