
Possible Duplicate:
My server's been hacked EMERGENCY

I have a LAMP server running that has suddenly started trying to send out spam email. I wonder would anyone have any suggestion to help track down how this is being done.

The server itself does not listen on port 25, so it's not a relay issue there. I assume it's some sort of PHP (or other) email injection, especially given the sender is www-data@domain.

The problem is I'm not exactly sure where to find the problem code. Would anyone have any suggestions as to how best to go about this? Apache and system logs are not coming up with much.

Server software is:

  • Apache 2.2.14
  • PHP 5.2.10
  • MySQL 14.14
  • Drupal 6.25

With multiple sites hosted on server.

If there is any more information I can add that might help, please let me know.

Jan Geep

The only thing to do here is nuke it from orbit and reinstall from a known good backup. You may also want to get a copy for later analysis. – user9517 Mar 20 '12 at 21:28

1 Answer


Compromised systems can't be trusted; restore from backup.

Lucas Kauffman