My Linux server is sending out large amounts of spam and so far the only information I have to identify where this is coming from is the following:
Results of lsof -f | grep smtp:
perl 21655 apache 54u IPv4 1795658 0t0 TCP (my.server.here):58354->smtp-in.orange.fr:smtp (ESTABLISHED)
There are about 4-5 of these sometimes to different servers.
Additionally, my phpmail log is not reporting any mail sending, yet our server is definitely sending out large amounts of spam.
How can I identify the exact location of the script making these connections?
I think you have a pid there - 21655. So finding where the thing is, is as simple as looking in /proc/21655.
You should see a few entries in there. Of interest:
cwd - current working directory.
fd - files opened by the process.
exe and root probably won't tell you much unfortunately.
There's a bit of a difficulty here though - you know what your process is. It's perl. Somehow something is invoking perl and giving it code to run. This code may be entirely in memory. You can just type 'perl', key in some code, press Ctrl-D and have it run. There's nothing on disk at that point, so there's nothing to find.
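The /proc walk described in the answer above, written out as a small triage helper. This is an added example, not code from the question or the answer: it assumes a Linux host with /proc mounted and, for a process running as another user such as apache, that it is run as root (otherwise the cwd, exe and fd links are not readable). It also pulls in two things the answer does not mention but that help exactly in the "code came in over stdin" case: the parent process, and the process environment, which for anything spawned by a web server often still carries the CGI variables (SCRIPT_FILENAME, REQUEST_URI, DOCUMENT_ROOT) naming the script that launched it. The function name triage_pid is hypothetical.

```shell
#!/bin/sh
# Added triage helper (not from the original page). Summarises what
# /proc/<pid> knows about one process so the operator can locate the
# script behind it. Usage: triage_pid <pid>
triage_pid() {
    pid="$1"
    proc="/proc/$pid"
    if [ -z "$pid" ] || [ ! -d "$proc" ]; then
        echo "no such process: '$pid'" >&2
        return 1
    fi

    # cwd: where the interpreter was started. A world-writable or
    # web-writable directory (/tmp, an upload folder) is a strong hint.
    echo "cwd: $(readlink "$proc/cwd" 2>/dev/null || echo '?')"

    # exe: the interpreter binary. A "(deleted)" suffix means the file
    # was removed after launch; the inode is still readable via this link.
    echo "exe: $(readlink "$proc/exe" 2>/dev/null || echo '?')"

    # cmdline is NUL-separated. If it is just "perl" with no script
    # path, the code was fed on stdin or with -e, as the answer describes.
    echo "cmdline: $(tr '\0' ' ' < "$proc/cmdline" 2>/dev/null)"

    # Parent: what launched it. A web-server parent points at a
    # CGI/PHP script rather than a cron job or a shell session.
    ppid=$(awk '/^PPid:/ {print $2}' "$proc/status" 2>/dev/null)
    if [ -n "$ppid" ] && [ -r "/proc/$ppid/cmdline" ]; then
        echo "ppid: $ppid ($(tr '\0' ' ' < "/proc/$ppid/cmdline"))"
    else
        echo "ppid: ${ppid:-?}"
    fi

    # Open files: the script file (even if deleted) and the SMTP sockets
    # both appear here. fd 0 is worth a look: if it is a regular file,
    # that file is the code that was piped in.
    echo "fds:"
    for fd in "$proc"/fd/*; do
        [ -L "$fd" ] || continue
        echo "  $(basename "$fd") -> $(readlink "$fd" 2>/dev/null || echo '?')"
    done

    # Environment: inherited from the parent, so a perl spawned by a web
    # request usually still carries the CGI variables naming the script.
    echo "env (web-related):"
    tr '\0' '\n' < "$proc/environ" 2>/dev/null \
        | grep -E '^(SCRIPT_FILENAME|SCRIPT_NAME|REQUEST_URI|DOCUMENT_ROOT|REMOTE_ADDR)=' \
        | sed 's/^/  /'
    return 0
}

# Run directly with a PID argument, e.g. ./triage.sh 21655
if [ -n "${1:-}" ]; then
    triage_pid "$1"
fi
```

Run it against the PID from the lsof line (21655 in the question). If fd 0 of the perl process turns out to be a pipe from httpd rather than a file, the environment and parent lines are what tie the process back to a script under the web root; if nothing on disk remains at all, the open-file links are the only copy of the code you will get, so read them before the process exits.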