Just looking for some help here, folks.
Apparently, someone has managed to exploit Postfix on this server and the mail queue keeps filling-up with entries like this:
856BD22A97B9* 1202 Fri May 24 10:19:53 email@example.com
is a "fake" email address (the lgvuwak appears to be randomly-generated with each mail sent, and example.com is an actual, legitimate domain whose mail services are hosted on this server).
How is Postfix being exploited and how is this happening?
All the reading I've done indicates that this mail is coming from 127.0.0.1, which is why Postfix allows the mail to be sent (instead of refusing with "relay access denied").
This fact seems consistent with the headers in the queued messages. Here are the contents of one such message:
While this is occurring, I see a lot of activity from external IP addresses when this queue flooding is happening. These IP addresses appear to be Hotmail's. Here's an excerpt:
May 24 10:35:18 serverds postfix/qmgr: 9E7A822A68B5: from=<firstname.lastname@example.org>, size=1586, nrcpt=2 (queue active)
May 24 10:35:18 serverds postfix/error: 9ED8322A52CB: to=<email@example.com>, relay=none, delay=4652, delays=4652/0.02/0/0.01, dsn=4.4.2, status=deferred (delivery temporarily suspended: lost connection with mx1.hotmail.com[188.8.131.52] while sending RCPT TO)
The only way I've been able to stop this is to add drop rules for Hotmail's IP addresses to iptables.
I need to uncover the root source of this exploitation.
The most likely source of mail being sent from 127.0.0.1 seems to be a compromised Web application or site. We host a couple of WordPress sites on this server, and they seem to be the most likely culprit.
Where should I start looking? top/htop doesn't give any clues. All I see his heavy amavis activity. All of the sites on this server run PHP in Fast-CGI mode, with SuExec enabled, so, CPU activity attributable to PHP appears as a unique process in top. But, I don't see particularly heavy CPU activity for any particular website.
Thanks in advance for any help!
P.S. I realize that implementing what I describe in my initial post won't stop this exploitation, if it is in fact coming from a compromised website, but I would still like to know how it's done.