Thread: [SOLVED] Spam Being Sent Thru Server - Help Needed!
View Single Post
  #11 (permalink)  
Old 08-24-2007, 09:49 AM
msf004 msf004 is offline
Senior Member
  
Posts: 73
Default
Yes, I have been scanning "ps -ef" continually. The only things I find curious are the "/tmp/.swatch_script.19528" entries; however, from other posts that appears to be part of Zimbra - but I cannot say definitely.

Here is the output from ps -eafwww


UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jul27 ? 00:00:02 init [3]
root 2 1 0 Jul27 ? 00:00:10 [migration/0]
root 3 1 0 Jul27 ? 00:00:00 [ksoftirqd/0]
root 4 1 0 Jul27 ? 00:00:10 [migration/1]
root 5 1 0 Jul27 ? 00:00:00 [ksoftirqd/1]
root 6 1 0 Jul27 ? 00:00:00 [events/0]
root 7 1 0 Jul27 ? 00:00:00 [events/1]
root 8 6 0 Jul27 ? 00:00:00 [khelper]
root 9 6 0 Jul27 ? 00:00:00 [kacpid]
root 34 6 0 Jul27 ? 00:00:00 [kblockd/0]
root 35 6 0 Jul27 ? 00:00:00 [kblockd/1]
root 36 1 0 Jul27 ? 00:00:00 [khubd]
root 56 6 0 Jul27 ? 00:00:00 [aio/0]
root 57 6 0 Jul27 ? 00:00:00 [aio/1]
root 55 1 0 Jul27 ? 00:01:12 [kswapd0]
root 201 1 0 Jul27 ? 00:00:00 [kseriod]
root 320 1 0 Jul27 ? 00:00:00 [scsi_eh_0]
root 334 6 0 Jul27 ? 00:00:00 [ata/0]
root 335 6 0 Jul27 ? 00:00:00 [ata/1]
root 339 1 0 Jul27 ? 00:00:00 [scsi_eh_1]
root 340 1 0 Jul27 ? 00:00:00 [scsi_eh_2]
root 350 1 0 Jul27 ? 00:02:56 [kjournald]
root 1629 1 0 Jul27 ? 00:00:00 udevd
root 1914 6 0 Jul27 ? 00:00:00 [kauditd]
root 1980 6 0 Jul27 ? 00:00:00 [kmirrord]
root 2000 1 0 Jul27 ? 00:00:00 [kjournald]
root 2597 1 0 Jul27 ? 00:01:55 syslogd -m 0
root 2601 1 0 Jul27 ? 00:00:00 klogd -x
root 2707 1 0 Jul27 ? 00:00:00 irqbalance
rpc 2731 1 0 Jul27 ? 00:00:00 portmap
root 2862 1 0 Jul27 ? 00:00:00 /usr/sbin/acpid
root 2968 1 0 Jul27 ? 00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
root 3004 1 0 Jul27 ? 00:00:00 gpm -m /dev/input/mice -t exps2
canna 3046 1 0 Jul27 ? 00:00:00 /usr/sbin/cannaserver -syslog -u canna
xfs 3087 1 0 Jul27 ? 00:00:00 xfs -droppriv -daemon
root 3104 1 0 Jul27 ? 00:00:00 /usr/sbin/atd
root 3223 1 0 Jul27 ? 00:00:00 /usr/bin/perl /usr/local/bin/ipalert_statd
root 3228 1 0 Jul27 tty1 00:00:00 /sbin/mingetty tty1
root 3229 1 0 Jul27 tty2 00:00:00 /sbin/mingetty tty2
root 3230 1 0 Jul27 tty3 00:00:00 /sbin/mingetty tty3
root 3231 1 0 Jul27 tty4 00:00:00 /sbin/mingetty tty4
root 3232 1 0 Jul27 tty5 00:00:00 /sbin/mingetty tty5
root 3233 1 0 Jul27 tty6 00:00:00 /sbin/mingetty tty6
root 3234 1 0 Jul27 ttyS0 00:00:00 /sbin/mingetty ttyS0 CON9600 vt102
root 4903 1 0 Jul28 ? 00:00:00 rhnsd --interval 240
rpcuser 20578 1 0 Jul28 ? 00:00:00 rpc.statd
root 22097 1 0 Jul28 ? 00:00:00 [krfcommd]
dbus 22162 1 0 Jul28 ? 00:00:00 dbus-daemon-1 --system
root 22284 1 0 Jul28 ? 00:00:00 hald
