UCE Being Sent Using www-data (Help Me Stop This)

Discussion in 'Server Operation' started by giganet, Jun 2, 2009.

  1. giganet

    giganet New Member

    Hello group

    For some time now SPAMMERS have been utilizing the Apache2 usr/grp name www-data to send SPAM/UCE which I get penalized for by Verizon Business my primary bandwidth provider.

    This appears to be a vulnerability within Apache??

    At either rate I have been searching Online trying to find a solution but am failing to this point.

    How would I go about disabling the Apache2 usr/grp 'www-data' from being able to send E-Mail from my server?

    I have read about how some people are changing the usr/grp name within Apache2 but I am unsure if I should pursue this option...

    Thanking you in advance for your help with this

    Best Regards
  2. Zotter

    Zotter New Member


    Stop the spread of whatever - isolate it and eliminate possible threats to others.

    Then, you need to identify how it has been compromised or at least prove that it hasn't been. Appearances, from my perspective, say it has. Or, you've some basic and easily exploitable service mis-configured. Either way - it's up to you to identify what and how to fix it, later.

    Once you've identified HOW, you have to clean it all up. Don't forget - just fixing what you have found, doesn't mean you got it all. Backup your data and settings and wipe the box to factory null - then re-install everything from known sterile media. Once compromised, there is no sure way to *know* you've fixed things and you're not still compromised - short of a clean install from known sterile media.

    Anything short of that is a 'band-aid'.

    Now that you've a clean server - and *know* it's clean - use what you learned in how it was first compromised to harden it against similar, future attacks. Spread the word and share your painfully gained knowledge so others can defend or prevent similar issues.

    Some other discussions that may be helpful:


    And more - search on 'Apache Security', 'my servers been hacked' and the like.

Share This Page