On Tue, 16 Jun 2015 19:08:36 -0700, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Tue, Jun 16, 2015 at 06:51:24PM -0700, Jithesh AP wrote:
> > This is the maillog result of the grep, but I don't see the IP address etc. (not
> > sure if the actual log got deleted when I removed the big log).
> >
> > Jun 16 13:21:49 ml postfix/pickup[23232]: 0C9B14166A: uid=5005 from=<cdbphlavjop...@wysina.com.tw>
> > Jun 16 13:21:49 ml postfix/cleanup[20077]: 0C9B14166A: message-id=<kflvqedfdosxjjhkebewy...@sfilc.com>
>
> This was created locally via the "sendmail" command.  What user
> account has "uid" 5005?  If this is www-data or similar, you likely
> have an insecure PHP script that is being exploited to send spam.
>
> Just look for any other log-entries with the same message-id:
>
>     kflvqedfdosxjjhkebewy...@sfilc.com
>
> but also do quickly run "getent passwd 5005" and report the results.


spamfilter:x:5005:5005::/usr/local/spamassassin:/bin/false

It's the user used to run spamassassin. I did open the ports and I saw that as soon as I open port 25 I get the flood, and the uid used is 5005. Should I change this user? Since it is not related to any www or http, I assume it's not PHP or anything like that causing it.

--
Using Opera's mail client: http://www.opera.com/mail/
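The two checks Viktor suggests (pivot on the message-id to find every log line for that message, and map the submitting uid to an account name) can be scripted; this is an added example, not code from the thread. The log lines are constructed in the format quoted above, and the uid-to-name table passed to `resolve_uid` is an offline stand-in for `getent passwd`:

```python
import re
from collections import defaultdict

# Constructed sample maillog excerpt in the format shown in the thread (not a real capture).
SAMPLE_LOG = """\
Jun 16 13:21:49 ml postfix/pickup[23232]: 0C9B14166A: uid=5005 from=<cdbphlavjop@example.invalid>
Jun 16 13:21:49 ml postfix/cleanup[20077]: 0C9B14166A: message-id=<kflvqedf@example.invalid>
Jun 16 13:21:50 ml postfix/qmgr[1234]: 0C9B14166A: from=<cdbphlavjop@example.invalid>, size=1421, nrcpt=1 (queue active)
Jun 16 13:22:01 ml postfix/pickup[23232]: 1D7C24166B: uid=5005 from=<qwerty@example.invalid>
Jun 16 13:22:01 ml postfix/cleanup[20077]: 1D7C24166B: message-id=<abc123@example.invalid>
Jun 16 13:25:12 ml postfix/pickup[23232]: 2E8D34166C: uid=0 from=<root@ml.example.invalid>
Jun 16 13:25:12 ml postfix/cleanup[20077]: 2E8D34166C: message-id=<20150616132512.GA1@ml.example.invalid>
"""

# pickup(8) logs the submitting uid; every daemon logs the queue ID after its pid.
PICKUP_RE = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+)")
QID_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+):")
MSGID_RE = re.compile(r"message-id=<(?P<msgid>[^>]+)>")

def pickups_per_uid(log):
    """Count locally submitted (pickup) messages per uid; one uid dominating is the tell."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            counts[int(m.group("uid"))] += 1
    return dict(counts)

def lines_for_message_id(log, msgid):
    """Return every log line sharing a queue ID with the given message-id."""
    qids = set()
    for line in log.splitlines():
        m = MSGID_RE.search(line)
        if m and m.group("msgid") == msgid:
            q = QID_RE.search(line)
            if q:
                qids.add(q.group("qid"))
    return [line for line in log.splitlines()
            if (q := QID_RE.search(line)) and q.group("qid") in qids]

def resolve_uid(uid, passwd_db=None):
    """Map a uid to an account name, like 'getent passwd <uid>'.

    passwd_db is a constructed {uid: name} table for offline use; when it is None the
    host's own passwd database is consulted via the pwd module.
    """
    if passwd_db is not None:
        return passwd_db.get(uid)
    import pwd
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None
```

Pointing `pickups_per_uid` at the real maillog shows whether the flood is all one uid, and `resolve_uid` tells you which account (here the spamassassin user) owns that pipe into `sendmail`.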