1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Apache Postfix botnet Spam?

Discussion in 'Plesk 11.x for Linux' started by Jayson, Jan 30, 2013.

  1. Jayson

    Jayson Basic Pleskian

    26
    23%
    Joined:
    May 10, 2005
    Messages:
    95
    Likes Received:
    0
    Hello,

    I have seen lots of spam in my postfix queue coming from apache with no php script listed.

    Jan 30 14:48:09 majestic postfix/qmgr[29260]: D11DEECD1F1: from=<>, size=11154, nrcpt=1 (queue active)
    <apache@majestic.domain.com>, relay=none, delay=0, delays=0/0/0/0, dsn=5.0.0, status=bounced (User unknown in virtual alias table)

    I can't find what script is responsible for sending it. I have looked through the maillog and access_log (apache) without luck.


    Can anyone suggest how to locate an offending script, or perhaps how to block this?

    Thank you,
     
  2. Jayson

    Jayson Basic Pleskian

    26
    23%
    Joined:
    May 10, 2005
    Messages:
    95
    Likes Received:
    0
    Found it. .81c8.php
     
  3. Jayson

    Jayson Basic Pleskian

    26
    23%
    Joined:
    May 10, 2005
    Messages:
    95
    Likes Received:
    0
    31.184.244.18 - - [22/Jan/2013:02:03:28 -0800] "POST /.e13d.php HTTP/1.1" 404 433 "-" "-"
    31.184.244.18 - - [22/Jan/2013:02:03:30 -0800] "POST /anon_ftp/.e13d.php HTTP/1.1" 404 442 "-" "-"
    31.184.244.18 - - [22/Jan/2013:02:03:36 -0800] "POST /.6645.php HTTP/1.1" 404 433 "-" "-"
    31.184.244.18 - - [22/Jan/2013:02:03:38 -0800] "POST /cgi-bin/.6645.php HTTP/1.1" 200 622 "-" "-"
    31.184.244.18 - - [22/Jan/2013:02:03:49 -0800] "POST /.81c8.php HTTP/1.1" 200 61434 "-" "-"

    31.184.244.18 - - [22/Jan/2013:06:39:30 -0800] "POST /.81c8.php HTTP/1.1" 200 190 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.16) Gecko/20120421 Firefox/11.0"


    Is there some way I can prevent this because these log entries don't tell me what actual script was exploited to get this php file on my server.

    Regards,
     
Loading...