How to track calls to sendmail in qmail?

AOL sent me a spam complaint about spam originating from my server. The headers said:

Received: from lina.aaanime.net (lina.aaanime.net [207.44.196.47]) by rly-yh06.mx.aol.com (v103.7) with ESMTP id MAILRELAYINYH68-7964189dc2f1c4; Thu, 04 Nov 2004 02:37:19 -0500
Received: (qmail 19149 invoked by uid 48); 30 Oct 2004 08:25:40 -0000
Date: 30 Oct 2004 08:25:40 -0000

lina.aaanime.net is my server. It said "invoked by uid 48"; uid 48 is the 'apache' user, so I'm guessing someone is exploiting a bug in a CGI script and using it to call sendmail.

Any idea how I can track down which CGI script is calling sendmail so that I can patch/delete it? I was thinking perhaps I can replace the sendmail executable with something that logs its process tree before calling the real sendmail executable and sending the message?
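
The wrapper idea from the question, as an added example that is not part of the original post: a script installed at the sendmail path that logs the caller's process ancestry, working directory and CGI variables, then hands the message to the real binary. The `sendmail.real` name, the log path and the use of Linux `/proc` are assumptions.

```shell
#!/bin/sh
# Added example: logging wrapper installed at the path of the sendmail binary.
# Assumed (not from the post): real binary moved to REAL_SENDMAIL, Linux /proc,
# and a LOG file the apache user can append to.
REAL_SENDMAIL="${REAL_SENDMAIL:-/var/qmail/bin/sendmail.real}"
LOG="${SENDMAIL_TRACE_LOG:-/var/log/sendmail-trace.log}"

# Print the parent PID of process $1 (from /proc/<pid>/status); fail if unknown.
ppid_of() {
    [ -r "/proc/$1/status" ] || return 1
    while read -r key val _; do
        if [ "$key" = "PPid:" ]; then echo "$val"; return 0; fi
    done < "/proc/$1/status"
    return 1
}

# Print "pid:command line" for $1 and each ancestor, one per line.
proc_chain() {
    pid=$1
    while [ "${pid:-0}" -gt 0 ]; do
        cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline") || cmd=
        printf '%s:%s\n' "$pid" "${cmd:-?}"
        pid=$(ppid_of "$pid") || break
    done
}

# Build one log record: time, uid, cwd, CGI variables set by Apache, ancestry.
trace_record() {
    printf '%s uid=%s cwd=%s script=%s remote=%s chain=[%s]\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$(id -u)" "$(pwd)" \
        "${SCRIPT_FILENAME:-?}" "${REMOTE_ADDR:-?}" \
        "$(proc_chain "$1" | tr '\n' ';')"
}

# Only act as the wrapper when invoked under the name "sendmail".
if [ "${0##*/}" = sendmail ]; then
    # Log in a subshell so a logging failure never blocks mail delivery.
    ( trace_record "$PPID" >> "$LOG" ) 2>/dev/null
    exec "$REAL_SENDMAIL" "$@"
fi
```

Records with `uid=48` then show which script and which client address were behind each message; `script=?` means the caller did not pass CGI variables through, and the `cwd` and `chain` fields are what is left to go on.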
