www-data sending spam mail hot to stop this?

Posted July 8, 2015
Email Security Ubuntu

www-data@domain name U=www-data P=local S=2299 2015-07-08 16:34:28 1ZCn9Q-0003u1-SL cram_md5 authenticator failed H=smtp-********* [...] Error: authentication failed: authentication failure 2015-07-08 16:34:29 1ZCn9Q-0003u1-SL => alberto53141@outlook.com Alberto53141@outlook.com R=smarthost T=remote_smtp_smarthost H=smtp***...*.*.auth.iitb.ac.in [10.200.1.125] X=TLS1.0:RSA_AES_256_CBC_SHA1:32 DN="serialNumber=ds1qY45ldiSbrKEu29LdIyx57hEV0mpa,C=IN,ST=----------,L=--------i,O=-----------------,OU=--------------------------------,CN=.domain name" 2015-07-08 16:34:29 1ZCn9Q-0003u1-SL Completed

repeatadely going mails to different idies plz help i am newbie to exim. and linux also

ajitmhatre9

JonsJava • July 8, 2015

One of your scripts on your website has been compromised.

let’s find the culprit. If you started getting this a day ago:

find /var/www/ -mtime -1

This will find all files modified in the last day

Change the “-1” to the number of days this has been going on

Also, try this:

fgrep "base64_decode" /var/www/ -R|grep "eval"

This won’t catch them all, and there will be false positives, but it’s a place to start.

Also, stop postfix until you resolve this issue.

JonsJava • July 8, 2015

One of your scripts on your website has been compromised.

let’s find the culprit. If you started getting this a day ago:

find /var/www/ -mtime -1

This will find all files modified in the last day

Change the “-1” to the number of days this has been going on

Also, try this:

fgrep "base64_decode" /var/www/ -R|grep "eval"

This won’t catch them all, and there will be false positives, but it’s a place to start.

Also, stop postfix until you resolve this issue.

ajitmhatre9 • July 10, 2015

JonsJava any clue ???

ajitmhatre9 • July 9, 2015

thanks JonsJava but in my exim4 logs, i m having logs from 29- jun 2015 to till today. and in this logs showing all the activity above. i will try the above steps

ajitmhatre9 • July 9, 2015

This comment has been deleted

ajitmhatre9 • July 9, 2015

This comment has been deleted

Submit an answer

You can type!ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Ryan Quinn • June 7, 2016

This question was answered by @JonsJava:

One of your scripts on your website has been compromised.

let’s find the culprit. If you started getting this a day ago:
find /var/www/ -mtime -1
This will find all files modified in the last day

Change the “-1” to the number of days this has been going on

Also, try this:
fgrep "base64_decode" /var/www/ -R|grep "eval"
This won’t catch them all, and there will be false positives, but it’s a place to start.

Also, stop postfix until you resolve this issue.

View the original comment

Join the DigitalOcean Community

Join 1M+ other developers and:

Get help and share knowledge in Q&A
Subscribe to topics of interest
Get courses & tools that help you grow as a developer or small business owner

How to set up postfix on nginx server to allow WP send emails through outlook.com aka (mail.live.com) via SMTP with TLS auth?

Question

Installing PHP-FPM with Apache2 on Ubuntu 12.10

Question

Join the DigitalOcean Community

Join 1M+ other developers and:

Get help and share knowledge in Q&A
Subscribe to topics of interest
Get courses & tools that help you grow as a developer or small business owner

Related

Question

www-data sending spam mail hot to stop this?

Related