Manish

Reputation: 1836

How to find out which code is using Sendmail?

Some unknown code (virus?) suddenly started sending out thousands of mails from our server, and though we think we have removed the corresponding malicious PHP file, the mails are still getting sent out.

How can I find out which code is sending out the mails? I tried looking under /var/log/maillog but no pointers there. Any other way of finding it out?

We are using CentOS distro.

Upvotes: 0

Views: 1312

Answers (2)

Manish

Reputation: 1836

The malicious code was in the WordPress DB and associated PHP files; every time the site was loaded, it was called through a call to the header PHP. We cleaned the site and a fresh install fixed the problem. I had already checked crontab and there was no infected code there. Thanks for all the pointers.

Upvotes: 0

Lix

Reputation: 47956

The fact that you have removed the corresponding PHP file doesn't mean that that file didn't manage to make copies of itself elsewhere on your system. If you say that these emails are being sent continuously, i.e. this was not a single occurrence, then it is possible that the script has somehow infiltrated your crontab files and is calling itself periodically.

Take a look at your crontab file for each user (including root) on your system. Make sure to inspect any script the crontab is executing no matter how innocent it looks.
Another option would be an .htaccess file executing a certain script when presented with a specific URL. One could easily hide the execution of a script in this way. Inspect all .htaccess files for strange rules that you have no record of...
Hopefully one or more of these options will shed some light on where these emails are being sent from...

Upvotes: 2
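The two checks in this answer (every user's crontab, including root's, and .htaccess files with rules you have no record of) as an added triage script; it is not code from the answer. It assumes the CentOS layout where per-user crontabs live in /var/spool/cron and system ones in /etc/crontab and /etc/cron.d, and takes paths as arguments so it can also be run against a copied filesystem.

```shell
#!/bin/sh
# Added example, not from the original answer. Enumerate cron entries and
# flag .htaccess files whose directives can route a request to a script.

# Print "file:lineno:entry" for every non-comment, non-empty line in the
# per-user crontab spool (root's crontab is in there too on CentOS) plus the
# system-wide crontab and /etc/cron.d. Defaults: /var/spool/cron /etc
list_cron_entries() {
    spool="${1:-/var/spool/cron}"
    etc="${2:-/etc}"
    for f in "$spool"/* "$etc"/crontab "$etc"/cron.d/*; do
        [ -f "$f" ] || continue            # unmatched globs stay literal; skip
        grep -nvE '^[[:space:]]*(#|$)' "$f" | sed "s|^|$f:|"
    done
}

# Print every .htaccess under the web root that rewrites requests, changes
# the handler for a file type, or overrides PHP settings. None of these is
# malicious by itself, but each is a rule you should be able to account for.
find_suspicious_htaccess() {
    root="${1:-/var/www}"
    find "$root" -name .htaccess -type f 2>/dev/null | while read -r f; do
        if grep -qiE '^[[:space:]]*(RewriteRule|AddHandler|AddType|SetHandler|php_value|php_flag|ErrorDocument)' "$f"; then
            echo "$f"
        fi
    done
}

# Stand-alone usage against the live system (run as root):
#   list_cron_entries; find_suspicious_htaccess /var/www
```

Every cron line printed names a script to read; inspect it no matter how innocent the path looks, as the answer says.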
