Thanks mmccarn and Stefano-- I hadn't had a chance to test your guys' ideas, but we may have solved it with some excellent help from Darrell May.
We ran the following to investigate changes in the last 30 days.
*Note* Our company web page runs in the primary ibay and uses ColdFusion.
find /home/e-smith/files/ibays -type f -mtime -30 -print
find /opt -type f -mtime -30 -print
Here is the most interesting output:
/home/e-smith/files/ibays <-- only one change, a legit change on a web page text document announcing a new person.
/opt/wordpress/wp-content/themes/default/archives.php <-- edited last Thursday
/opt/wordpress/wp-content/themes/default/search.php <-- edited last Thursday
/opt/coldfusion8/ConnectorInstall0.txt
/opt/coldfusion8/wwwroot/WEB-INF/cfform/cache.dep
/opt/coldfusion8/wwwroot/WEB-INF/cfform/logs/flex.log
/opt/coldfusion8/runtime/logs/coldfusion-event.log
/opt/coldfusion8/runtime/lib/wsconfig/wsconfig_1.log
/opt/coldfusion8/runtime/lib/wsconfig/1/jrunserver.store
/opt/coldfusion8/runtime/lib/wsconfig/wsconfig.log
/opt/coldfusion8/logs/application.log
/opt/coldfusion8/logs/server.log
/opt/coldfusion8/logs/exception.log
/opt/coldfusion8/logs/cfserver.log
/opt/coldfusion8/logs/eventgateway.log
/opt/coldfusion8/registry/cf.registry
/opt/coldfusion8/lib/neo-document.bak
/opt/coldfusion8/lib/license.properties
/opt/coldfusion8/lib/neo-datasource.xml
/opt/coldfusion8/lib/neo-drivers.bak
/opt/coldfusion8/lib/neo-cron.xml
/opt/coldfusion8/lib/neo-drivers.xml
/opt/coldfusion8/lib/neo-datasource.bak
/opt/coldfusion8/lib/client.properties
/opt/coldfusion8/lib/neo-cron.bak
/opt/coldfusion8/lib/neo-document.xml
/opt/openfire/conf/openfire.xml
/opt/openfire/conf/available-plugins.xml
/opt/openfire/conf/server-update.xml
/opt/openfire/logs/warn_3.log
/opt/openfire/logs/nohup.out
/opt/openfire/logs/info.log
/opt/openfire/logs/warn_2.log
/opt/openfire/logs/warn_4.log
/opt/openfire/logs/warn_1.log
/opt/openfire/logs/warn_5.log
/opt/openfire/logs/error.log
/opt/openfire/logs/warn.log
Interestingly, we don't use wordpress in our sites except for a very old and deprecated "emergency news" page that wasn't much more than a splash screen. It hadn't been updated with content since 2009.
The rest of the files in /opt/wordpress were from 2008 and 2009.
wordpress is owned by rpm
[root@mail webshare]# rpm -qf /opt/wordpress/wp-content/themes/default/archives.php
wordpress-2.6.2-1.el4.sme
I removed wordpress and removed the /opt/wordpress folder.
[root@mail ~]# rpm -e wordpress
error: Failed dependencies:
wordpress is needed by (installed) smeserver-wordpress-1.0-2.el4.sme.noarch
[root@mail ~]# rpm -e smeserver-wordpress-1.0-2.el4.sme.noarch
[root@mail ~]# rpm -e wordpress
[root@mail /]# rm -Rf /opt/wordpress
[root@mail /]# signal-event post-upgrade; signal-event reboot
Unfortunately, before removing wordpress I turned the httpd service back on to see what wordpress content we might have had. When I turned httpd back on I expected qmail to get flooded again, but things stayed quiet. At that point I removed wordpress, so it's possibly too early to tell if wordpress was 100% the issue, and if there are any other compromises.
I will keep an eye on the queue to see if anything untoward happens down the road.
So far so good.
If you guys spot something I've missed or think there is something else for me to do, let me know. I really appreciate you taking the time to help- Thanks again!
Now to go about alerting the ISP and other sites that our spam is cleaned up.
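The procedure in the post above (find files changed in the last 30 days, then ask rpm who owns them) wrapped up as a reusable triage script. This is an added example, not part of the original post and not SME Server code; it assumes a POSIX sh with find, optionally rpm, and the script name, the "noise/inspect/review" buckets and the file-type patterns are my own choices. Two things it adds to the plain find: it also matches on ctime, because an intruder can reset mtime with `touch -r` but cannot set ctime, and it runs `rpm -V` on the owning package, which compares each packaged file against the checksum recorded at install time. `rpm -qf` only tells you the theme files belonged to the wordpress package; `rpm -V wordpress` would have shown that their contents no longer matched what the package installed.

```shell
#!/bin/sh
# triage_recent.sh (hypothetical name, added example, not from the original post)
# Usage: DAYS=30 sh triage_recent.sh /home/e-smith/files/ibays /opt
#
# Lists files changed in the last $DAYS days under the given roots, tags each
# as noise (logs, caches, .bak), inspect (scripts and page content) or review
# (anything else), and, when rpm exists, reports the owning package and
# whether the file still matches the checksum rpm recorded at install time.

DAYS=${DAYS:-30}

# classify PATH: prints noise | inspect | review
classify() {
  case "$1" in
    */logs/*|*/log/*|*/cache/*|*.log|*.log.[0-9]*|*.out|*.dep|*.store|*.bak)
      echo noise ;;
    *.php|*.cfm|*.cfc|*.cfml|*.jsp|*.html|*.htm|*.js|*.pl|*.cgi|*.sh|*.py)
      echo inspect ;;
    *)
      echo review ;;
  esac
}

# ownership PATH: prints "unowned", "<pkg> verified", "<pkg> MODIFIED",
# or "rpm-unavailable" on a host without rpm.
ownership() {
  command -v rpm >/dev/null 2>&1 || { echo rpm-unavailable; return; }
  # rpm -qf exits non-zero when no package owns the file
  pkg=$(rpm -qf "$1" 2>/dev/null) || { echo unowned; return; }
  # rpm -V prints one line per packaged file whose size, md5, mode or mtime
  # differ from the package database; a clean file prints nothing.
  if rpm -V "$pkg" 2>/dev/null | grep -q -- " $1\$"; then
    echo "$pkg MODIFIED"
  else
    echo "$pkg verified"
  fi
}

# scan ROOT...: one tab-separated line (class, ownership, path) per hit.
# ctime is checked as well as mtime: touch -r can backdate mtime, ctime
# is set by the kernel on every inode change and cannot be forged.
scan() {
  for root in "$@"; do
    find "$root" -type f \( -mtime -"$DAYS" -o -ctime -"$DAYS" \) -print 2>/dev/null
  done | while IFS= read -r f; do
    printf '%s\t%s\t%s\n' "$(classify "$f")" "$(ownership "$f")" "$f"
  done | sort
}

if [ $# -gt 0 ]; then
  scan "$@"
fi
```

Read the "inspect" rows first; an "inspect" row whose ownership column says MODIFIED is a packaged script that has been rewritten on disk, and an "inspect" row that is "unowned" under a package-managed tree such as /opt/wordpress is a file the package never shipped.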