Question

www-data sending spam mail, how to stop this?

www-data@domain name U=www-data P=local S=2299
2015-07-08 16:34:28 1ZCn9Q-0003u1-SL cram_md5 authenticator failed H=smtp-********* [...] Error: authentication failed: authentication failure
2015-07-08 16:34:29 1ZCn9Q-0003u1-SL => alberto53141@outlook.com Alberto53141@outlook.com R=smarthost T=remote_smtp_smarthost H=smtp***...*.*.auth.iitb.ac.in [10.200.1.125] X=TLS1.0:RSA_AES_256_CBC_SHA1:32 DN="serialNumber=ds1qY45ldiSbrKEu29LdIyx57hEV0mpa,C=IN,ST=----------,L=--------i,O=-----------------,OU=--------------------------------,CN=.domain name"
2015-07-08 16:34:29 1ZCn9Q-0003u1-SL Completed

Mails are repeatedly going to different IDs. Please help, I am a newbie to exim and Linux also.


One of your scripts on your website has been compromised.

Let’s find the culprit. If you started getting this a day ago:

find /var/www/ -mtime -1

This will find all files modified in the last day.

Change the “-1” to the number of days this has been going on.

Also, try this:

fgrep "base64_decode" /var/www/ -R|grep "eval"

This won’t catch them all, and there will be false positives, but it’s a place to start.

Also, stop postfix until you resolve this issue.
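
The two checks from this answer, tied to the exim log format in the question, as an added example that is not part of the original answer: it counts the messages www-data submitted locally per day (to pick the -mtime window) and lists recently modified files with eval and base64_decode on one line. Function names are hypothetical, and the log lines and files in the demo are constructed.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; demo data is constructed.

# submissions_per_day LOG USER
# Count messages USER handed to exim locally, per day. Exim logs an arrival as
#   DATE TIME MSGID <= SENDER U=USER P=local S=SIZE
# so the first date listed for www-data shows how far back to search.
submissions_per_day() {
    awk -v u="U=$2" '$4 == "<=" {
        isuser = 0; islocal = 0
        for (i = 5; i <= NF; i++) {
            if ($i == u) isuser = 1
            if ($i == "P=local") islocal = 1
        }
        if (isuser && islocal) n[$1]++
    }
    END { for (d in n) print d, n[d] }' "$1" | sort
}

# suspect_files ROOT DAYS
# Files under ROOT modified in the last DAYS days with eval and base64_decode
# on the same line: the same match as the fgrep | grep pipeline, limited to
# recent files and printing each file name once.
suspect_files() {
    find "$1" -type f -mtime "-$2" \
        -exec grep -lE 'eval.*base64_decode|base64_decode.*eval' {} + | sort
}

# Demo on constructed data in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/mainlog" <<'EOF'
2015-06-29 03:10:01 1ZAaaa-0000aa-AA <= www-data@example.test U=www-data P=local S=2101
2015-06-29 03:10:02 1ZAaaa-0000aa-AA => user1@example.org R=smarthost
2015-07-08 16:34:28 1ZCn9Q-0003u1-SL <= www-data@example.test U=www-data P=local S=2299
2015-07-08 16:40:00 1ZCnAA-0003u2-AB <= root@example.test U=root P=local S=512
2015-07-08 16:41:11 1ZCnBB-0003u3-AC <= www-data@example.test U=www-data P=local S=2300
EOF
    mkdir "$d/www"
    echo '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' > "$d/www/new.php"
    echo '<?php eval(base64_decode("ZWNobyAxOw==")); ?>' > "$d/www/old.php"
    echo '<?php echo "hello"; ?>' > "$d/www/index.php"
    touch -t 201401010000 "$d/www/old.php"   # older than the search window
    submissions_per_day "$d/mainlog" www-data
    suspect_files "$d/www" 10
    rm -rf "$d"
}
demo
```

On a real host, point the first function at the exim main log and the second at the web root. A file whose timestamp was reset after modification will not show up in the second list.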


JonsJava, any clue?

Thanks JonsJava, but in my exim4 logs I have entries from 29 Jun 2015 until today, and these logs show all the activity above. I will try the above steps.


This question was answered by @JonsJava.