
Apache Postfix botnet Spam?

Jayson

Basic Pleskian
Hello,

I have seen lots of spam in my Postfix queue coming from Apache with no PHP script listed.

Jan 30 14:48:09 majestic postfix/qmgr[29260]: D11DEECD1F1: from=<>, size=11154, nrcpt=1 (queue active)
<[email protected]>, relay=none, delay=0, delays=0/0/0/0, dsn=5.0.0, status=bounced (User unknown in virtual alias table)

I can't find what script is responsible for sending it. I have looked through the maillog and access_log (apache) without luck.


Can anyone suggest how to locate an offending script, or perhaps how to block this?

Thank you,
 
31.184.244.18 - - [22/Jan/2013:02:03:28 -0800] "POST /.e13d.php HTTP/1.1" 404 433 "-" "-"
31.184.244.18 - - [22/Jan/2013:02:03:30 -0800] "POST /anon_ftp/.e13d.php HTTP/1.1" 404 442 "-" "-"
31.184.244.18 - - [22/Jan/2013:02:03:36 -0800] "POST /.6645.php HTTP/1.1" 404 433 "-" "-"
31.184.244.18 - - [22/Jan/2013:02:03:38 -0800] "POST /cgi-bin/.6645.php HTTP/1.1" 200 622 "-" "-"
31.184.244.18 - - [22/Jan/2013:02:03:49 -0800] "POST /.81c8.php HTTP/1.1" 200 61434 "-" "-"

31.184.244.18 - - [22/Jan/2013:06:39:30 -0800] "POST /.81c8.php HTTP/1.1" 200 190 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Firefox/11.0"


Is there some way I can prevent this? These log entries don't tell me which script was actually exploited to get this PHP file onto my server.

Regards,
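
One way to pull the dropped files out of an access_log like the excerpt above, as an added example that is not part of the original thread: it flags POST requests to dot-prefixed `.php` files and separates the paths that answered from the ones that were only probed. The function names are hypothetical, the last sample line is constructed, and treating a 2xx status as "the file is present" is an assumption.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Last path component is a dot-prefixed .php file, e.g. /cgi-bin/.6645.php
HIDDEN_PHP_RE = re.compile(r'/\.[^/]+\.php$', re.IGNORECASE)

# First six lines are copied from the thread; the last one is a constructed benign request.
SAMPLE_LOG = [
    '31.184.244.18 - - [22/Jan/2013:02:03:28 -0800] "POST /.e13d.php HTTP/1.1" 404 433 "-" "-"',
    '31.184.244.18 - - [22/Jan/2013:02:03:30 -0800] "POST /anon_ftp/.e13d.php HTTP/1.1" 404 442 "-" "-"',
    '31.184.244.18 - - [22/Jan/2013:02:03:36 -0800] "POST /.6645.php HTTP/1.1" 404 433 "-" "-"',
    '31.184.244.18 - - [22/Jan/2013:02:03:38 -0800] "POST /cgi-bin/.6645.php HTTP/1.1" 200 622 "-" "-"',
    '31.184.244.18 - - [22/Jan/2013:02:03:49 -0800] "POST /.81c8.php HTTP/1.1" 200 61434 "-" "-"',
    '31.184.244.18 - - [22/Jan/2013:06:39:30 -0800] "POST /.81c8.php HTTP/1.1" 200 190 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Firefox/11.0"',
    '203.0.113.7 - - [22/Jan/2013:02:04:00 -0800] "POST /index.php HTTP/1.1" 200 5120 "-" "-"',
]

def find_hidden_php_posts(lines):
    """Return {path: {"hits": [...], "probes": [...]}} for POSTs to hidden PHP files."""
    report = defaultdict(lambda: {"hits": [], "probes": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not HIDDEN_PHP_RE.search(path):
            continue
        # Assumption: 2xx means the file was present and answered; anything else was a miss.
        kind = "hits" if m["status"].startswith("2") else "probes"
        report[path][kind].append((m["time"], m["ip"], int(m["status"])))
    return dict(report)

def files_to_inspect(report):
    """Paths that answered at least one POST successfully, sorted."""
    return sorted(p for p, r in report.items() if r["hits"])

if __name__ == "__main__":
    rep = find_hidden_php_posts(SAMPLE_LOG)
    for path in files_to_inspect(rep):
        for when, ip, status in rep[path]["hits"]:
            print(f"{status} {ip} [{when}] {path}")
```

The reported paths are relative to the vhost's document root; the owner and modification time of those files on disk are the next thing to compare against the upload and FTP logs.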
 