formail.pl spamming (strange one)
Hi, my server recently got hit by a formail.pl spamming attack, so I
- disabled the script
- configured exim to deny the sender & IP
However, i just logged in due to high loads and saw the "formail.pl" process running again.
Luckily the exim config changes prevented the emails from being sent, but since the process got executed several times, it resulted in high loads.
Further investigation showed that the process appears as "formail.pl" but refers to an Apache process, which doesn't appear in the Apache status, though.
I also searched for the script, but to no avail, so my guess was that the person using it uploaded the script, executed it and removed it again, but then it would have to appear in the transfer logs, which it doesn't either.
Well, at least the emails don't get sent anymore, but since the script still gets executed every few minutes/hours (no cron job, btw, I checked on that already), it has to be somewhere on the system.
Any ideas what this could be, or how I can trace the process back to the script itself?
Thanks.
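
One way to approach the tracing question above on a Linux host, as an added example that is not part of the original post: for every process whose displayed name mentions a string, print what procfs records about it (real binary, working directory, parent PID, and whether the binary was deleted after start). The function names `trace_proc` and `demo`, and the PIDs and paths in the sample tree, are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads Linux procfs entries (cmdline, comm, status, exe, cwd).
# The proc root is a parameter so a constructed tree can stand in for /proc.

trace_proc() {  # usage: trace_proc <needle> [proc_root]
    needle=$1; root=${2:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        pid=${dir##*/}
        # argv is NUL-separated and can be overwritten by the process itself,
        # so the name shown by ps/top is only a claim.
        args=$(tr '\0' ' ' < "$dir/cmdline" 2>/dev/null) || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || comm=
        case "$args $comm" in *"$needle"*) ;; *) continue ;; esac
        # exe and cwd are links maintained by the kernel: the binary actually
        # running and the process's current working directory.
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe='?'
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd='?'
        ppid=$(awk '/^PPid:/ {print $2}' "$dir/status" 2>/dev/null) || ppid=
        note=ok
        # The kernel appends " (deleted)" when the file was unlinked after start.
        case "$exe" in *" (deleted)") note=exe-deleted ;; esac
        printf 'pid=%s ppid=%s exe=%s cwd=%s note=%s\n' \
            "$pid" "${ppid:-?}" "$exe" "$cwd" "$note"
    done
    return 0
}

demo() {  # constructed sample tree (made-up PIDs and paths), not real data
    t=$(mktemp -d)
    mkdir "$t/4242" "$t/4300" "$t/77"
    printf 'formail.pl\0' > "$t/4242/cmdline"; echo httpd > "$t/4242/comm"
    printf 'PPid:\t1\n' > "$t/4242/status"
    ln -s /usr/sbin/httpd "$t/4242/exe"
    ln -s /var/www/example/cgi-bin "$t/4242/cwd"
    printf 'formail.pl\0' > "$t/4300/cmdline"; echo formail.pl > "$t/4300/comm"
    printf 'PPid:\t4242\n' > "$t/4300/status"
    ln -s '/tmp/formail.pl (deleted)' "$t/4300/exe"; ln -s /tmp "$t/4300/cwd"
    printf 'sshd\0' > "$t/77/cmdline"; echo sshd > "$t/77/comm"
    trace_proc formail.pl "$t"
    rm -rf "$t"
}

demo
```

On a live host, run `trace_proc formail.pl` as root, since reading the `exe` and `cwd` links of other users' processes needs that privilege. The `cwd` and `ppid` values point at the directory and parent process to examine next.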