D [mailto:bqlist (at mark) distortal.com] said:
> Recently I looked into /var/log/messages and /var/log/maillog and found
> a lot of entries that look like my server is trying to send email.
> Netstat appears to show lots of http connections to mail servers and I
> am concerned that someone has uploaded an insecure mail script.
Are you sure you mean 'httpd connections to mail servers', rather than 'SMTP
connections to mail servers'? If in doubt, just post a suspect snippet from
your netstat output.
> Is there any way to find out which script spawned a given message? As
> far as I am aware there are only PHP scripts on the server, but I could
> be wrong.
I can't offhand think of an easy way of telling which script sent a message.
I'll have a think about it, see if I can come up with any suggestions.
One thing to check is to make sure you haven't been hacked, and had
something like a qmail-based spambot relay installed. Take a look at a 'ps
-ef' and make sure there's nothing mail-related running except the usual-
looking 'sendmail' queue runners and dovecot stuff.
> DD
-- hugh
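
The 'ps -ef' check suggested in the reply above can be scripted. This is an added example, not part of the original message: the pattern lists, the function names and the sample process listing are all constructed assumptions for a sendmail plus dovecot host.

```shell
#!/bin/sh
# Added example: flag mail-related processes in `ps -ef` output that are not
# the expected sendmail or dovecot ones. Both pattern lists are assumptions.

# Substrings that mark a command line as mail-related (assumed list).
MAIL_RE='qmail|postfix|exim|smtp|sendmail|dovecot|imap|pop3|mail'
# Command basenames expected on a sendmail + dovecot host (assumed list).
EXPECTED_RE='^(sendmail:?|dovecot|dovecot-auth|imap-login|pop3-login|imap|pop3)$'

# Reads `ps -ef` output on stdin; prints "PID USER COMMAND" per suspect process.
flag_mail_procs() {
    awk -v mail_re="$MAIL_RE" -v ok_re="$EXPECTED_RE" '
        NR == 1 && $2 == "PID" { next }      # skip the header line
        {
            # Fields 8 onward hold the command line in ps -ef output.
            cmd = $8
            for (i = 9; i <= NF; i++) cmd = cmd " " $i
            if (tolower(cmd) !~ mail_re) next
            # Compare the basename of the first word with the expected set.
            n = split($8, parts, "/")
            if (parts[n] !~ ok_re) print $2, $1, cmd
        }'
}

# Constructed sample listing (not taken from any real host).
sample_ps() {
cat <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root      2101     1  0 Jan10 ?        00:00:03 sendmail: accepting connections
smmsp     2110     1  0 Jan10 ?        00:00:00 sendmail: Queue runner@01:00:00 for /var/spool/clientmqueue
root      2150     1  0 Jan10 ?        00:00:01 /usr/sbin/dovecot
dovecot   2153  2150  0 Jan10 ?        00:00:00 imap-login
apache    3300  3200  0 Jan12 ?        00:00:09 /usr/sbin/httpd
apache    4242     1  0 Jan12 ?        00:04:51 /var/tmp/q/qmail-send
apache    4243  4242  0 Jan12 ?        00:02:10 perl /var/tmp/q/smtp-out.pl
EOF
}

# On a live host: ps -ef | flag_mail_procs
sample_ps | flag_mail_procs
```

Process names can be changed by whoever starts the process, so an empty result only rules out the obvious cases; the owning user and parent PID of the 'sendmail' entries are still worth reading by eye.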