I have a WHM server running Centos 4 (yes I know it just turned unsupported) all updates are installed, everything seems up to date.
In Dec 2011 one of the server owners, who has like 50 websites on it, got his computer infected and the virus/trojan read his FTP saved passwords then logged in by ftp and modified ALL index.php files it could find, we though we cleared all.
The problem is the following, they’re somehow sending e-mails using a perl script fired by Apache I need a way to find out which is the path of the script they’re firing, in “ps” it only shows as “perl”, when checking the files opened by the perl script it lists ALL apache vhost logs, apache error log and /dev/null.
I NEED a way to find out the path of the script that’s sending the e-mails, the server got listed into CBL at spamhaus twice by now, searching “by hand” it’s not an option as there are over 200 websites there that take over 100GB of space on the server.
Server it is NOT compromised, the only problem is that I can’t find the script that sends the spam.
You can try and figure it out from the /proc directory
Grab the PID of the running perl process, then check
/proc/PID/cwd which will be a symlink to the current working directory of the script
check
/proc/PID/cmdline which will contain the full command line of the running process
(in both those cases replace PID with the pid of the process)
Disclaimer: I’m working off my linux machine, so it is entirely possible that your file system layout is different