htt 22411 1 0 Jul28 ? 00:00:00 /usr/sbin/htt -retryonerror 0
htt 22412 22411 0 Jul28 ? 00:00:00 htt_server -nodaemon
root 22531 1 0 Jul28 ? 00:00:00 rpc.idmapd
root 22591 1 0 Jul28 ? 00:00:21 /usr/sbin/sshd
root 22669 1 0 Jul28 ? 00:00:02 crond
root 23103 1 0 Jul28 ? 00:00:00 sh -c /usr/bin/perl -Iblib/lib -Iblib/arch -I/usr/lib/perl5/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/5.8.5 -I/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.5 -I/usr/lib/perl5/site_perl/5.8.4 -I/usr/lib/perl5/site_perl/5.8.3 -I/usr/lib/perl5/site_perl/5.8.2 -I/usr/lib/perl5/site_perl/5.8.1 -I/usr/lib/perl5/site_perl/5.8.0 -I/usr/lib/perl5/site_perl -I/usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.5 -I/usr/lib/perl5/vendor_perl/5.8.4 -I/usr/lib/perl5/vendor_perl/5.8.3 -I/usr/lib/perl5/vendor_perl/5.8.2 -I/usr/lib/perl5/vendor_perl/5.8.1 -I/usr/lib/perl5/vendor_perl/5.8.0 -I/usr/lib/perl5/vendor_perl -I. examples/sslecho.pl 1212 examples/cert.pem examples/key.pem >>sslecho.log 2>&1
root 23104 23103 0 Jul28 ? 00:00:00 /usr/bin/perl -Iblib/lib -Iblib/arch -I/usr/lib/perl5/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/5.8.5 -I/usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.4/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi -I/usr/lib/perl5/site_perl/5.8.5 -I/usr/lib/perl5/site_perl/5.8.4 -I/usr/lib/perl5/site_perl/5.8.3 -I/usr/lib/perl5/site_perl/5.8.2 -I/usr/lib/perl5/site_perl/5.8.1 -I/usr/lib/perl5/site_perl/5.8.0 -I/usr/lib/perl5/site_perl -I/usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.4/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi -I/usr/lib/perl5/vendor_perl/5.8.5 -I/usr/lib/perl5/vendor_perl/5.8.4 -I/usr/lib/perl5/vendor_perl/5.8.3 -I/usr/lib/perl5/vendor_perl/5.8.2 -I/usr/lib/perl5/vendor_perl/5.8.1 -I/usr/lib/perl5/vendor_perl/5.8.0 -I/usr/lib/perl5/vendor_perl -I. examples/sslecho.pl 1212 examples/cert.pem examples/key.pem
root 3730 1 0 Aug02 ? 00:00:03 /usr/sbin/httpd
zimbra 19528 1 0 Aug02 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/logswatch --config-file=/opt/zimbra/conf/logswatchrc --use-cpan-file-tail --script-dir=/tmp -t /var/log/zimbra.log
root 13023 6 0 Aug05 ? 00:00:09 [pdflush]
root 13031 6 0 Aug05 ? 00:00:00 [pdflush]
zimbra 13885 19528 0 Aug11 ? 00:00:31 /usr/bin/perl /tmp/.swatch_script.19528
zimbra 13928 13885 0 Aug11 ? 00:04:40 /usr/bin/perl /opt/zimbra/libexec/zmlogger
zimbra 26236 1 0 Aug12 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/logswatch --config-file=/opt/zimbra/conf/logswatchrc --use-cpan-file-tail --script-dir=/tmp -t /var/log/zimbra.log
zimbra 26278 26236 0 Aug21 ? 00:00:13 /usr/bin/perl /tmp/.swatch_script.26236
zimbra 26303 26278 0 Aug21 ? 00:01:31 /usr/bin/perl /opt/zimbra/libexec/zmlogger
root 21034 1 0 Aug23 ? 00:00:00 cupsd
