Postfix sending spam from www-data help

Hi, my postfix appears to be hijacked and is sending spam. Here is an example from the /var/logs/mail.log

Jan 24 09:05:50 li51-89 postfix/qmgr[2971]: 278C6C499: from=<www-data@####.members.linode.com>, size=600, nrcpt=1 (queue active)

 278C6C499: to=<luke.debettencourt@law.com>, relay=none, delay=185184, delays=185184/0/0.05/0, dsn=4.4.1, status=deferred (connect to law.com[12.170.132.211]:25: Connection refused)

There are a lot of these emails, all to different addresses, and I'd like to stop them. I'm fairly certain that my postfix configuration prevents relaying, so somehow these messages are originating from within my host.

User www-data runs apache2. I'm hosting a few php/mysql enabled sites such as Joomla and Gallery2. They are both updated to the most recent version. I've also shut down apache, and there are no remaining processes running for user www-data when I do.

I should also mention that I'm running Debian stable and it's up to date. I checked the access logs, and nobody has gained shell access. ssh is fairly locked down (no root login, passwords disabled, key auth only).

Any help would be greatly appreciated; I'm not sure where to start.

3 Replies

You're probably running a forum or something with weak bot protection on signups.

Long and short, someone is using a webapp to mail through your box.

Joomla and Drupal have both been notorious for having holes like this, and at my job we see this all the time.

Look through your Apache logs…

I think I tracked the problem down to an old osCommerce site that I was running. Forgot to mention it earlier, slipped my mind. Anyways, I've disabled the osCommerce site and the problem seems to have stopped. Thanks for verifying that it was a webapp problem and not postfix settings.
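The original poster asked where to start, and the first reply's advice was to look through the Apache logs. The script below is an added example (not code from the thread or from Linode) of how a defender would do that correlation: it pulls every message the Postfix queue manager activated with an envelope sender of `www-data` out of `mail.log`, then lists the Apache requests that arrived in the few seconds before each one was queued and counts which endpoint shows up most often. The log lines are constructed to match the shape of the excerpt in the post (hosts, addresses, IPs and the `/shop/contact_us.php` path are placeholders); `ASSUMED_YEAR` is needed because syslog timestamps carry no year, and the script assumes both logs are written in the same local time.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumption: mail.log timestamps have no year, so the caller supplies one.
ASSUMED_YEAR = 2010

# Constructed sample lines in the shape of the thread's excerpt (not real traffic).
MAIL_LOG = """\
Jan 24 09:05:50 li51-89 postfix/pickup[2970]: 278C6C499: uid=33 from=<www-data>
Jan 24 09:05:50 li51-89 postfix/qmgr[2971]: 278C6C499: from=<www-data@example.members.linode.com>, size=600, nrcpt=1 (queue active)
Jan 24 09:05:50 li51-89 postfix/smtp[3001]: 278C6C499: to=<victim1@example.com>, relay=none, delay=1, delays=1/0/0.05/0, dsn=4.4.1, status=deferred (connect to example.com[192.0.2.25]:25: Connection refused)
Jan 24 09:06:02 li51-89 postfix/qmgr[2971]: 3A1D2C4A0: from=<www-data@example.members.linode.com>, size=612, nrcpt=1 (queue active)
Jan 24 09:06:02 li51-89 postfix/smtp[3002]: 3A1D2C4A0: to=<victim2@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 OK)
Jan 24 09:30:11 li51-89 postfix/qmgr[2971]: 4B2E3C4B1: from=<root@example.members.linode.com>, size=300, nrcpt=1 (queue active)
Jan 24 09:30:11 li51-89 postfix/local[3003]: 4B2E3C4B1: to=<root@localhost>, relay=local, delay=0.1, delays=0/0/0/0.1, dsn=2.0.0, status=sent (delivered to mailbox)
"""

ACCESS_LOG = """\
203.0.113.5 - - [24/Jan/2010:09:05:49 +0000] "POST /shop/contact_us.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Jan/2010:09:06:01 +0000] "POST /shop/contact_us.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Jan/2010:09:07:30 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# qmgr "queue active" line: the moment a message entered the active queue.
QMGR_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+)"
)
# Delivery attempt by smtp/local/etc. for the same queue id.
DELIVERY_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ postfix/\w+\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, .*status=(?P<status>\w+)"
)
# Apache combined log format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<code>\d{3})'
)


def parse_mail_log(text, year=ASSUMED_YEAR):
    """Return {queue_id: record} for every message the queue manager activated."""
    records = {}
    for line in text.splitlines():
        m = QMGR_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            records[m["qid"]] = {"time": when, "sender": m["sender"],
                                 "size": int(m["size"]), "recipients": []}
            continue
        m = DELIVERY_RE.match(line)
        if m and m["qid"] in records:
            records[m["qid"]]["recipients"].append((m["rcpt"], m["status"]))
    return records


def www_data_messages(records):
    """Keep only messages whose envelope sender local part is the web server user."""
    return {qid: r for qid, r in records.items()
            if r["sender"].split("@", 1)[0] == "www-data"}


def parse_access_log(text):
    """Return (time, ip, method, path, status) tuples from Apache combined-format lines."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Assumption: both logs use the same local time, so the zone offset is dropped.
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        hits.append((when, m["ip"], m["method"], m["path"], int(m["code"])))
    return hits


def correlate(messages, hits, window_seconds=5):
    """For each www-data message, list requests seen in the window just before it was queued."""
    window = timedelta(seconds=window_seconds)
    return {qid: [h for h in hits if rec["time"] - window <= h[0] <= rec["time"]]
            for qid, rec in messages.items()}


def suspect_endpoints(matches):
    """Count (method, path) pairs that precede www-data mail; the top one is where to look first."""
    counts = Counter()
    for reqs in matches.values():
        counts.update((method, path) for _, _, method, path, _ in reqs)
    return counts


if __name__ == "__main__":
    records = parse_mail_log(MAIL_LOG)
    msgs = www_data_messages(records)
    print(f"{len(msgs)} of {len(records)} queued messages were sent as www-data")
    for qid, rec in msgs.items():
        print(qid, rec["time"], rec["recipients"])
    matches = correlate(msgs, parse_access_log(ACCESS_LOG))
    for (method, path), n in suspect_endpoints(matches).most_common():
        print(f"{n:3d}  {method} {path}")
```

On a real box, point `parse_mail_log` at `/var/log/mail.log` and `parse_access_log` at each vhost's access log; the endpoint that keeps appearing just before each `www-data` message is the form or script being abused, which matches how the thread's author ended up at the osCommerce site. If the web server runs PHP 5.3 or later, setting `mail.add_x_header = On` and `mail.log = /var/log/php_mail.log` in `php.ini` records the originating script path for every `mail()` call, which removes the guesswork from the time-window correlation.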
