Postfix Server sending spam

Discussion in 'Server Operation' started by mmidgett, Aug 5, 2013.

  1. mmidgett

    mmidgett Member

    I got a server that went rogue this morning and is hammering away with sending spam. Here is a line from the mail log:

    80591B418B0* 115619 Mon Aug 5 16:25:10 [email protected]
    [email protected]

    By looking at this it tells me that the website at ID121 in ispconfig is sending php mail. That is not possible because I have disable_functions = mail in the custom php.ini for that website. After that didn't stop it I removed the website completely from the server. It's still saying it's sending email as that website. I've restarted postfix and apache as well as amavis.

    I'm kinda at a loss here. Normally when this happens it's a client computer and I can tell from postcat who is sending or by watching the mail log. I'm at a loss and it's hammering away and I keep removing the mail from the Q but I can't do this all night.
  2. kontrabant

    kontrabant New Member

    Probably you have one process running with that ID!
    Use postcat and you will see something like:
    ""envelope-from <[email protected]""

    So user someuser is running the script

    look for the running script:
    ps -U someuser

    kill it.

    You could try also:

    And at the end install:
  3. mmidgett

    mmidgett Member

    Thank you for your reply. During the time I was waiting for help I removed the domain from ISPConfig and as soon as I did the mails stopped. I had already backed up the site. And as root I tried to remove the web dir and it told me I didn't have permission to do so. I chowned the dir and then removed it but the script still ran till I removed the domain from the CP. It was just strange. I thank you for your help and I will look into the malware scanner. Btw the site was a current release WordPress site. I told them to use Joomla.
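
Added example, not part of the thread: one way to find the local account behind the spam, which is what the postcat and `ps -U` advice above aims at, is to count Postfix `pickup` log lines per uid. The log lines are constructed samples, and the uids, user names and the `/var/log/mail.log` path in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): count locally submitted mail per Unix
# uid. Postfix logs a "pickup" line with uid= for mail injected through the
# sendmail binary (which PHP mail() uses); remote clients appear as "smtpd".

# Constructed sample lines in Postfix syslog format; uids and names are made up.
sample_log() {
cat <<'EOF'
Aug  5 16:25:08 mail postfix/pickup[2211]: 80591B418B0: uid=5004 from=<web121>
Aug  5 16:25:08 mail postfix/qmgr[1200]: 80591B418B0: from=<web121@host.example>, size=115619, nrcpt=1 (queue active)
Aug  5 16:25:09 mail postfix/pickup[2211]: 9A2C1B418B3: uid=5004 from=<web121>
Aug  5 16:25:09 mail postfix/smtpd[2300]: 1F00CB418B7: client=pc.example[192.0.2.10], sasl_method=PLAIN, sasl_username=user@example.org
Aug  5 16:25:10 mail postfix/pickup[2211]: 3C7D2B418B9: uid=33 from=<www-data>
Aug  5 16:25:10 mail postfix/pickup[2211]: 5E11AB418BC: uid=5004 from=<web121>
EOF
}

# Read a mail log on stdin; print "count uid sender", busiest uid first.
# Only pickup lines are counted, so SMTP clients (smtpd) are excluded.
pickup_by_uid() {
    awk '
        /postfix\/pickup\[[0-9]+\]: [0-9A-Za-z]+: uid=[0-9]+ from=</ {
            uid = ""; from = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^uid=/)   uid  = substr($i, 5)
                if ($i ~ /^from=</) from = $i
            }
            gsub(/^from=<|>$/, "", from)   # strip the from=< > wrapper
            count[uid " " from]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2n
}

# Demo on the constructed sample. On a live server the input would be the
# mail log instead, e.g. pickup_by_uid < /var/log/mail.log (path assumed).
sample_log | pickup_by_uid
```

The top uid can be mapped to an account with `getent passwd <uid>` and its running processes listed with `ps -U`, as suggested in the reply above.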
