compromised script sending spam? How to find it?

schwim

Well-Known Member
Aug 2, 2006
213
0
166
Hi there guys,

I have a dedicated server through GoDaddy. I've had ConfigServer.com work their magic on it, and it seems to be locked down pretty well.... however, your server is only as safe as what you allow to be put on it, right?

Well, this morning at 1:27 am, I received a notice from GoDaddy that I had reached my SMTP relay limit of 15,000. The logs show nowhere near that number, so I'm figuring that it's a script that has been compromised. I monitor my MailWatch system, and I limit the amount of mail allowed to be sent through users' accounts, so I'm pretty sure that it's not a legitimate SMTP connection that is causing this.

Server load stays low, although httpd is restarting multiple times an hour. I am checking the stats through WHM and tailing the /var/log/messages, looking for something to clue me in, but I can't see a single thing that would reflect that volume of email being sent.

What's the best way to pinpoint the problem? I've got over 30 domains with every type of script imaginable being run by the clients.

thanks,
json
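One way to start narrowing this down on an Exim/cPanel box, as an added example that is not from this thread or from anyone in it: tally Exim mainlog entries by the working directory of the process that invoked sendmail (the cwd= lines Exim writes when log_selector includes +arguments), by local user, and by authenticated sender, so a single script directory with thousands of submissions stands out from the 30 domains. The log lines below are constructed, and the field layout is assumed from Exim's standard mainlog format.

```python
import re
from collections import Counter

# Constructed Exim mainlog sample (not from the post). "cwd=... args:" lines
# are logged with log_selector +arguments and name the directory of the process
# that ran /usr/sbin/sendmail; "<=" lines are message arrivals.
SAMPLE_MAINLOG = """\
2006-11-21 00:20:01 cwd=/home/site1/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2006-11-21 00:20:01 1GmAaa-0001aa-Xy <= www@site1.example U=site1 P=local S=842
2006-11-21 00:20:02 cwd=/home/site7/public_html/old/guestbook 3 args: /usr/sbin/sendmail -t -i
2006-11-21 00:20:02 1GmAab-0001ab-Xy <= www@site7.example U=site7 P=local S=1203
2006-11-21 00:20:02 cwd=/home/site7/public_html/old/guestbook 3 args: /usr/sbin/sendmail -t -i
2006-11-21 00:20:02 1GmAac-0001ac-Xy <= www@site7.example U=site7 P=local S=1198
2006-11-21 00:20:03 cwd=/home/site7/public_html/old/guestbook 3 args: /usr/sbin/sendmail -t -i
2006-11-21 00:20:03 1GmAad-0001ad-Xy <= www@site7.example U=site7 P=local S=1211
2006-11-21 00:20:04 cwd=/var/spool/cron 2 args: /usr/sbin/sendmail -oem
2006-11-21 00:20:04 1GmAae-0001ae-Xy <= root@host.example U=root P=local S=410
2006-11-21 00:20:05 1GmAaf-0001af-Xy <= bob@site3.example H=(pc) [203.0.113.5] P=esmtpa A=courier_login:bob@site3.example S=3120
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: ")
ARRIVAL_RE = re.compile(r"^\S+ \S+ \S+ <= \S+ (?P<rest>.*)$")
SYSTEM_DIRS = ("/var/spool", "/root", "/etc")  # cron and system mail, not web scripts

def tally_mainlog(text):
    """Return (script_dirs, local_users, auth_senders) Counters for a mainlog text."""
    script_dirs, local_users, auth_senders = Counter(), Counter(), Counter()
    for line in text.splitlines():
        m = CWD_RE.match(line)
        if m:
            cwd = m.group(1)
            if not cwd.startswith(SYSTEM_DIRS):
                script_dirs[cwd] += 1          # a web script calling sendmail
            continue
        m = ARRIVAL_RE.match(line)
        if m:
            rest = m.group("rest")
            user = re.search(r"\bU=(\S+)", rest)
            auth = re.search(r"\bA=\S+?:(\S+)", rest)
            if auth:                            # SMTP-authenticated submission
                auth_senders[auth.group(1)] += 1
            elif user:                          # local submission (script, cron)
                local_users[user.group(1)] += 1
    return script_dirs, local_users, auth_senders

def suspect_dirs(text, threshold=2):
    """Script directories that invoked sendmail more than `threshold` times, busiest first."""
    script_dirs, _, _ = tally_mainlog(text)
    return [(d, n) for d, n in script_dirs.most_common() if n > threshold]
```

Run tally_mainlog over the contents of /var/log/exim_mainlog (cPanel's Exim log location) with a threshold in the hundreds; a single public_html subdirectory dominating the count is the script to inspect, while a dominant authenticated sender points instead to a stolen mailbox password.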

schwim

Well-Known Member
Aug 2, 2006
213
0
166
no httpd restarts since 7:20 this morning, and I just received the first notice of the night that httpd restarted. I checked the chkservd log, and it simply states:

[Tue Nov 21 00:21:13 2006] Service check ....antirelayd [+]...cpsrvd [+]...exim [+]...eximstats [+]...ftpd [+]...httpd [TIMEOUT!!!! on send
-Notification => [email protected] via EMAIL [level => 3]
Restarting httpd....
[Tue Nov 21 00:22:18 2006] [warn] NameVirtualHost xxx.xxx.xxx.xxx:80 has no VirtualHosts
[Tue Nov 21 00:22:18 2006] [warn] NameVirtualHost xxx.xxx.xxx.xxx:80 has no VirtualHosts
/etc/rc.d/init.d/httpd start: httpd started
Which isn't a bunch of help. The messages log doesn't show me anything useful either.

Any help at all would be greatly appreciated, as I suspect this problem isn't going to go away.

thanks,
json

schwim

Well-Known Member
Aug 2, 2006
213
0
166
Thanks very much for your help. I appreciate it more than you can know.

thanks,
json

pokerz

Registered
Mar 10, 2008
1
0
51
Daily SMTP Relay Limit Reached

Did anyone figure this one out? My SMTP relay is also maxing out, and I can only change one thing at a time to test because GoDaddy won't reset the relay and it only resets at midnight, so this could take forever. Today I checked the box (POP before SMTP), crossing my fingers until midnight again.... If anyone knows the fix, please fill me in!
Thank you,
Pokerz