root 29445 22591 0 Aug23 ? 00:00:00 sshd: marcsf [priv]
marcsf 29447 29445 0 Aug23 ? 00:00:00 sshd: marcsf@pts/3
marcsf 29448 29447 0 Aug23 pts/3 00:00:00 -bash
root 29846 29448 0 Aug23 pts/3 00:00:00 su -
root 29848 29846 0 Aug23 pts/3 00:00:00 -bash
zimbra 4001 1 0 00:02 ? 00:00:11 /opt/zimbra/openldap/libexec/slapd -l LOCAL0 -4 -u zimbra -h ldap://server.domain.net:389 -f /opt/zimbra/conf/slapd.conf
zimbra 4400 1 0 00:02 ? 00:00:00 /bin/sh /opt/zimbra/logger/mysql/bin/mysqld_safe --defaults-file=/opt/zimbra/conf/my.logger.cnf --ledir=/opt/zimbra/logger/mysql/libexec
zimbra 4468 4400 0 00:02 ? 00:01:35 /opt/zimbra/logger/mysql/libexec/mysqld --defaults-file=/opt/zimbra/conf/my.logger.cnf --basedir=/opt/zimbra/logger/mysql --datadir=/opt/zimbra/logger/db/data --pid-file=/opt/zimbra/logger/db/mysql.pid --skip-external-locking --port=7307 --socket=/opt/zimbra/logger/db/mysql.sock
zimbra 4469 1 0 00:02 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/logswatch --config-file=/opt/zimbra/conf/logswatchrc --use-cpan-file-tail --script-dir=/tmp -t /var/log/zimbra.log
zimbra 4883 1 0 00:03 ? 00:00:18 /usr/bin/perl /opt/zimbra/libexec/zmmtaconfig
zimbra 4906 1 0 00:03 ? 00:00:00 /bin/sh /opt/zimbra/mysql/bin/mysqld_safe --defaults-file=/opt/zimbra/conf/my.cnf --ledir=/opt/zimbra/mysql/libexec
zimbra 4978 1 0 00:03 ? 00:00:00 /usr/bin/perl -w /opt/zimbra/libexec/zmconvertdmon -c /opt/zimbra/libexec/zmconvertd
zimbra 5012 4906 0 00:03 ? 00:00:14 /opt/zimbra/mysql/libexec/mysqld --defaults-file=/opt/zimbra/conf/my.cnf --basedir=/opt/zimbra/mysql --datadir=/opt/zimbra/db/data --pid-file=/opt/zimbra/db/mysql.pid --skip-external-locking --port=7306 --socket=/opt/zimbra/db/mysql.sock
zimbra 5169 1 0 00:03 ? 00:00:04 /opt/zimbra/java/bin/java -client -Xmx256m -Dzimbra.home=/opt/zimbra -Djava.library.path=/opt/zimbra/lib -Djava.ext.dirs=/opt/zimbra/java/jre/lib/ext:/opt/zimbra/lib/jars:/opt/zimbra/lib/ext:/opt/zimbra/lib/ext/backup:/opt/zimbra/lib/ext/clamscanner:/opt/zimbra/lib/ext/network:/opt/zimbra/lib/ext/zimbra-license:/opt/zimbra/lib/ext/zimbrahsm:/opt/zimbra/lib/ext/zimbrasync -Djava.awt.headless=true -Djava.library.path=/opt/zimbra/verity/FilterSDK/bin:/opt/zimbra/verity/ExportSDK/bin com.zimbra.cs.convertd.TransformationServer
root 5726 1 0 00:03 ? 00:00:00 /opt/zimbra/libexec/zmtomcatmgr start -Xms806m -Xmx806m -client -XX:NewRatio=2 -Djava.awt.headless=true
zimbra 5727 5726 0 00:03 ? 00:00:45 /opt/zimbra/jdk1.5.0_08/bin/java -Xms806m -Xmx806m -client -XX:NewRatio=2 -Djava.awt.headless=true -Dcatalina.base=/opt/zimbra/apache-tomcat-5.5.15 -Dcatalina.home=/opt/zimbra/apache-tomcat-5.5.15 -Djava.io.tmpdir=/opt/zimbra/apache-tomcat-5.5.15/temp -Djava.library.path=/opt/zimbra/lib -Djava.endorsed.dirs=/opt/zimbra/apache-tomcat-5.5.15/common/endorsed -classpath /opt/zimbra/apache-tomcat-5.5.15/bin/bootstrap.jar:/opt/zimbra/apache-tomcat-5.5.15/bin/commons-logging-api.jar:/opt/zimbra/lib/jars/zimbra-launcher.jar com.zimbra.cs.launcher.TomcatLauncher
