On 25.12.2010 19:55, ASAI wrote:
Greetings,

In the logs I have been seeing many attempts made to send messages to gmail which seem like there's spam being sent from my server. In the logs I see this:

Dec 24 00:05:11 triata amavis[29729]: (29729-06) Passed CLEAN, <apa...@triata.globalchangemultimedia.net> -> <ickovjulee...@gmail.com>, Message-ID: <20101224070510.bf7acfd8...@triata.globalchangemultimedia.net>, mail_id: s69xqJA1Kuer, Hits: -2.6, size: 669, queued_as: 9F457FD80A9, 898 ms
Dec 24 00:05:11 triata postfix/smtp[1065]: BF7ACFD8063: to=<ickovjulee...@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=0.09/0.01/0/0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F457FD80A9)

The problem is that there is no user named apa...@triata..., and this user is sending hundreds of emails out to Gmail. So it looks like there's been a compromise. My question is, how do I begin to plug this hole?

As already said, find the malicious script/form in Apache.
Maybe start by comparing the Apache log timestamps with the Postfix logs.
You should see a POST at the time when Postfix gets the mail from localhost.
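The correlation suggested above, as an added example that is not part of the thread: it pairs each Postfix `smtpd` line showing a submission from `localhost` with any Apache POST logged within a few seconds before it. The log lines are constructed samples (the queue id is reused from the post); it assumes the web script hands mail to Postfix over SMTP on localhost rather than via the `sendmail` binary (which would show up under `postfix/pickup` instead), and that both logs use the same local time.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the original thread). Syslog format as in the
# post for Postfix; default Apache "combined" format for the web server.
POSTFIX_LOG = """\
Dec 24 00:05:10 triata postfix/smtpd[1060]: BF7ACFD8063: client=localhost[127.0.0.1]
Dec 24 00:05:11 triata postfix/smtp[1065]: BF7ACFD8063: to=<someone@example.com>, relay=127.0.0.1[127.0.0.1]:10024, status=sent
Dec 24 00:09:30 triata postfix/smtpd[1071]: C0FFEE1234: client=mail.example.net[192.0.2.10]
"""
APACHE_LOG = """\
192.0.2.55 - - [24/Dec/2010:00:05:09 -0700] "POST /forms/contact.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Dec/2010:00:07:02 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Only smtpd lines where the submitting client is localhost are of interest.
SYSLOG_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: '
                       r'([0-9A-F]+): client=localhost\[127\.0\.0\.1\]')
# Client IP, timestamp (offset ignored: assumed same local time as syslog) and POST path.
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d+/\w+/\d+:\d\d:\d\d:\d\d) [^\]]+\] "POST (\S+)')

def local_submissions(postfix_log, year):
    """(timestamp, queue_id) for every mail Postfix accepted from localhost (syslog has no year)."""
    out = []
    for line in postfix_log.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            out.append((datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)))
    return out

def posts(apache_log):
    """(timestamp, client_ip, path) for every POST in the Apache access log."""
    out = []
    for line in apache_log.splitlines():
        m = APACHE_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"), m.group(1), m.group(3)))
    return out

def correlate(postfix_log, apache_log, year=2010, window=5):
    """(queue_id, client_ip, path, seconds_before) for each local submission that a POST preceded within `window` s."""
    hits = []
    web = posts(apache_log)
    for mail_ts, qid in local_submissions(postfix_log, year):
        for web_ts, ip, path in web:
            delta = (mail_ts - web_ts).total_seconds()
            if 0 <= delta <= window:
                hits.append((qid, ip, path, delta))
    return hits
```

Each hit names the script path to inspect and the client IP that drove it; on a real box, `window` needs to cover the delay between the POST and Postfix logging the submission.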
