
A PHP script is sending tons of emails. I want to detect what the source is. All emails are sent by the user www-data, which is the user used by Apache. When I check the processes, I have this result:

www-data 16220 0.7 4.7 402508 95924 ? S 09:37 0:06 /usr/sbin/apache2 -k start
www-data 16352 0.4 3.8 402132 78064 ? S 09:39 0:03 /usr/sbin/apache2 -k start
www-data 16725 0.6 3.8 402472 78624 ? S 09:46 0:02 /usr/sbin/apache2 -k start
www-data 16840 0.8 4.2 410744 87204 ? S 09:48 0:01 /usr/sbin/apache2 -k start
www-data 16949 1.0 4.5 417560 93436 ? S 09:49 0:01 /usr/sbin/apache2 -k start
www-data 16958 1.0 3.5 402120 72748 ? S 09:50 0:01 /usr/sbin/apache2 -k start
www-data 16978 1.2 4.6 425160 94864 ? S 09:51 0:00 /usr/sbin/apache2 -k start
www-data 16980 0.8 3.5 402140 72208 ? S 09:51 0:00 /usr/sbin/apache2 -k start
www-data 16983 0.4 2.6 402160 54400 ? S 09:51 0:00 /usr/sbin/apache2 -k start

Apache is using many processes, and I don't know which script is sending the mail.

Is there a way to do that?

  • Emails have nothing to do with number of Apache processes. Apache just starts several threads to serve requests in parallel... Commented Aug 24, 2015 at 14:22
  • @AndreySapegin, I know. But I don't know which scripts are running. Commented Aug 24, 2015 at 14:24
  • @GregL, my question is more precise. Commented Aug 24, 2015 at 14:28
  • Your question is about a particular aspect of a compromised server. The advice provided in the referenced question still applies. Commented Aug 24, 2015 at 15:11
  • Run maldet. Delete the malware it finds. Sorted. Commented Aug 24, 2015 at 17:14

1 Answer


You might be able to strace all running Apache processes, dumping the output to a file, and then, once the spam goes out, see if you can track down what was going on (such as by saving frequent dumps of server-status using mod_status if it's not obvious from the strace output by looking at file paths).

You could try something like the following, though note it may be resource-intensive. Adjust the -s parameter as needed.

```bash
# Collect the PIDs of every apache2 process (parent and workers) and attach
# strace to all of them at once. pgrep matches the full command line and never
# returns itself, unlike `ps ax | grep ...`, which can pick up the grep's own PID
# and make strace fail with "No such process".
pidlist=''
for pid in $(pgrep -f /usr/sbin/apache2); do
    pidlist="$pidlist -p $pid"
done

# -f  follow forks, so a sendmail child spawned by a worker is traced too
# -tt timestamp every line with microseconds
# -s  keep long strings (file paths, message bodies) from being truncated
strace -s 1024 -tt -f $pidlist > strace_apache2.out 2>&1
```
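Once the trace file exists, the tedious part is finding the moment mail leaves and walking back to the PHP file the same worker had opened. The script below is an added example, not part of the answer or the original thread: it parses `strace -tt -f` lines (with or without the `[pid N]` prefix strace uses when several processes share one stderr), remembers the last `.php` file each worker opened, follows `clone()`/`fork()` return values so a forked `sendmail` child is blamed on its parent worker, and reports every `execve` of a local mailer and every `connect()` to an SMTP port. The embedded trace lines are constructed, not a real capture; the PIDs, paths and addresses are made up, and the set of mailer names and ports it looks for is an assumption you may need to widen.

```python
import os
import re
import sys

# Constructed sample of `strace -s 1024 -tt -f` output (not real data).
# Worker 16352 opens a PHP file and forks sendmail; worker 16725 opens another
# PHP file and talks to an SMTP relay directly; worker 16840 sends mail without
# having opened any .php in this window (e.g. opcache), so it cannot be blamed.
SAMPLE_TRACE = """\
[pid 16220] 09:37:12.100001 accept4(4, {sa_family=AF_INET, sin_port=htons(51234), sin_addr=inet_addr("203.0.113.5")}, [16], SOCK_CLOEXEC) = 11
[pid 16220] 09:37:12.100500 open("/var/www/html/index.php", O_RDONLY) = 12
[pid 16220] 09:37:12.101000 connect(13, {sa_family=AF_INET, sin_port=htons(3306), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
[pid 16352] 09:39:01.200001 openat(AT_FDCWD, "/var/www/html/wp-content/uploads/cache/x7.php", O_RDONLY) = 12
[pid 16352] 09:39:01.210000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f00) = 17001
[pid 17001] 09:39:01.210500 execve("/usr/sbin/sendmail", ["/usr/sbin/sendmail", "-t", "-i"], [/* 20 vars */]) = 0
[pid 16725] 09:46:30.300001 open("/var/www/html/assets/js/jquery.min.php", O_RDONLY) = 12
[pid 16725] 09:46:30.300900 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 13
[pid 16725] 09:46:30.301000 connect(13, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("198.51.100.9")}, 16) = 0
[pid 16840] 09:48:05.400000 connect(14, {sa_family=AF_INET, sin_port=htons(25), sin_addr=inet_addr("192.0.2.20")}, 16) = 0
"""

# One strace line: optional "[pid N]" prefix or bare pid, -tt timestamp, call,
# argument list and return value. Unfinished/resumed calls, signal and exit
# lines do not match and are skipped.
LINE_RE = re.compile(
    r'^(?:\[pid\s+)?(?P<pid>\d+)\]?\s+'
    r'(?P<ts>\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+'
    r'(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+|\?)'
)
PHP_PATH_RE = re.compile(r'"([^"]+\.php)"')
EXEC_PATH_RE = re.compile(r'^"([^"]+)"')
PORT_RE = re.compile(r'sin_port=htons\((\d+)\)')
ADDR_RE = re.compile(r'inet_addr\("([^"]+)"\)')

# Assumed set of local mailer binaries and SMTP ports worth flagging.
MAILERS = {'sendmail', 'sendmail.postfix', 'exim', 'exim4', 'msmtp'}
SMTP_PORTS = {25, 465, 587}


def _origin(pid, last_php, parent):
    """Walk from pid up its clone()/fork() chain to the first process that
    opened a .php file; returns (worker_pid, script) or (None, None)."""
    seen = set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        if pid in last_php:
            return pid, last_php[pid]
        pid = parent.get(pid)
    return None, None


def find_mail_senders(trace_text):
    """Return one dict per outbound-mail event in the trace: when it happened,
    which pid did it, how ('via'), and which worker/script gets the blame."""
    last_php = {}   # worker pid -> last .php path it opened
    parent = {}     # child pid -> parent pid, from clone()/fork() return values
    hits = []
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, call, args, ret = int(m['pid']), m['call'], m['args'], m['ret']
        via = None
        if call in ('open', 'openat'):
            p = PHP_PATH_RE.search(args)
            if p:
                last_php[pid] = p.group(1)
        elif call in ('clone', 'fork', 'vfork') and ret.isdigit():
            parent[int(ret)] = pid          # the child inherits the blame
        elif call == 'execve':
            e = EXEC_PATH_RE.match(args)
            if e and os.path.basename(e.group(1)) in MAILERS:
                via = 'execve ' + e.group(1)
        elif call == 'connect':
            port = PORT_RE.search(args)
            if port and int(port.group(1)) in SMTP_PORTS:
                addr = ADDR_RE.search(args)
                via = 'connect %s:%s' % (addr.group(1) if addr else '?', port.group(1))
        if via:
            worker, script = _origin(pid, last_php, parent)
            hits.append({'time': m['ts'], 'pid': pid, 'via': via,
                         'worker': worker, 'script': script})
    return hits


if __name__ == '__main__':
    # Usage: python3 find_mailer.py strace_apache2.out  (no argument: sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for h in find_mail_senders(text):
        print('%s pid %d %s <- worker %s script %s'
              % (h['time'], h['pid'], h['via'], h['worker'], h['script']))
```

A hit whose script is None (the third one in the sample) is exactly the case the answer mentions: the worker sent mail but never open()ed a `.php` during the window, typically because the file was already in opcache, so the mod_status dump or a longer trace is what ties that PID back to a request. Widen MAILERS and SMTP_PORTS if the server uses a different MTA or relay.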
