On a webserver, I am seeing unknown processes invoking sendmail like

```
root      1544  1188  0 03:42 ?        00:00:00 sendmail: ./qBBJ2gNg014264 mail.furst.com.: user open
```

I have DROPped all SMTP destination ports via iptables, and have confirmed this by seeing SYN_SENT for such connections via netstat.

How can I find / stop / remove these unknown processes running sendmail?

UPDATE: The OP has said that the machine is running Drupal.

adamo
Nishant
  • possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Tom O'Connor Dec 17 '12 at 12:03

2 Answers

My best guess is that your machine is running a web server with PHP and someone has managed to use it in order to send mail from the machine.

adamo
Based on the ps clip presented in your question, this is sendmail processing a specified queued mail entry on your local host -- nothing externally initiated (except for receiving a local message, probably from an application program running on the local server, invoked by some website program?).

Thus there is no unknown process here playing around with sendmail based on the information presented in your question.

Did you trace back to the process that invoked sendmail (i.e. process 1188 in this case)?

If you are asking how to stop all sendmail processing, then you could simply remove the sendmail package from your server.

mdpc
  • Yes. I figured that it was some local application program running these. But then, how should I locate such a program and probably remove it? All I see is just `./qBBJ2gNg014264 mail.liuc.it. user open` – Nishant Dec 16 '12 at 06:59
  • 1188 is sendmail itself. `root 1188 1 0 Nov20 ? 00:02:25 sendmail: accepting connections` – Nishant Dec 16 '12 at 07:22
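
As the last comment shows, the parent of the queue-runner process is the sendmail daemon itself, so walking the process tree leads nowhere: the program that submitted the mail (PHP, per the first answer) has long since exited. What does remain is the queue control file `qf<id>` in sendmail's queue directory, which records the local Unix user that submitted the message and, when PHP has `mail.add_x_header = On`, an `X-PHP-Originating-Script: <uid>:<script>` header naming the script. The script below is an added example, not code from either answer or from the original poster: it assumes the default queue directory `/var/spool/mqueue`, and the sample queue file it writes (user `apache`, script `cache.php`, hosts `web01.example.com` and `mail.example.net`) is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find who submitted the messages
# sitting in sendmail's queue. The queue directory default and the sample
# control file written by make_sample_qf are assumptions for illustration.
set -e

# sendmail's default queue directory; override with QUEUE_DIR=... when testing.
QUEUE_DIR="${QUEUE_DIR:-/var/spool/mqueue}"

# Write a constructed qf control file resembling what sendmail leaves behind for
# a message that PHP's mail() handed to "sendmail -t -i" as the web server user.
# Only the record types relevant here are included.
make_sample_qf() {
    cat > "$1" <<'EOF'
V8
T1355252536
K0
N1
P30211
MDeferred: Connection timed out with mail.example.net.
Fbs
$_apache@localhost
$rESMTP
$sweb01.example.com
S<apache@web01.example.com>
rRFC822; victim@example.net
RPFD:<victim@example.net>
H?P?Return-Path: <apache@web01.example.com>
H?P?Received: (from apache@localhost)
	by web01.example.com (8.14.4/8.14.4/Submit) id qBBJ2gNg014264;
	Tue, 11 Dec 2012 19:02:16 GMT
H??From: "Admin" <admin@example.org>
H??Subject: Your account has been suspended
H??X-PHP-Originating-Script: 48:cache.php
H??To: victim@example.net
.
EOF
}

# Print "<submitter> <php-script>" for one qf file.
#   submitter: sendmail's $_ macro, the validated sender of a local submission
#              (e.g. apache@localhost), also visible in the Received: header.
#   php-script: the X-PHP-Originating-Script header (uid:basename) that PHP adds
#              when php.ini has mail.add_x_header = On.
# Either field is printed as "-" when the file does not carry it.
qf_origin() {
    submitter=$(sed -n 's/^[$]_//p' "$1" | head -n 1)
    script=$(sed -n 's/^H?[^?]*?X-PHP-Originating-Script:[[:space:]]*//p' "$1" | head -n 1)
    printf '%s %s\n' "${submitter:--}" "${script:--}"
}

# Report the originator of every queued message in a directory, one line per
# queue ID, so a queue full of mail from a single uid:script stands out.
scan_queue() {
    for qf in "$1"/qf*; do
        [ -f "$qf" ] || continue
        id=${qf##*/qf}
        printf '%s ' "$id"
        qf_origin "$qf"
    done
}

# Stand-alone demonstration on the constructed sample; on a real host run
# "scan_queue $QUEUE_DIR" as root instead.
tmp=$(mktemp -d)
make_sample_qf "$tmp/qfqBBJ2gNg014264"
scan_queue "$tmp"
# prints: qBBJ2gNg014264 apache@localhost 48:cache.php
rm -rf "$tmp"
```

If the queued messages carry no `X-PHP-Originating-Script` header, the submitting user (here `apache@localhost`) still tells you the mail came from the web server rather than from cron or a shell user; set `mail.add_x_header = On` and `mail.log = /var/log/php-mail.log` in php.ini, which also records the full path and line of each `mail()` call, and the next submission names the script. A script in an upload or cache directory under the Drupal tree that calls `mail()` in a loop is the usual culprit, and its modification time and owner point at how it got there.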