www-data sending spam mail, how to stop this?

July 8, 2015 3.1k views
Email Security Ubuntu

www-data@domain name U=www-data P=local S=2299
2015-07-08 16:34:28 1ZCn9Q-0003u1-SL crammd5 authenticator failed H=smtp-********* [...] Error: authentication failed: authentication failure
2015-07-08 16:34:29 1ZCn9Q-0003u1-SL => alberto53141@outlook.com Alberto53141@outlook.com R=smarthost T=remote
smtpsmarthost H=smtp.....auth.iitb.ac.in [10.200.1.125] X=TLS1.0:RSAAES256CBC_SHA1:32 DN="serialNumber=ds1qY45ldiSbrKEu29LdIyx57hEV0mpa,C=IN,ST=----------,L=--------i,O=-----------------,OU=--------------------------------,CN=*.domain name"
2015-07-08 16:34:29 1ZCn9Q-0003u1-SL Completed

Mails are repeatedly going to different IDs. Please help, I am a newbie to exim and Linux also.

3 comments
  • One of your scripts on your website has been compromised.

    Let's find the culprit. If you started getting this a day ago:

    find /var/www/ -mtime -1
    

    This will find all files modified in the last day

    Change the "-1" to the number of days this has been going on

    Also, try this:

    fgrep "base64_decode" /var/www/ -R|grep "eval"
    

    This won't catch them all, and there will be false positives, but it's a place to start.

    Also, stop postfix until you resolve this issue.

  • Thanks JonsJava, but in my exim4 logs I am having logs from 29 Jun 2015 till today,
    and these logs show all the activity above. I will try the above steps.

  • JonsJava, any clue?

1 Answer

This question was answered by @JonsJava:

One of your scripts on your website has been compromised.

Let's find the culprit. If you started getting this a day ago:

find /var/www/ -mtime -1

This will find all files modified in the last day

Change the "-1" to the number of days this has been going on

Also, try this:

fgrep "base64_decode" /var/www/ -R|grep "eval"

This won't catch them all, and there will be false positives, but it's a place to start.

Also, stop postfix until you resolve this issue.
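
The two checks in the answer above can be driven from the Exim log itself. This is an added example, not part of the original thread: it takes the first day on which www-data submitted local mail, turns that into the day count for `find -mtime`, and keeps only recently changed files that have `eval` and `base64_decode` on the same line. The function names are hypothetical, the log path in the comments is the Debian/Ubuntu default, and `date -d` assumes GNU date.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample paths are assumptions.

# Earliest day on which the www-data user handed mail to Exim locally.
# Arrival lines in the Exim main log carry "<=" plus U=<user> P=local, e.g.
#   2015-07-08 16:34:28 <msg-id> <= <sender> U=www-data P=local S=2299
first_local_www_data_day() {
    # $1: Exim main log (Debian/Ubuntu default: /var/log/exim4/mainlog)
    awk '/ <= / && / U=www-data( |$)/ && / P=local( |$)/ { print $1 }' "$1" |
        sort | head -n 1
}

# Whole days from YYYY-MM-DD until now, rounded up so that
# "find -mtime -N" still covers the first day. Needs GNU date for -d.
days_since() {
    echo $(( ( $(date -u +%s) - $(date -u -d "$1" +%s) ) / 86400 + 1 ))
}

# Files under web root $1 changed in the last $2 days that have eval and
# base64_decode on the same line (same filter as the fgrep | grep pipeline).
recent_obfuscated_files() {
    find "$1" -type f -mtime "-$2" \
        -exec grep -lE 'eval.*base64_decode|base64_decode.*eval' {} + | sort
}

# Typical use, run as root on the affected host:
#   day=$(first_local_www_data_day /var/log/exim4/mainlog)
#   recent_obfuscated_files /var/www "$(days_since "$day")"
```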
