Reputation: 71
I wonder if someone would be able to give me a bit of advice on identifying the source of a potentially dodgy process running on a Linux VPS I have provisioned.
I had a security breach earlier this week, with some nasty files being dropped into the /tmp directory. I've been keeping an eye on the processes running on the server, and while I was able to find the source of some of them using the process ID and the command
ls -l /proc/<PID>/cwd
there are also loads of SMTP processes running all the time, which just don't feel like they should be running. This is the kind of thing I'm talking about:
postfix 22808 0.0 0.1 44320 4344 ? S 16:45 0:00 smtp -t unix -u -c
postfix 22815 0.0 0.1 44320 4356 ? S 16:45 0:00 smtp -t unix -u -c
postfix 22819 0.0 0.1 44320 4280 ? S 16:45 0:00 smtp -t unix -u -c
postfix 22823 0.0 0.1 44320 4384 ? S 16:45 0:00 smtp -t unix -u -c
postfix 22827 0.0 0.1 44320 4276 ? S 16:45 0:00 smtp -t unix -u -c
postfix 22831 0.0 0.1 44320 4416 ? S 16:45 0:00 smtp -t unix -u -c
How can I tell what these are, where they are being fired from, etc.?
Thanks
Upvotes: 0
Views: 1863
Reputation: 621
I also discovered the same commands being run on my (Ubuntu 14.04) laptop, though far fewer and less frequent.
I discovered this was postfix periodically retrying delivery of mail that had failed to send when I was experimenting with the sendmail command months ago.
I was able to view the mail queue using the command postqueue -p to find out the destination email addresses of the messages. Then I deleted all messages in the queue using sudo postsuper -d ALL.
Upvotes: 1
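As an added example (not part of the question or of the answer above), the script below does the two checks a responder would want here. `parent_chain` walks /proc from a PID up to PID 1, printing each ancestor's name, binary and working directory, so you can confirm that an `smtp -t unix -u -c` process is a delivery agent forked by the postfix `master` process rather than something launched from /tmp. `summarize_queue` parses `postqueue -p` output from stdin and counts messages by queue state, sender and recipient domain, so a couple of stale test messages and a queue full of mail injected after a breach look clearly different. The queue listing it runs on is a constructed sample embedded in the script; the host names, queue IDs and addresses in it are made up. It assumes a Linux /proc and only needs sh and awk.

```shell
#!/bin/sh
# Added example, not code from the original post. Two triage helpers:
#   parent_chain PID   print "pid name exe cwd" for PID and each ancestor
#   summarize_queue    summarise `postqueue -p` output read from stdin
# Assumes a Linux /proc filesystem; everything else is plain sh + awk.

# Walk up the process tree via /proc/<pid>/status (PPid:) until PID 1.
parent_chain() {
    pid=$1
    while [ -r "/proc/$pid/status" ]; do
        name=$(awk '/^Name:/ { print $2 }' "/proc/$pid/status")
        # readlink fails on other users' processes without root; show '?'.
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
        cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
        printf '%s\t%s\t%s\t%s\n' "$pid" "$name" "$exe" "$cwd"
        pid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status")
        # Stop at the top of the tree (PPid 0) or on anything non-numeric.
        case $pid in ''|0|*[!0-9]*) break ;; esac
    done
}

# Parse postqueue -p / mailq format:
#   -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
#   ID[*|!]  size  date  sender          (* = active queue, ! = hold)
#                  (optional deferral reason in parentheses)
#                  recipient@domain ... (one per line)
#   -- N Kbytes in M Requests.
summarize_queue() {
    awk '
    /^-Queue ID-/ || /^--/ || /^Mail queue is empty/ { next }
    /^[0-9A-Za-z]+[*!]? / {                 # first line of a queue entry
        msgs++
        if ($1 ~ /\*$/)      active++
        else if ($1 ~ /!$/)  held++
        else                 deferred++     # deferred or incoming queue
        senders[$NF]++                      # sender is the last field
        in_entry = 1
        next
    }
    in_entry && /^[ \t]+\(/ { next }        # "(reason)" line, skip
    in_entry && /^[ \t]+[^ \t]+@/ {         # recipient line
        rcpt = $1
        sub(/.*@/, "", rcpt)                # keep only the domain part
        domains[rcpt]++
        rcpts++
        next
    }
    /^[ \t]*$/ { in_entry = 0 }             # blank line ends an entry
    END {
        printf "messages=%d active=%d held=%d deferred=%d recipients=%d\n",
               msgs, active, held, deferred, rcpts
        for (s in senders) printf "sender %s %d\n", s, senders[s]
        for (d in domains) printf "domain %s %d\n", d, domains[d]
    }'
}

# Constructed sample of postqueue -p output (hosts/addresses are made up).
# A sender such as www-data@... means the web server user submitted the
# mail, which is worth chasing after a web-facing compromise.
sample_queue() {
cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3A2B1C4D5E*    1234 Mon Jun  1 16:45:02  root@vps.example.com
                                         (connect to mail.example.net[192.0.2.10]:25: Connection timed out)
                                         alice@example.net

4F6A7B8C9D     2345 Mon Jun  1 16:45:10  www-data@vps.example.com
                                         (host mx.example.org[192.0.2.20] said: 450 4.7.1 try again later)
                                         bob@example.org
                                         carol@example.org

5C7D8E9F0A!    4321 Sun May 31 09:12:44  www-data@vps.example.com
                                         dave@example.org

-- 7 Kbytes in 3 Requests.
EOF
}

# Demo. On a real host: parent_chain 22808 ; postqueue -p | summarize_queue
parent_chain "$$"
sample_queue | summarize_queue
```

On the server from the question, `parent_chain 22808` should end in the postfix `master` process and then init; if any link in that chain has an `exe` or `cwd` under /tmp, or a name that is not a postfix daemon, that process is the one to investigate. Before running `postsuper -d ALL` during an incident, consider `postsuper -h ALL` to hold the queue and `postcat -q <queue-id>` to read individual messages, since deleting the queue also deletes the evidence of what was being sent and to whom.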