I have a Unix server that I fear has been hacked and is being used as a spam-bot by some unscrupulous character(s). Every day, a task is initialized that sends mails to a lot of email addresses, and the emails are from different email addresses every time. From my investigations so far, I've realised that when the emails are sent, `/var/log/mail.log` is updated with the recipient, sender and time information. `/var/log/syslog` is also updated to indicate that mail was sent.
The problem (apart from being hacked) is that the file `/var/log/mail.log` becomes big quite fast. In a day it jumps up by 300MB ~ 500MB, which needless to say is quite problematic for me.
I'm therefore trying to find the process that is initializing this, and from there find the file responsible and remove it. I've tried running:

    ps -A

and

    ps -ef

to see ALL the running processes, but I was unable to understand the display, hence I couldn't identify any likely suspects.
At the moment, I don't know what else to do apart from removing everything from the server and formatting it (I sincerely hope to avoid that though). If anyone can suggest any directions I could take, I'd be quite grateful.
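As an added example (not part of the question or of any answer), the following POSIX shell script shows one way to get useful information out of the two places the question mentions, `/var/log/mail.log` and the process list, before deciding whether to rebuild. It assumes Postfix-style log lines, which are the usual format on Debian/Ubuntu hosts: `postfix/qmgr` lines carry the envelope sender and the recipient count, and `postfix/pickup` lines record the numeric `uid` of the local account that handed the message to the mail system. That uid is normally the fastest way to find the compromised account (for example, the web server user). The log lines embedded below are constructed sample data, not lines from the asker's server.

```shell
#!/bin/sh
# Added example: summarise a Postfix-style mail.log to find who is sending,
# and list processes worth a closer look. All log lines below are
# CONSTRUCTED sample data in the usual Postfix format.

SAMPLE_LOG='Mar  3 04:01:02 host postfix/pickup[1200]: A1B2C3D4E5: uid=33 from=<www-data>
Mar  3 04:01:02 host postfix/qmgr[1234]: A1B2C3D4E5: from=<random1@example.com>, size=1024, nrcpt=50 (queue active)
Mar  3 04:01:03 host postfix/pickup[1200]: F6A7B8C9D0: uid=33 from=<www-data>
Mar  3 04:01:03 host postfix/qmgr[1234]: F6A7B8C9D0: from=<random2@example.net>, size=980, nrcpt=50 (queue active)
Mar  3 04:01:04 host postfix/qmgr[1234]: 0B1C2D3E4F: from=<random1@example.com>, size=1100, nrcpt=50 (queue active)
Mar  3 04:02:00 host postfix/pickup[1200]: 5E6F7A8B9C: uid=1000 from=<alice>
Mar  3 04:02:00 host postfix/qmgr[1234]: 5E6F7A8B9C: from=<alice@example.org>, size=512, nrcpt=1 (queue active)'

# Reads a mail.log on stdin; prints "count sender", busiest envelope sender first.
# Only qmgr lines are considered so that pickup lines are not double-counted.
senders_by_volume() {
    sed -n '/postfix\/qmgr/s/.*from=<\([^>]*\)>.*/\1/p' | sort | uniq -c | sort -rn
}

# Reads a mail.log on stdin; sums nrcpt per envelope sender to estimate how
# many recipients each address reached. Prints "total sender", largest first.
recipients_by_sender() {
    sed -n '/postfix\/qmgr/s/.*from=<\([^>]*\)>.*nrcpt=\([0-9]*\).*/\1 \2/p' \
    | awk '{ n[$1] += $2 } END { for (s in n) print n[s], s }' | sort -rn
}

# Reads a mail.log on stdin; prints "count uid localname" for the local
# accounts that submitted mail. The uid column maps to /etc/passwd and points
# at the account whose scripts or cron jobs are doing the sending.
submitting_uids() {
    sed -n '/postfix\/pickup/s/.*uid=\([0-9]*\) from=<\([^>]*\)>.*/\1 \2/p' \
    | sort | uniq -c | sort -rn
}

# Lists every process of one user with its parent pid and elapsed time, using
# only POSIX ps columns, so the output is easier to read than plain ps -ef.
# Usage: processes_of_user www-data
processes_of_user() {
    ps -eo pid,ppid,user,etime,args | awk -v u="$1" 'NR == 1 || $3 == u'
}

# Stand-alone run over the constructed sample log.
printf '%s\n' "== senders by message count =="
printf '%s\n' "$SAMPLE_LOG" | senders_by_volume
printf '%s\n' "== recipients per sender =="
printf '%s\n' "$SAMPLE_LOG" | recipients_by_sender
printf '%s\n' "== local uids that submitted mail =="
printf '%s\n' "$SAMPLE_LOG" | submitting_uids
```

On a real host, replace the sample with `senders_by_volume < /var/log/mail.log` (and the rotated `mail.log.1`). Once `submitting_uids` names a uid, `getent passwd <uid>` gives the account, `processes_of_user <name>` and that account's crontab (`crontab -l -u <name>`) show what it is running, and the `ppid` column leads to whatever started it. Note that a uid of a web server account usually means a compromised web application rather than a compromised system account.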
Well, it seems that your VM has been compromised.

The best option would probably be to turn it off and investigate the matter. But if you don't want to kill a lot of time with this, then you would be better off rebuilding the VM entirely. Because if you can't investigate the matter, the script or process could be anywhere, so it is probably better to rebuild it and secure it.