Postfix sending spam from www-data help
Jan 24 09:05:50 li51-89 postfix/qmgr[2971]: 278C6C499: from=<www-data@####.members.linode.com>, size=600, nrcpt=1 (queue active)
278C6C499: to=<luke.debettencourt@law.com>, relay=none, delay=185184, delays=185184/0/0.05/0, dsn=4.4.1, status=deferred (connect to law.com[12.170.132.211]:25: Connection refused)
There are a lot of these emails, all to different addresses, and I'd like to stop them. I'm fairly certain that my Postfix configuration prevents relaying, so somehow these messages are originating from within my host.
User www-data runs apache2. I'm hosting a few PHP/MySQL-enabled sites such as Joomla and Gallery2. They are both updated to the most recent version. I've also shut down Apache, and there are no remaining processes running for user www-data when I do.
I should also mention that I'm running Debian stable and it's up to date. I checked the access logs, and nobody has gained shell access. SSH is fairly locked down (no root login, passwords disabled - key auth only).
Any help would be greatly appreciated, I'm not sure where to start.
3 Replies
Joomla and Drupal have both been notorious for having holes like this, and at my job we see this all the time.
Look through your apache logs….
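Added example, not part of the original thread: one way to act on the advice to go through the Apache logs is to match the time each www-data message was submitted locally against POST requests in the access log, which points at the script being used to send the mail. The log lines, paths, year and window value are constructed for illustration; the uid of 33 for www-data is the Debian default and is an assumption to confirm on the host.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# postfix/pickup logs a message once, at local submission (the path PHP mail()
# takes); qmgr logs "queue active" again on every retry of a deferred message.
PICKUP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: "
                    r"([0-9A-F]+): uid=(\d+) from=<[^>]*>")
ACCESS = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" \d{3}')

def local_submissions(mail_lines, uid, year):
    """Return [(queue_id, time)] for messages submitted locally by `uid`."""
    found = []
    for line in mail_lines:
        m = PICKUP.match(line)
        if m and int(m.group(3)) == uid:
            # syslog timestamps carry no year, so the caller supplies it
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            found.append((m.group(2), when))
    return found

def suspect_paths(access_lines, submissions, window=5):
    """Count POST paths requested up to `window` seconds before a submission."""
    hits = Counter()
    for line in access_lines:
        m = ACCESS.match(line)
        if not m or m.group(2) != "POST":
            continue
        # assumption: both logs share one time zone, so the offset is dropped
        when = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        for _qid, sent in submissions:
            if timedelta(0) <= sent - when <= timedelta(seconds=window):
                hits[m.group(3)] += 1
    return hits

# Constructed sample lines (hosts, paths, year and most queue IDs are made up).
MAIL_LOG = [
    "Jan 22 05:39:26 host postfix/pickup[2970]: 278C6C499: uid=33 from=<www-data>",
    "Jan 22 05:39:26 host postfix/qmgr[2971]: 278C6C499: from=<www-data@host.example>, size=600, nrcpt=1 (queue active)",
    "Jan 22 05:41:02 host postfix/pickup[2970]: 3A1F0C49A: uid=33 from=<www-data>",
    "Jan 22 06:00:00 host postfix/pickup[2970]: 4B2E1C49B: uid=1000 from=<luke>",
]
ACCESS_LOG = [
    '203.0.113.7 - - [22/Jan/2009:05:39:25 +0000] "POST /site/form.php HTTP/1.1" 200 312',
    '198.51.100.2 - - [22/Jan/2009:05:39:25 +0000] "GET /site/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Jan/2009:05:41:01 +0000] "POST /site/form.php HTTP/1.1" 200 312',
    '198.51.100.9 - - [22/Jan/2009:05:50:00 +0000] "POST /site/login.php HTTP/1.1" 302 0',
]
WWW_DATA_UID = 33  # Debian default for www-data (assumption; check with `id www-data`)
```

The queue IDs returned by `local_submissions` can be inspected with `postcat -q` and removed from the queue with `postsuper -d` once the responsible script has been dealt with.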