Hi all! My server is being used to send spam with a PHP script run from /tmp and /dev/shm. It is started in the morning by downloading a sendpX.tgz file (where X is a number, as shown by the proxy server), which is then extracted and run to send >20k mails, mostly to Italian recipients. Any idea where to start to find out where the server is exploited, and what script/process triggers this download? I've shut down the mail/web server for now, since it's a backup, so I have time to investigate! Thanks for your reply!
Yup, I did... didn't find anything special. I found the problem in the meantime: files were put in /tmp, /dev/shm and /var/tmp; a crontab was made for the user: /tmp/.ICE-unix/y2kupdate >/dev/null 2>&1; and a PHP reverse shell client was put in /var/www/team. All due to an old phpMyAdmin install.
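The question in the first post ("what script/process triggers this download?") and the findings in the second (a cron entry pointing into /tmp/.ICE-unix, droppers in the scratch directories, a PHP reverse shell under the web root) boil down to three checks that a triage script can run. The helpers below are an added example, not code from the thread: they grep crontabs for commands living under /tmp, /dev/shm or /var/tmp, list executables dropped in those directories (hidden ones included), and flag .php files under a web root that call the functions a reverse shell needs. The directory and crontab paths in live_triage are assumptions for a typical Linux host, and the pattern lists are heuristics that need a human look at each hit.

```shell
#!/bin/sh
# Added triage helpers for the kind of compromise described in the thread.
# Not the poster's code; the paths in live_triage are assumptions for a
# typical Linux host and the grep patterns are heuristics, not signatures.

# find_tmp_cron FILE...: print crontab lines whose command lives under
# /tmp, /dev/shm or /var/tmp. A cron job that runs from a scratch
# directory is almost never legitimate.
find_tmp_cron() {
    grep -hE '(^|[[:space:]=])(/tmp|/dev/shm|/var/tmp)/' "$@" 2>/dev/null
}

# find_tmp_executables DIR...: regular files with the owner execute bit set,
# including dotfiles and hidden directories such as /tmp/.ICE-unix, which
# is a favourite hiding place because it normally exists and is ignored.
find_tmp_executables() {
    find "$@" -type f -perm -u+x 2>/dev/null
}

# find_shell_php DIR...: .php files that use a socket or process-execution
# function. A reverse shell needs both; normal web code rarely needs either,
# so every hit deserves a manual read.
find_shell_php() {
    find "$@" -type f -name '*.php' -exec \
        grep -lE 'fsockopen|proc_open|shell_exec|passthru|popen' {} + 2>/dev/null
}

# live_triage: run the three checks against the usual locations on the real
# host. Crontab locations differ per distro; missing ones are skipped quietly.
live_triage() {
    echo "== cron entries running from scratch directories =="
    find_tmp_cron /etc/crontab /etc/cron.d/* /var/spool/cron/* \
                  /var/spool/cron/crontabs/* || true
    echo "== executables in scratch directories =="
    find_tmp_executables /tmp /dev/shm /var/tmp
    echo "== PHP files with socket/exec calls under the web root =="
    find_shell_php /var/www
}

# Only touch the real filesystem when asked for explicitly:
#   TRIAGE_LIVE=1 sh triage.sh
if [ "${TRIAGE_LIVE:-0}" = 1 ]; then
    live_triage
fi
```

Run it as root so the per-user crontabs are readable, and treat the cron check as the answer to "what triggers the download": a dropper that re-fetches sendpX.tgz every morning has to be scheduled from somewhere, and on this box that somewhere was the crontab entry in the second post. Once the persistence is gone, the entry point (here the old phpMyAdmin) still has to be removed or patched, or the files will come back.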