HowtoForge Forums > Linux Forums > Server Operation

#1  29th July 2013, 15:32  davebamford (Junior Member)
Postfix sending spam and unable to stop it.

Hi,

I am running ISPConfig 3 on a Debian Wheezy server, and we had a Joomla website hacked, which has resulted in spam going out from the user web53@maggie.backed-up.net (maggie.backed-up.net is the mail server). I have blacklisted this user and disabled it in main.cf:
authorized_submit_users = !web53, static:anyone

I cannot find out how the spam is being sent, and we are being blacklisted by more and more servers. I have checked for an open relay and it is OK.
Telnet on port 25 gives:

root@millhouse:/home/dave# telnet 94.228.42.202 25
Trying 94.228.42.202...
Connected to 94.228.42.202.
Escape character is '^]'.
220 maggie.backed-up.net ESMTP Postfix (Debian/GNU)
ehlo localhost.localdomain
250-maggie.backed-up.net
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Any ideas where I go from here? We have a load of users now not getting emails.

Thanks

Dave

#2  29th July 2013, 16:09  till (Super Moderator)

Take a look at the spam emails in the Postfix queue with the postcat command; all recent PHP versions add a header to the emails that shows the name of the script which called the mail function.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

#3  29th July 2013, 17:06  davebamford (Junior Member)

Thanks. I tried postcat on one of the emails in the queue and got:

X-PHP-Originating-Script: 5034:k7ybaz.php(1) : eval()'d code

Now searching for this file, but it was probably only temporary.

But it also told me:
Postfix, from userid 5034

How do I translate the userid?

Thanks

Dave

#4  29th July 2013, 17:08  till (Super Moderator)

run

grep 5034 /etc/passwd

to get the username and website path.

#5  29th July 2013, 17:23  davebamford (Junior Member)

Thanks

That pointed back at the user for the website I thought I had deleted, but stupidly I had only deleted the symlink. Now I have really deleted it after making a copy. Hopefully this will stop it, but emails are still going out, so I guess I need to flush the queue somehow.

Regards

Dave

#6  29th July 2013, 19:38  till (Super Moderator)

Here is a short script that I use to clean the mail queue:

Code:
mailq | tail -n +2 | awk 'BEGIN { RS = "" }
# $7=sender, $8=recipient1, $9=recipient2
{ if ($7 == "www-data@somedomain.tld")
print $1 }
' | tr -d '*!' | postsuper -d -
It can be copied to the shell directly.

Replace the email address with the sender address of the spam emails.
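Putting the steps from this thread together (the X-PHP-Originating-Script header from postcat, the userid lookup in /etc/passwd, and cleaning the queue by sender), here is an added Python example that is not from this thread or from ISPConfig. It runs on constructed samples of mailq, postcat and /etc/passwd output; the queue IDs, addresses, paths and function names are made up, and it only returns the matching queue IDs instead of passing them to postsuper.

```python
import re
# Constructed `mailq` output (not from the thread); '*' = active, '!' = held.
SAMPLE_MAILQ = """\
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    2310 Mon Jul 29 15:01:12  web53@maggie.backed-up.net
                                         victim1@example.org

F6A7B8C9D0     4120 Mon Jul 29 15:02:40  alice@example.net
(connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                         bob@example.org

0E1F2A3B4C!    2290 Mon Jul 29 15:03:05  web53@maggie.backed-up.net
                                         victim2@example.com

-- 9 Kbytes in 3 Requests.
"""
# Constructed excerpt of `postcat -q A1B2C3D4E5` output for the first message.
SAMPLE_POSTCAT = """\
Received: by maggie.backed-up.net (Postfix, from userid 5034)
X-PHP-Originating-Script: 5034:k7ybaz.php(1) : eval()'d code
"""
# Constructed /etc/passwd lines; the first is a decoy whose gid is 5034.
SAMPLE_PASSWD = """\
web52:x:5033:5034:client1:/var/www/clients/client1/web52:/bin/false
web53:x:5034:5005:client1:/var/www/clients/client1/web53:/bin/false
"""

def queue_ids_for_sender(mailq_text, sender):
    """Queue IDs whose envelope sender (field 7, as in the awk script) is `sender`."""
    ids = []
    for fields in (line.split() for line in mailq_text.splitlines()):
        # Only entry lines start with a queue ID plus optional '*'/'!' flag; the
        # header, "(reason)" and recipient-only lines never satisfy this test.
        if len(fields) >= 7 and re.fullmatch(r"[0-9A-Za-z]+[*!]?", fields[0]) and fields[6] == sender:
            ids.append(fields[0].rstrip("*!"))
    return ids

def originating_script(postcat_text):
    """(uid, script) from the 'from userid N' Received line and PHP's header; None if absent."""
    uid = re.search(r"\(Postfix, from userid (\d+)\)", postcat_text)
    script = re.search(r"^X-PHP-Originating-Script:[ \t]*(.+)$", postcat_text, re.M)
    return (int(uid.group(1)) if uid else None, script.group(1).strip() if script else None)

def passwd_lookup(passwd_text, uid):
    """(username, home) matched on the uid field only; `grep 5034 /etc/passwd` also hits gids."""
    for parts in (line.split(":") for line in passwd_text.splitlines()):
        if len(parts) >= 7 and parts[2] == str(uid):
            return parts[0], parts[5]
    return None
```

Once the returned IDs have been checked, they can be fed to `postsuper -d -` one per line, exactly as the awk version does.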
#7  29th July 2013, 20:48  davebamford (Junior Member)

Thanks for the script. I have cleaned out the queue now and things are more or less back to normal. It just shows how important it is to keep Joomla up to date.

Regards

Dave