On Tue, Jun 16, 2015 at 06:51:24PM -0700, Jithesh AP wrote:
> This is the maillog result of the grep, but I don't see IP address etc. (not
> sure if the actual log got deleted when I removed the big log).
>
> Jun 16 13:21:49 ml postfix/pickup[23232]: 0C9B14166A: uid=5005
> from=<cdbphlavjop...@wysina.com.tw>
> Jun 16 13:21:49 ml postfix/cleanup[20077]: 0C9B14166A:
> message-id=<kflvqedfdosxjjhkebewy...@sfilc.com>
This was created locally via the "sendmail" command. What user account has "uid" 5005? If this is www-data or similar, you likely have an insecure PHP script that is being exploited to send spam. Just look for any other log entries with the same message-id: kflvqedfdosxjjhkebewy...@sfilc.com but also do quickly run "getent passwd 5005" and report the results.

-- 
Viktor.
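As an added example (not part of this thread), a POSIX shell script that does the correlation Viktor describes on constructed sample data: it finds the pickup line for uid 5005, takes its queue id, collects every log line for that queue id (including the cleanup line carrying the message-id), and maps the uid to an account name from a passwd-format file, which stands in for "getent passwd 5005" on a real host. All log lines, addresses and passwd entries below are constructed.

```shell
#!/bin/sh
# Added example: correlate a postfix pickup entry (local "sendmail" submission)
# with the rest of the mail log and resolve the submitting uid to an account.
MAILLOG=$(mktemp); PASSWD=$(mktemp)
trap 'rm -f "$MAILLOG" "$PASSWD"' EXIT

# Constructed sample log: one locally submitted message (queue id 0C9B14166A)
# and one unrelated inbound SMTP session.
cat > "$MAILLOG" <<'EOF'
Jun 16 13:21:49 ml postfix/pickup[23232]: 0C9B14166A: uid=5005 from=<sender@example.invalid>
Jun 16 13:21:49 ml postfix/cleanup[20077]: 0C9B14166A: message-id=<fake-id@example.invalid>
Jun 16 13:21:49 ml postfix/qmgr[1234]: 0C9B14166A: from=<sender@example.invalid>, size=1234, nrcpt=1 (queue active)
Jun 16 13:21:50 ml postfix/smtp[5555]: 0C9B14166A: to=<rcpt@example.invalid>, relay=mx.example.invalid[192.0.2.10]:25, status=sent (250 OK)
Jun 16 13:22:00 ml postfix/smtpd[6666]: 1D2E34166B: client=unknown[198.51.100.7]
EOF
# Constructed passwd data; on a real system query the NSS database with getent.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
www-data:x:5005:5005:www-data:/var/www:/usr/sbin/nologin
EOF

# Queue id of the first pickup line submitted by the given uid.
# Fields: $5 = "postfix/pickup[pid]:", $6 = "QUEUEID:", $7 = "uid=NNNN".
pickup_queue_id() { # $1=log file  $2=uid
  awk -v uid="$2" '$5 ~ /^postfix\/pickup\[/ && $7 == "uid=" uid {
    sub(/:$/, "", $6); print $6; exit }' "$1"
}

# Every log line for a queue id, across pickup, cleanup, qmgr and smtp.
queue_lines() { grep -F " $2: " "$1"; } # $1=log file  $2=queue id

# Message-id logged by cleanup for that queue id.
queue_message_id() { # $1=log file  $2=queue id
  queue_lines "$1" "$2" | sed -n 's/.*message-id=<\([^>]*\)>.*/\1/p'
}

# Account name for a uid from a passwd-format file.
uid_to_name() { # $1=passwd file  $2=uid
  awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

main() {
  qid=$(pickup_queue_id "$MAILLOG" 5005)
  echo "pickup queue id for uid 5005: $qid"
  echo "submitting account: $(uid_to_name "$PASSWD" 5005)"
  echo "message-id: $(queue_message_id "$MAILLOG" "$qid")"
  echo "all log lines for $qid:"; queue_lines "$MAILLOG" "$qid"
}
main
```

Against a live system, point MAILLOG at the real log and replace uid_to_name with "getent passwd UID"; a non-human account such as www-data on the pickup line is the signal Viktor is asking about.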