Hi,

my old Ubuntu 12.04 seems to be compromised and used as a MAIL RELAY or SPAM SOURCE. In the mail log I see a lot of outgoing (and incoming) mail, but most of it is FROM and TO one of the ISPConfig web users:

Code:
from=<[email protected]>.........

Now, one very weird thing is that I do not remember ever setting up an SMTP server. I always gave instructions to my WEB customers on this server to use the SMTP method of sending mail out, rather than the default php sendmail, because it is not configured here for security reasons. But now I can see an SMTP process listening on port 25:

Code:
lsof -i:25
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  6989 root   12u  IPv4  21159      0t0  TCP *:smtp (LISTEN)
master  6989 root   13u  IPv6  21160      0t0  TCP *:smtp (LISTEN)
[email protected]:/# ps 6989
  PID TTY      STAT   TIME COMMAND
 6989 ?        Ss     8:45 /usr/lib/postfix/master

Is this the expected location of postfix, in the /var/lib/postfix directory?

OK, I blocked port 25 on the firewall to prevent being blocked by the ISP, but what should I look for? How do I find compromised files under user web285?

I am not a master of Linux, but I can still copy-paste quite well. Ideas?
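One way to triage the mail log for the question above, as an added example that is not part of the original post: it separates messages queued locally (Postfix `pickup`, which logs the submitting uid) from messages received over port 25 (`smtpd`, which logs the client). The log lines, uid 5004, address and IP below are constructed sample values.

```python
import re
import sys
from collections import Counter

# Postfix logs one line per event, keyed by queue ID:
#   postfix/pickup QID: uid=N from=<..>  -> queued locally via the sendmail binary (e.g. PHP mail())
#   postfix/smtpd  QID: client=host[ip]  -> received over the network on port 25
PICKUP = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=([^,\s]+)")
QMGR = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

# Constructed sample log lines (not taken from the poster's server).
SAMPLE = """\
Mar  3 10:00:01 srv postfix/pickup[7001]: 1A2B3C4D5E: uid=5004 from=<web285@example.test>
Mar  3 10:00:01 srv postfix/qmgr[6990]: 1A2B3C4D5E: from=<web285@example.test>, size=812, nrcpt=2 (queue active)
Mar  3 10:00:05 srv postfix/smtpd[7010]: 2B3C4D5E6F: client=unknown[203.0.113.7]
Mar  3 10:00:05 srv postfix/qmgr[6990]: 2B3C4D5E6F: from=<web285@example.test>, size=900, nrcpt=1 (queue active)
Mar  3 10:00:09 srv postfix/pickup[7001]: 3C4D5E6F70: uid=5004 from=<web285@example.test>
Mar  3 10:00:09 srv postfix/qmgr[6990]: 3C4D5E6F70: from=<web285@example.test>, size=640, nrcpt=1 (queue active)
"""


def summarize(lines):
    """Total recipients and envelope senders per origin: ('local', uid) or ('remote', client)."""
    origin = {}             # queue ID -> how the message entered Postfix
    recipients = Counter()  # origin -> recipients queued
    senders = {}            # origin -> set of envelope senders
    for line in lines:
        m = PICKUP.search(line)
        if m:
            origin[m.group(1)] = ("local", "uid=" + m.group(2))
        m = SMTPD.search(line)
        if m:
            origin[m.group(1)] = ("remote", m.group(2))
        m = QMGR.search(line)
        if m:
            # A queue ID whose entry line was rotated out of the log is 'unknown'.
            key = origin.get(m.group(1), ("unknown", "-"))
            recipients[key] += int(m.group(3))
            senders.setdefault(key, set()).add(m.group(2))
    return recipients, senders


if __name__ == "__main__":
    # Pass a mail log path as the first argument, or run with no argument for the sample.
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE.splitlines()
    recipients, senders = summarize(src)
    for key, n in recipients.most_common():
        print("%-7s %-24s recipients=%d senders=%s" % (key[0], key[1], n, sorted(senders[key])))
```

A `local` uid resolves to an account with `getent passwd <uid>`, which points at that user's web scripts; a `remote` client means the mail came in over port 25 instead.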