zimbra 5973 1 0 00:03 ? 00:00:00 /usr/bin/perl /opt/zimbra/libexec/swatch --config-file=/opt/zimbra/conf/swatchrc --use-cpan-file-tail --script-dir=/tmp -t /var/log/zimbra.log
zimbra 6016 1 1 00:03 ? 00:06:25 /opt/zimbra/clamav/sbin/clamd --config-file /opt/zimbra/conf/clamd.conf
zimbra 6017 1 0 00:03 ? 00:00:00 /opt/zimbra/clamav/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.conf -d --checks=12
zimbra 6019 1 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra 6021 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra 6022 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra 6023 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra 6025 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra 6026 6019 0 00:03 ? 00:00:00 /opt/zimbra/httpd-2.0.54/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
root 6160 1 0 00:03 ? 00:00:05 /opt/zimbra/postfix-2.2.9/libexec/master
postfix 6169 6160 0 00:03 ? 00:00:00 qmgr -l -t fifo -u
zimbra 6208 1 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 6219 6208 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 6220 6208 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 6222 6208 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 6223 6208 0 00:03 ? 00:00:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
zimbra 6239 1 0 00:03 ? 00:00:00 amavisd (master)
postfix 6255 6160 0 00:03 ? 00:00:00 tlsmgr -l -t unix -u
postfix 7146 6160 0 00:06 ? 00:00:01 anvil -l -t unix -u
apache 31560 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31561 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31562 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31563 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31564 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31565 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31566 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
apache 31567 3730 0 01:13 ? 00:00:00 /usr/sbin/httpd
postfix 8320 6160 0 03:43 ? 00:00:04 trivial-rewrite -n rewrite -t unix -u
zimbra 12596 5973 0 04:03 ? 00:00:00 /usr/bin/perl /tmp/.swatch_script.5973
zimbra 12597 4469 0 04:03 ? 00:00:00 /usr/bin/perl /tmp/.swatch_script.4469
zimbra 12612 12597 0 04:03 ? 00:00:08 /usr/bin/perl /opt/zimbra/libexec/zmlogger
apache 29625 3730 0 06:45 ? 00:00:00 /usr/sbin/httpd
apache 29626 3730 0 06:45 ? 00:00:00 /usr/sbin/httpd
apache 29627 3730 0 06:45 ? 00:00:00 /usr/sbin/httpd
apache 29826 3730 0 06:46 ? 00:00:00 /usr/sbin/httpd
zimbra 25488 6239 0 08:10 ? 00:00:02 amavisd (ch9-avail)
