Update: It’s worse than I thought. I assumed that there was a vulnerability in html2text.php that allowed them to send email, but no, they used a vulnerability in html2text.php to download malicious code, and install something called “mock” in /tmp/.m and a script called “c” in /tmp/send. There were several copies of “c” running just now, when I ssh’ed in from my Treo to delete the files, kill the processes, and restart Apache. This is the first time I’ve had malicious code installed on my system in over 15 years of running Linux. I feel so dirty.
As I was getting ready for bed, I chanced to look at my mail queue on munin, only to discover that some time yesterday, my outgoing mail queue was up to over 2500 messages, which is 10 times higher than I’ve ever seen it before. Oh oh, must be a spam run, I thought. It was worse than I thought – it wasn’t blowback from spam being sent out in my name, it was OUTGOING.
It took the last half an hour to find the culprit – RoundCube web mail that I installed soon after I started work at Paychex because I couldn’t ssh home to read my mail with mutt. I don’t know if I missed a patch or what, but there were a whole bunch of hits on “POST /webmail//bin/html2text.php”. I’ve removed it. I guess I’m in the market for a good secure web mail system again.
Hopefully I didn’t get marked as a spammer on too many sites.
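
A log triage sketch for the hits described above, added here as an example and not part of the original post: it scans access-log lines for POSTs to the html2text.php path, normalising doubled slashes such as the `/webmail//bin/` form quoted in the post, and groups them by client. The Apache combined log format, the function names and the sample lines are assumptions; the addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Assumed format: Apache common/combined log
# host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SUSPECT_SUFFIX = "/bin/html2text.php"  # script path named in the post

def normalize(target):
    """Drop the query string, percent-decode, collapse '//' and '/./'."""
    path = unquote(target.split("?", 1)[0])
    return normpath(re.sub(r"/+", "/", "/" + path))

def find_hits(lines):
    """Group POSTs to the script by client: count, first/last time, statuses."""
    hits = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "statuses": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not normalize(m["target"]).endswith(SUSPECT_SUFFIX):
            continue
        h = hits[m["host"]]
        h["count"] += 1
        h["first"] = h["first"] or m["time"]
        h["last"] = m["time"]
        h["statuses"].add(int(m["status"]))
    return dict(hits)

# Constructed sample lines (documentation addresses, made-up timestamps)
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2000:03:12:01 +0000] "POST /webmail//bin/html2text.php HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [01/Jan/2000:03:12:09 +0000] "POST /webmail/bin/html2text.php HTTP/1.1" 200 498 "-" "-"',
    '198.51.100.7 - - [01/Jan/2000:03:13:40 +0000] "GET /webmail/ HTTP/1.1" 200 4120 "-" "-"',
    '198.51.100.7 - - [01/Jan/2000:03:13:44 +0000] "POST /webmail/./bin/html2text%2Ephp?x=1 HTTP/1.1" 200 77 "-" "-"',
    '203.0.113.5 - - [01/Jan/2000:03:14:02 +0000] "POST /webmail/index.php HTTP/1.1" 200 2301 "-" "-"',
]

if __name__ == "__main__":
    for host, h in sorted(find_hits(SAMPLE).items()):
        print(host, h["count"], h["first"], h["last"], sorted(h["statuses"]))
```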