Home / server / Questions / 783580
In Process
Miloš Đakonović
Asked: 2016-06-14 00:20:33 +0800 CST

Find out exactly what (which php script) is trying to send spam from server

  • 772

Last night my server was compromised (I guess - one of outdated PHP CMS's) and many spam messages were sent. I have restricted access to Postfix (via authorized_submit_users directive in main.cf) which resulted in successful damage control - now sending of spam is prevented and I get enteries like:

Jun 13 10:12:16 aurora postfix/sendmail[11715]: fatal: User www-data(33) is not allowed to submit mail
Jun 13 10:12:16 aurora postfix/sendmail[11717]: fatal: User www-data(33) is not allowed to submit mail
Jun 13 10:12:17 aurora postfix/sendmail[11719]: fatal: User www-data(33) is not allowed to submit mail
Jun 13 10:12:18 aurora postfix/sendmail[11721]: fatal: User www-data(33) is not allowed to submit mail
Jun 13 10:12:19 aurora postfix/sendmail[11723]: fatal: User www-data(33) is not allowed to submit mail

My question is - what to do to find script that is trying to abuse my Postfix server - is there a way for Postfix to tell me what is triggering command on local system?

I cannot keep web server user (www-data) away from option to send emails forever.

security smtp postfix sendmail

2 Answers

  1. Did you check web log? Try to look process with ps to identify process which sending spam. Maybe you can catch it there.

    Second, maybe spammer periodically send by crontab, check every crontab in your system to identified the bogus script.

    Сheck one of the email with postcat to see which script tries to send them: postcat /var/spool/postfix/deferred/1/{$mail-id}

    • 1

  2. The question you might want to ask yourself, is what is the benefit in knowing what script sent the email? Certainly you should be looking to fix your security, but the exploit is not the same thing as the vulnerability - there are multiple things an attacker might do with your system, not just sending email. So really your focus should be on fixing the vunerability. But I'll play along for now....

    what to do to find script

    Most likely it'll be the one containing a call to the mail or fsockopen functions. Although it could also have been sent by one of the exec functions. Conceivably it could have been sent by a call to preg_replace with the 'e' modifier.

    If it were me, I would start by attempting to match the mail log entries with the webserver access_log to try to identify the URLs which may have resulted in the emails being sent.

    • 0