Linode Forum
https://forum.linode.com/

Postfix sending spam from www-data help
https://forum.linode.com/viewtopic.php?f=11&t=5122		 Page 1 of 1
Author:  lenzenmi [ Thu Jan 28, 2010 11:25 am ]
Post subject:  Postfix sending spam from www-data help
Hi, my postfix appears to be hijacked and is sending spam. Here is an example from the /var/logs/mail.log

Code:
Jan 24 09:05:50 li51-89 postfix/qmgr[2971]: 278C6C499: from=<www-data@####.members.linode.com>, size=600, nrcpt=1 (queue active)

 278C6C499: to=<luke.debettencourt@law.com>, relay=none, delay=185184, delays=185184/0/0.05/0, dsn=4.4.1, status=deferred (connect to law.com[12.170.132.211]:25: Connection refused)


There are a lot of these emails, all to different addresses and I'd like to stop them. I'm fairly certain that my postfix configuration prevents relaying, so somehow these messages are originating from within my host.

User www-data runs apache2. I'm hosting a few php/mysql enabled sites such as joomla, and gallery2. They are both updated to the most recent version. I've also shutdown apache, and there are no remaining process running for user www-data when I do.

I should also mention that I'm running Debian stable and it's up to date. I checked the access logs, and nobody has gained shell access. ssh is fairly locked down, (no root login, passwords disabled - key auth only)

Any help would be greatly appreciated, I'm not sure where to start.
Author:  Alucard [ Thu Jan 28, 2010 12:26 pm ]
Post subject: 
You're probably running a forum or something with weak bot protection on signups.
Author:  bezerker [ Tue Feb 02, 2010 4:25 pm ]
Post subject: 
Long and short, someone is using a webapp to mail through your box.

Joomla and drupal have both been notorious for having holes like this and at my job we see this all the time.

Look through your apache logs....
Author:  lenzenmi [ Wed Feb 03, 2010 2:15 pm ]
Post subject: 
I think I tracked the problem down to an old OScommerce site that I was running. Forgot to mention it earlier, slipped my mind. Anyways, I've disabled the OScommerce site and the problem seems to have stopped. Thanks for verifying that it was a webapp problem and not postfix settings.
Page 1 of 1 All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/