zimbra 27672 6239 0 08:21 ? 00:00:01 amavisd (ch7-avail)
zimbra 28647 6239 0 08:27 ? 00:00:01 amavisd (ch7-avail)
zimbra 28655 6239 0 08:27 ? 00:00:02 amavisd (ch8-avail)
zimbra 13917 6239 0 09:24 ? 00:00:01 amavisd (ch5-avail)
zimbra 20252 6239 0 09:56 ? 00:00:00 amavisd (ch3-avail)
root 20347 29848 0 09:56 pts/3 00:00:00 tail -f zimbra.log
root 20348 29848 0 09:56 pts/3 00:00:00 grep nrcpt
postfix 21611 6160 0 10:03 ? 00:00:00 pickup -l -t fifo -u
zimbra 29235 6239 0 10:13 ? 00:00:00 amavisd (ch2-avail)
zimbra 29615 6239 0 10:14 ? 00:00:00 amavisd (ch3-avail)
zimbra 29834 6239 0 10:16 ? 00:00:01 amavisd (ch2-avail)
apache 30018 3730 0 10:17 ? 00:00:00 /usr/sbin/httpd
apache 30019 3730 0 10:17 ? 00:00:00 /usr/sbin/httpd
postfix 30868 6160 0 10:21 ? 00:00:00 smtpd -n smtp -t inet -u
postfix 31264 6160 0 10:22 ? 00:00:00 smtpd -n smtp -t inet -u
postfix 31270 6160 0 10:23 ? 00:00:00 smtpd -n smtp -t inet -u
zimbra 31475 6239 0 10:24 ? 00:00:00 amavisd (virgin child)
postfix 31661 6160 0 10:25 ? 00:00:00 smtpd -n smtp -t inet -u
postfix 31864 6160 0 10:26 ? 00:00:00 smtpd -n smtp -t inet -u
postfix 32037 6160 0 10:27 ? 00:00:00 smtpd -n smtp -t inet -u
postfix 32040 6160 0 10:27 ? 00:00:00 cleanup -z -t unix -u
postfix 32041 6160 0 10:27 ? 00:00:00 smtp -n smtp-amavis -t unix -u -o smtp_data_done_timeout 1200 -o smtp_send_xforward_command yes -o disable_dns_lookups yes -o max_use 20
postfix 32044 6160 0 10:27 ? 00:00:00 smtpd -n 127.0.0.1:10025 -t inet -u -o content_filter -o local_recipient_maps -o virtual_mailbox_maps -o virtual_alias_maps -o relay_recipient_maps -o smtpd_restriction_classes -o smtpd_delay_reject no -o smtpd_client_restrictions permit_mynetworks,reject -o smtpd_helo_restrictions -o smtpd_sender_restrictions -o smtpd_recipient_restrictions permit_mynetworks,reject -o mynetworks_style host -o mynetworks 127.0.0.0/8 -o strict_rfc821_envelopes yes -o smtpd_error_sleep_time 0 -o smtpd_soft_error_limit 1001 -o smtpd_hard_error_limit 1000 -o smtpd_client_connection_count_limit 0 -o smtpd_client_connection_rate_limit 0 -o receive_override_options no_header_body_checks,no_unknown_recipient_checks, no_address_mappings
zimbra 32049 5169 0 10:27 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 12 0
zimbra 32050 5169 0 10:27 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 14 0
postfix 32434 6160 0 10:29 ? 00:00:00 lmtp -t unix -u
zimbra 32439 5169 0 10:29 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 16 0
zimbra 32440 5169 0 10:29 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 18 0
zimbra 32444 5169 0 10:29 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 20 0
zimbra 32445 5169 0 10:29 ? 00:00:00 /opt/zimbra/verity/FilterSDK/bin/kvoop 9 22 0
zimbra 463 694 0 10:31 pts/4 00:00:00 ps -eafwww
Reply With Quote