
Today my sendmail service started sending e-mail to various addresses.

/var/spool/mail:

From MAILER-DAEMON@noxcommunity.com  Fri Jan 30 22:15:30 2015
Return-Path: <MAILER-DAEMON@noxcommunity.com>
Received: from localhost (localhost)
    by noxcommunity.com (8.13.8/8.13.8) id t0ULFUje031918;
    Fri, 30 Jan 2015 22:15:30 +0100
Date: Fri, 30 Jan 2015 22:15:30 +0100
From: Mail Delivery Subsystem <MAILER-DAEMON@noxcommunity.com>
Message-Id: <201501302115.t0ULFUje031918@noxcommunity.com>
To: postmaster@noxcommunity.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="t0ULFUje031918.1422652530/noxcommunity.com"
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)

This is a MIME-encapsulated message

--t0ULFUje031918.1422652530/noxcommunity.com

The original message was received at Fri, 30 Jan 2015 22:15:30 +0100
from localhost.localdomain [127.0.0.1]
with id t0ULFUje031916

   ----- The following addresses had permanent fatal errors -----
<s@s>
    (reason: 550 Host unknown)

   ----- Transcript of session follows -----
550 5.1.2 <s@s>... Host unknown (Name server: s: host not found)
550 5.1.1 <noreply@noxcommunity.com>... User unknown

--t0ULFUje031918.1422652530/noxcommunity.com
Content-Type: message/delivery-status

Reporting-MTA: dns; noxcommunity.com
Received-From-MTA: DNS; localhost.localdomain
Arrival-Date: Fri, 30 Jan 2015 22:15:30 +0100

Final-Recipient: RFC822; s@s
Action: failed
Status: 5.1.2
Remote-MTA: DNS; s
Diagnostic-Code: SMTP; 550 Host unknown
Last-Attempt-Date: Fri, 30 Jan 2015 22:15:30 +0100

--t0ULFUje031918.1422652530/noxcommunity.com
Content-Type: message/rfc822

Return-Path: <noreply@noxcommunity.com>
Received: from noxcommunity.com (localhost.localdomain [127.0.0.1])
    by noxcommunity.com (8.13.8/8.13.8) with ESMTP id t0ULFUje031916
    for <s@s>; Fri, 30 Jan 2015 22:15:30 +0100
Received: (from root@localhost)
    by noxcommunity.com (8.13.8/8.13.8/Submit) id t0ULFUNT031915;
    Fri, 30 Jan 2015 22:15:30 +0100
Date: Fri, 30 Jan 2015 22:15:30 +0100
Message-Id: <201501302115.t0ULFUNT031915@noxcommunity.com>
To: s@s
Subject: Facebook
X-PHP-Originating-Script: 0:eb.php
From: "notification@facebookmail.com" <noreply@facebookmail.com>
Content-Type: text/html

<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'>
<meta http-equiv="Content-Type" content="text/html; charset=unicode">
<meta name="Generator" content="Microsoft SafeHTML"><title>Message body</title><bgsound src="http://email_open_log_pic.php?mid=424e194G221be96cG696b3afG2f&amp;s=a"></bgsound><table width="98%" border="0" cellspacing="0" cellpadding="40"><tbody><tr><td bgcolor="#f7f7f7" width="100%" style="font-family:'lucida grande', tahoma, verdana, arial, sans-serif"><table cellpadding="0" cellspacing="0" border="0" width="620"><tbody><tr><td style="background:#3b5998;color:#FFFFFF;font-weight:bold;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:4px 8px;vertical-align:middle;font-size:16px;letter-spacing:-0.03em;text-align:left"><a style="color:#FFFFFF;text-decoration:none" href="http://goo.gl/QdWtIJ" target="_blank"><span style="color:#FFFFFF">facebook</span></a></td><td style="background:#3b5998;color:#FFFFFF;font-weight:bold;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:4px 8px;vertical-align:middle;font-size:11px;text-align:right"></td></tr><tr><td colspan="2" style="background-color:#FFFFFF;border-bottom:1px solid #3b5998;border-left:1px solid #CCCCCC;border-right:1px solid #CCCCCC;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:15px" valign="top"><table width="100%"><tbody><tr><td width="470px" style="font-size:12px" valign="top" align="left"><div style="margin-bottom:15px;font-size:12px"></div><div style="margin-bottom:15px"><span style="color:#111111;font-size:14px;font-weight:bold;">A friend tagged you in a photo</span></div><div style="margin-bottom:15px"><div style="border-bottom:1px solid #ccc;line-height:5px">&nbsp;</div><br><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="padding:5px"></td></tr><tr><td width="150" style="font-size:11px;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:0px 5px 10px 0px"><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td valign="top" 
style="padding-right:5px"><a href="http://goo.gl/QdWtIJ" style="color:#3b5998;text-decoration:none" target="_blank"><img style="border:0px none" alt="Chris Thomas" src="https://fbstatic-a.akamaihd.net/rsrc.php/v2/yo/r/UlIqmHJn-SK.gif" width="50" height="50"></a></td><td valign="top"><span style="font-size:11px;color:#999;padding:0px 0px 10px 0px"><span style="font-size:11px;color:#3B5998;font-weight:bold"><a href="http://goo.gl/QdWtIJ" style="color:#3B5998;text-decoration:none;font-size:11px" target="_blank">Chris Thomas</a></span><br></span></td></tr></tbody></table></td></tr></tbody></table><div style="border-bottom:1px solid #ccc;line-height:5px">&nbsp;</div><br></div><div style="margin-bottom:15px">Thanks,<br>
The Facebook Team</div></td><td valign="top" width="150" style="padding-left:15px" align="left"><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="padding:10px;background-color:#fff9d7;border-left:1px solid #e2c822;border-right:1px solid #e2c822;border-top:1px solid #e2c822;border-bottom:1px solid #e2c822"><div style="margin-bottom:15px;font-size:12px"></div><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="border-width:1px;border-style:solid;border-color:#3b6e22 #3b6e22 #2c5115;background-color:#69a74e"><table cellspacing="0" cellpadding="0" style="border-collapse:collapse"><tbody><tr><td style="font-size:11px;font-family:'lucida grande', tahoma, verdana, arial, sans-serif;padding:4px 10px 5px;border-top:1px solid #95bf82"><a href="http://goo.gl/QdWtIJ" style="color:#fff;text-decoration:none;font-weight:bold;font-size:13px" target="_blank">View photo</a></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table></td></tr></tbody></table><br><table cellspacing="0" cellpadding="0" style="border-collapse:collapse;width:100%"><tbody><tr><td style="padding:10px;background-color:#fff9d7;border-left:1px solid #e2c822;border-right:1px solid #e2c822;border-top:1px solid #e2c822;border-bottom:1px solid #e2c822"><div style="font-weight:bold;margin-bottom:2px;font-size:11px">To view this friend profile photo, go to:</div><a href="http://goo.gl/QdWtIJ" style="color:#3b5998;text-decoration:none;font-size:11px" target="_blank">http://www.facebook.com/n/?reqs.php&amp;mid=424e194G221be96cG696b3afG2f&amp;bcode=M6l2wBWw&amp;n_m=christhomas@facebookmail.com</a></td></tr></tbody></table><span style=""><img src="http://www.facebook.com/email_open_log_pic.php?mid=424e194G221be96cG696b3afG2f" style="border:0;width:1px;height:1px"><bgsound src="http://www.facebook.com/email_open_log_pic.php?mid=424e194G221be96cG696b3afG2f&amp;s=a"></bgsound></span></td></tr><tr><td colspan="2" 
style="color:#999999;padding:10px;font-size:12px;font-family:'lucida grande', tahoma, verdana, arial, sans-serif">If you don't want to receive these emails from Facebook in the future, please follow the link below to unsubscribe.
http://www.facebook.com/o.php?k=7042bb&amp;u=572254572&amp;mid=424e194G221be96cG696b3afG2f
Facebook, Inc. P.O. Box 10005, Palo Alto, CA 94303</td></tr></tbody></table></td></tr></tbody></table>                    </body>
</html>

maillog:

Jan 30 22:15:30 vm2745 sendmail[31911]: t0ULFTv1031911: to=geoxnox@gmail.com, delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=35539, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t0ULFTVJ031912 Message accepted for delivery)
Jan 30 22:15:30 vm2745 sendmail[31915]: t0ULFUNT031915: from=noreply@noxcommunity.com, size=5525, class=0, nrcpts=1, msgid=<201501302115.t0ULFUNT031915@noxcommunity.com>, relay=root@localhost
Jan 30 22:15:30 vm2745 sendmail[31916]: t0ULFUje031916: from=<noreply@noxcommunity.com>, size=5760, class=0, nrcpts=1, msgid=<201501302115.t0ULFUNT031915@noxcommunity.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 30 22:15:30 vm2745 sendmail[31915]: t0ULFUNT031915: to=s@s, delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=35525, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t0ULFUje031916 Message accepted for delivery)
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: to=<s@s>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=125760, relay=s, dsn=5.1.2, stat=Host unknown (Name server: s: host not found)
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: to=<noreply@noxcommunity.com>, delay=00:00:00, mailer=local, pri=125760, dsn=5.1.1, stat=User unknown
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: t0ULFUje031918: postmaster notify: User unknown
Jan 30 22:15:30 vm2745 sendmail[31914]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031918: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=36970, dsn=2.0.0, stat=Sent
Jan 30 22:15:30 vm2745 sendmail[31919]: t0ULFUFv031919: from=noreply@noxcommunity.com, size=5525, class=0, nrcpts=1, msgid=<201501302115.t0ULFUFv031919@noxcommunity.com>, relay=root@localhost
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: to=<geoxnox@gmail.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=125774, relay=gmail-smtp-in.l.google.com. [74.125.136.26], dsn=5.0.0, stat=Service unavailable
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: to=<noreply@noxcommunity.com>, delay=00:00:00, mailer=local, pri=125774, dsn=5.1.1, stat=User unknown
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: t0ULFUVJ031914: postmaster notify: User unknown
Jan 30 22:15:30 vm2745 sendmail[31910]: STARTTLS=client, relay=mta5.am0.yahoodns.net., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Jan 30 22:15:30 vm2745 sendmail[31921]: t0ULFUrk031921: from=<noreply@noxcommunity.com>, size=5760, class=0, nrcpts=1, msgid=<201501302115.t0ULFUFv031919@noxcommunity.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 30 22:15:31 vm2745 sendmail[31914]: t0ULFUVJ031914: to=root, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=36998, dsn=2.0.0, stat=Sent
Jan 30 22:15:31 vm2745 sendmail[31919]: t0ULFUFv031919: to=s@s, delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=35525, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t0ULFUrk031921 Message accepted for delivery)
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFUrk031921: to=<s@s>, delay=00:00:01, xdelay=00:00:00, mailer=esmtp, pri=125760, relay=s, dsn=5.1.2, stat=Host unknown (Name server: s: host not found)
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFUrk031921: to=<noreply@noxcommunity.com>, delay=00:00:01, mailer=local, pri=125760, dsn=5.1.1, stat=User unknown
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFUrk031921: t0ULFVrk031924: postmaster notify: User unknown
Jan 30 22:15:31 vm2745 sendmail[31924]: t0ULFVrk031924: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=36970, dsn=2.0.0, stat=Sent
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: to=<seffarachef@yahoo.com>, delay=00:00:04, xdelay=00:00:04, mailer=esmtp, pri=125778, relay=mta5.am0.yahoodns.net. [98.138.112.38], dsn=5.0.0, stat=Service unavailable
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: to=<noreply@noxcommunity.com>, delay=00:00:04, mailer=local, pri=125778, dsn=5.1.1, stat=User unknown
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: t0ULFX2n031910: postmaster notify: User unknown
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFX2n031910: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=37006, dsn=2.0.0, stat=Sent

And similar e-mails go on almost every second.

I am totally baffled about this, what's causing it?

IS4

  • First things first, *somehow* **immediately stop that sendmail instance from talking to the Internet** and don't allow it to initiate outbound connections again until you have figured out what is going on and have good reason to believe you have *fixed the problem.* Go into the server room and physically unplug the network cable if you have to. *Every second* sendmail is running and spewing garbage across the Internet only increases the probability that you'll end up on blocklists, which will mean a lot more frustration than even a few hours of SMTP downtime and outgoing email delays. – user Jan 31 '15 at 14:33
  • Yeah, I've disabled it the moment I discovered it. – IS4 Jan 31 '15 at 15:06
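Added example, not part of the question or of any answer: a small Python triage script for a maillog like the one above. Sendmail writes one `queue-id: key=value, ...` record per event, so the script parses those records, separates local submissions (the `relay=root@localhost` records that the `/Submit` path writes when a local process pipes mail into the sendmail binary) from the MTA's outbound deliveries, and reports who is injecting mail, which external mailboxes are being targeted, how deliveries fail (the 5.x.x DSNs) and the injection rate. The embedded log lines are copied from the post; the field names are sendmail's own, everything else is assumed for the example.

```python
"""Triage a sendmail maillog for a locally injected spam run.
Added example for this thread; not the poster's own tooling."""
import re
from collections import Counter
from datetime import datetime

# A handful of lines from the maillog in the question, embedded so the script
# runs offline. On a live box use:  triage(open("/var/log/maillog").read())
SAMPLE_LOG = """\
Jan 30 22:15:30 vm2745 sendmail[31911]: t0ULFTv1031911: to=geoxnox@gmail.com, delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=35539, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (t0ULFTVJ031912 Message accepted for delivery)
Jan 30 22:15:30 vm2745 sendmail[31915]: t0ULFUNT031915: from=noreply@noxcommunity.com, size=5525, class=0, nrcpts=1, msgid=<201501302115.t0ULFUNT031915@noxcommunity.com>, relay=root@localhost
Jan 30 22:15:30 vm2745 sendmail[31916]: t0ULFUje031916: from=<noreply@noxcommunity.com>, size=5760, class=0, nrcpts=1, msgid=<201501302115.t0ULFUNT031915@noxcommunity.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: to=<s@s>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=125760, relay=s, dsn=5.1.2, stat=Host unknown (Name server: s: host not found)
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: to=<noreply@noxcommunity.com>, delay=00:00:00, mailer=local, pri=125760, dsn=5.1.1, stat=User unknown
Jan 30 22:15:30 vm2745 sendmail[31918]: t0ULFUje031916: t0ULFUje031918: postmaster notify: User unknown
Jan 30 22:15:30 vm2745 sendmail[31914]: STARTTLS=client, relay=gmail-smtp-in.l.google.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Jan 30 22:15:30 vm2745 sendmail[31919]: t0ULFUFv031919: from=noreply@noxcommunity.com, size=5525, class=0, nrcpts=1, msgid=<201501302115.t0ULFUFv031919@noxcommunity.com>, relay=root@localhost
Jan 30 22:15:30 vm2745 sendmail[31914]: t0ULFTVJ031912: to=<geoxnox@gmail.com>, delay=00:00:00, xdelay=00:00:00, mailer=esmtp, pri=125774, relay=gmail-smtp-in.l.google.com. [74.125.136.26], dsn=5.0.0, stat=Service unavailable
Jan 30 22:15:33 vm2745 sendmail[31910]: t0ULFT2n031908: to=<seffarachef@yahoo.com>, delay=00:00:04, xdelay=00:00:04, mailer=esmtp, pri=125778, relay=mta5.am0.yahoodns.net. [98.138.112.38], dsn=5.0.0, stat=Service unavailable
"""

# syslog prefix, sendmail pid, queue id, then the comma-separated fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)


def parse_line(line):
    """Split one sendmail log line into its prefix and key=value fields.
    Lines without a queue id (STARTTLS= lines and the like) return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]), "qid": m["qid"]}
    for field in m["rest"].split(", "):
        key, sep, value = field.partition("=")
        if sep:  # tokens without '=' (e.g. "postmaster notify: ...") carry no field
            rec[key] = value.strip("<>")  # from=<a@b> and from=a@b both occur
    return rec


def triage(log_text):
    """Summarise who injects mail, where it goes and how it fails."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    # a from= record whose relay is user@localhost is a local sendmail
    # invocation (the /Submit path), i.e. some process on this box, not SMTP
    submissions = [r for r in records
                   if "from" in r and r.get("relay", "").endswith("@localhost")]
    out = {
        "local_submissions": len(submissions),
        "submitting_users": {r["relay"].split("@")[0] for r in submissions},
        "senders": Counter(r["from"] for r in submissions),
        # esmtp deliveries are the attempts that actually leave the machine
        "external_attempts": {r["to"] for r in records if r.get("mailer") == "esmtp"},
        # permanent failures: remote rejections plus bounces to the forged sender
        "rejections": [(r["to"], r["dsn"], r["stat"]) for r in records
                       if "to" in r and r.get("dsn", "").startswith("5")],
    }
    stamps = sorted(datetime.strptime(r["ts"], "%b %d %H:%M:%S") for r in submissions)
    span = (stamps[-1] - stamps[0]).total_seconds() if stamps else 0.0
    out["submissions_per_second"] = len(submissions) / max(span, 1.0)
    return out


if __name__ == "__main__":
    import json
    summary = triage(SAMPLE_LOG)
    summary["submitting_users"] = sorted(summary["submitting_users"])
    summary["external_attempts"] = sorted(summary["external_attempts"])
    print(json.dumps(summary, indent=2))
```

On the sample the only submitting user is `root`, every envelope sender is the non-existent `noreply@noxcommunity.com` (which is why every bounce ends up as a postmaster notification), and all outbound attempts fail, so the box is burning reputation without delivering anything. Run it over the full log and the rate figure is the number to watch while the sendmail instance is offline.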

1 Answer

It appears that your server has been hacked, possibly through a web server running PHP software. The sendmail header contains the following incriminating line:

X-PHP-Originating-Script: 0:eb.php

indicating that the email is generated using a PHP script with the filename eb.php. The 0 indicates that the script is executed by the root user, which could mean that a cron job is starting the script every minute.

The content of the email is a spoof of a Facebook notification:

[screenshot: facebook spoof]

If you hover your mouse over the link, it shows a shortened URL hosted by Google that would likely redirect anyone who receives an email from your server to a site hosting malware or phishing for Facebook login details.

Update:

Since the hacker has already gained root access to your server, deleting the script, even if you manage to find it, would not help much because:

  1. a backdoor could have already been installed for the hacker to come back and undo your recovery effort
  2. processes could be altered to thwart your effort to hunt down malicious scripts that are created and destroyed on the fly
  3. there is no way to be sure that your server is 100% disinfected

What you should do is to reinstall the server to the latest version and restore content from the last good backup. You can find more information on how to deal with a compromised server here.

Question Overflow

  • I've located the file in `/tmp/.fb/eb.php`, deleted everything there, also cleared the sendmail queue, but when I started sendmail again, it continued sending mails! The file is still reported as eb.php, but I can't `find` it now. – IS4 Jan 31 '15 at 18:23
  • @IllidanS4 Might there be some process that still has the file open? `lsof` should help. – user Jan 31 '15 at 19:23
  • `lsof | grep eb.php` doesn't show anything. – IS4 Jan 31 '15 at 19:39
  • @IllidanS4, I have updated my answer stating the possible cause and providing you with general advice. It is likely to be a _rabbit hole_ going down there :) – Question Overflow Feb 01 '15 at 03:33
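Added example, not code from the question or the answer, picking up two threads above: the `X-PHP-Originating-Script: 0:eb.php` header the answer relies on, and the comment that the file is gone yet `lsof | grep eb.php` shows nothing. PHP adds that header when `mail.add_x_header` is enabled in php.ini, in the form `uid:basename`, so `0:eb.php` says only that a PHP process running as uid 0 called `mail()` from a script whose basename was `eb.php`. PHP reads and compiles the script and then closes it, so an interpreter that was already running in a loop when the file was deleted keeps sending and never shows up in `lsof`. The script below extracts the header, cross-checks it against sendmail's own `Received: (from root@localhost)` submission line, flags the forged From: domain, and then sweeps a `/proc` tree for likely culprits. The message headers are copied from the bounce in the question; the `/proc` heuristics (assumed Linux procfs layout) and the fake process tree built by `demo_proc_tree()` are constructed for the example.

```python
"""Forensics for a PHP-driven spam run: read PHP's X-PHP-Originating-Script
stamp and look for the interpreter that is still calling mail().
Added example for this thread, not code from the question or the answer."""
import email
import email.utils
import os
import re
import tempfile

try:
    import pwd  # Unix passwd database; absent on Windows
except ImportError:
    pwd = None

# Headers copied from the bounced message in the question; the body is
# shortened to one line (constructed sample).
SAMPLE_MESSAGE = """\
Return-Path: <noreply@noxcommunity.com>
Received: (from root@localhost)
    by noxcommunity.com (8.13.8/8.13.8/Submit) id t0ULFUNT031915;
    Fri, 30 Jan 2015 22:15:30 +0100
Date: Fri, 30 Jan 2015 22:15:30 +0100
Message-Id: <201501302115.t0ULFUNT031915@noxcommunity.com>
To: s@s
Subject: Facebook
X-PHP-Originating-Script: 0:eb.php
From: "notification@facebookmail.com" <noreply@facebookmail.com>
Content-Type: text/html

<html><body>A friend tagged you in a photo</body></html>
"""

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # world-writable staging dirs


def analyse_message(raw):
    """Pull out who injected the mail and whether the From: line is forged."""
    msg = email.message_from_string(raw)
    result = {"uid": None, "user": None, "script": None, "injected_by": None}

    # php.ini mail.add_x_header=On makes mail() stamp "UID:basename-of-script";
    # uid 0 means the PHP process ran as root.
    tag = msg.get("X-PHP-Originating-Script")
    if tag:
        uid_str, _, script = tag.strip().partition(":")
        result["uid"] = int(uid_str)
        result["script"] = script
        if pwd is not None:
            try:
                result["user"] = pwd.getpwuid(result["uid"]).pw_name
            except KeyError:
                pass

    # Sendmail's own submission Received: header names the local account that
    # invoked the sendmail binary, independently of anything PHP claims.
    m = re.search(r"^Received: \(from (\S+)@localhost\)", raw, re.M)
    if m:
        result["injected_by"] = m.group(1)

    # Envelope sender (where bounces go) versus header From: a different
    # domain is the classic signature of a script forging a brand's address.
    envelope = email.utils.parseaddr(msg.get("Return-Path", ""))[1]
    header_from = email.utils.parseaddr(msg.get("From", ""))[1]
    result["envelope_sender"] = envelope
    result["header_from"] = header_from
    result["sender_domain_mismatch"] = (
        envelope.rpartition("@")[2].lower() != header_from.rpartition("@")[2].lower()
    )
    return result


def hunt_php_processes(proc_root="/proc"):
    """Heuristic sweep of a procfs tree for the process behind the mail:
    PHP interpreters, executables that no longer exist on disk, and
    processes whose working directory is a world-writable staging dir."""
    findings = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            exe = os.readlink(os.path.join(base, "exe"))  # "... (deleted)" if unlinked
            cwd = os.readlink(os.path.join(base, "cwd"))
        except OSError:  # kernel threads, vanished pids, other users' processes
            continue
        reasons = []
        if "php" in cmdline.lower():
            reasons.append("php interpreter")
        if exe.endswith("(deleted)"):
            reasons.append("executable deleted on disk")
        if (cwd + "/").startswith(SUSPECT_DIRS):
            reasons.append("cwd in world-writable dir")
        if reasons:
            findings.append({"pid": int(pid), "cmdline": cmdline, "exe": exe,
                             "cwd": cwd, "reasons": reasons})
    return sorted(findings, key=lambda h: h["pid"])


def demo_proc_tree():
    """Constructed /proc look-alike so the hunt runs offline: pid 1 is a normal
    daemon, pid 4242 a PHP CLI started from /tmp/.fb, pid 77 a binary that
    was deleted while running."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    fixtures = {
        "1": (b"/sbin/init\0", "/sbin/init", "/"),
        "4242": (b"php\0/tmp/.fb/eb.php\0", "/usr/bin/php", "/tmp/.fb"),
        "77": (b"/tmp/.fb/x\0", "/tmp/.fb/x (deleted)", "/"),
    }
    for pid, (cmdline, exe, cwd) in fixtures.items():
        d = os.path.join(root, pid)
        os.mkdir(d)
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmdline)
        os.symlink(exe, os.path.join(d, "exe"))
        os.symlink(cwd, os.path.join(d, "cwd"))
    return root


if __name__ == "__main__":
    print(analyse_message(SAMPLE_MESSAGE))
    for hit in hunt_php_processes(demo_proc_tree()):  # use "/proc" on the live box
        print(hit)
```

Point `hunt_php_processes("/proc")` at the live machine (as root, otherwise `exe` and `cwd` of other users' processes are unreadable and silently skipped) and kill what it lists before restarting sendmail; that tells you what is still firing, but as the answer says it does not tell you how the attacker got uid 0, so it is a stop-the-bleeding step before the rebuild, not a replacement for it.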