Hi, my old Ubuntu 12.04 seems to be compromised and used as a MAIL RELAY or SPAM SOURCE. In the mail log I see a lot of outgoing (and incoming) mail, but most of it FROM and TO one of the ISPConfig web users:

Code:
from=<[email protected]>.........

Now, one very weird thing is that I do not remember ever setting up an SMTP server. I always gave instructions to my WEB customers on this server to use the SMTP method of sending mail out, rather than the default php sendmail, because it is not configured here for security reasons. But now I can see an SMTP process listening on port 25:

Code:
lsof -i:25
COMMAND PID  USER FD  TYPE DEVICE SIZE/OFF NODE NAME
master  6989 root 12u IPv4 21159  0t0      TCP  *:smtp (LISTEN)
master  6989 root 13u IPv6 21160  0t0      TCP  *:smtp (LISTEN)
root@myserver:/# ps 6989
PID  TTY STAT TIME COMMAND
6989 ?   Ss   8:45 /usr/lib/postfix/master

Is this the expected location of postfix in /var/lib/postfix directory? Ok, I blocked port 25 on the firewall to prevent being blocked by the ISP, but what to look for? How to find compromised files under user web285? I am not a master of Linux, but still I can copy-paste quite well. Ideas?
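One way to see which local account is handing mail to Postfix (added example, not code from the thread): the pickup daemon logs the uid of whoever called sendmail, so mail injected by a web user's PHP scripts shows up under that web user's uid, while SMTP-authenticated mail shows up on smtpd lines with sasl_username. The log lines below are constructed for the demonstration; the uids and addresses are assumptions.

```shell
#!/bin/sh
# Added example: triage a Postfix mail.log to find who submits the mail.
# Local submissions (sendmail/pickup) carry the uid of the submitting user,
# which is how a web user such as web285 in the post would stand out.

# Count locally submitted messages per uid and sender address.
# Usage: pickup_submitters /var/log/mail.log
pickup_submitters() {
    grep 'postfix/pickup' "$1" \
      | sed -n 's/.*uid=\([0-9]*\) from=<\([^>]*\)>.*/\1 \2/p' \
      | sort | uniq -c | sort -rn
}

# Count SMTP-authenticated submissions per sasl_username.
# Usage: sasl_submitters /var/log/mail.log
sasl_submitters() {
    grep 'postfix/smtpd' "$1" \
      | sed -n 's/.*sasl_username=\([^ ,]*\).*/\1/p' \
      | sort | uniq -c | sort -rn
}

# Write a constructed sample log (not real data) and print its path.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Jan 10 10:00:01 myserver postfix/pickup[1201]: 1A2B3C4D5E: uid=5285 from=<web285@example.com>
Jan 10 10:00:02 myserver postfix/qmgr[1199]: 1A2B3C4D5E: from=<web285@example.com>, size=2101, nrcpt=1 (queue active)
Jan 10 10:00:03 myserver postfix/pickup[1201]: 2B3C4D5E6F: uid=5285 from=<web285@example.com>
Jan 10 10:00:04 myserver postfix/pickup[1201]: 3C4D5E6F70: uid=5012 from=<web12@example.com>
Jan 10 10:00:05 myserver postfix/smtpd[1300]: 4D5E6F7081: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=info@example.com
Jan 10 10:00:06 myserver postfix/pickup[1201]: 5E6F708192: uid=5285 from=<web285@example.com>
EOF
    printf '%s\n' "$f"
}

# Stand-alone run against the constructed sample: uid 5285 tops the list.
LOG=$(make_sample_log)
echo "Local (pickup) submissions by uid and sender:"
pickup_submitters "$LOG"
echo "SMTP-authenticated submissions by sasl_username:"
sasl_submitters "$LOG"
rm -f "$LOG"
```

Against the real log, map the top uid back to a user with `getent passwd <uid>` and then look at that web user's document root.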
Of course. 12.04 is too old and has not been supported for more than 3 years. And about your problem, please do an OS upgrade to a supported version before asking for help, because any support given may only be really useful if your server OS is fully supported.
As a first step, you can use the free trial version from ISPProtect https://ispprotect.com/ to scan the whole /var/www directory.
@till, thank you, very useful tool, will consider buying if possible. Found a lot of malware, hacked PHP files, injected code... @ahrasis, no way to update this server. Tried at least twice, spent a whole weekend with my hacked Linux geek friend, but too many things were not working, messed up settings, web sites... have over 300 customers there, and this would cause an uncontrollable number of phone calls early Monday morning... upgrade is of no avail.
If you are responsible for 300 customers, it is very irresponsible to run a system that old. Consider setting up a new ISPConfig system and migrating to that with the migration tool: https://www.ispconfig.org/add-ons/ispconfig-migration-tool/ You can also use paid support to set up a new system and help with the migration, of course.