Webserver spamming with postfix user www-data

So it’s a bit of a strange header, but i ran into this little problem the day earlier and didn’t find a simple solution online.
Although the solution is quite simple, i was just looking in the wrong place.
So the thing happend that my mailserver was spamming, and i couldn’t locate the source. It seemed that a certain someone/something uploaded a .php file and this file was overloading the server with e-mails.

To get to the bottom, you should look at your mailq and clean it up. My messages were very easy to find, because the sending e-mailadres was: www-data@{server hostname}.com.
After cleaning up the mailq, i started looking trought the logs, which was a mistake.
I finally found out by using this method:
Go to the mailserver, and look inside the mailq

Find a message that looks odd, in my case a message to the domain @workman.co.uk

Now do a postcat -vq on the message. Replacing my messge id with your own ofcource.
-v means verbose, showing all the data
and -q means search the postfix queue instead of a file.
postcat -vq 07581C812E
Below the message contents, you will find a X-PHP-Originating-script line:
regular_text: X-PHP-Originating-Script: 33:match.php

In my case the script sending all the spam was “match.php”
I quickly search the webserver by doing:

And search for the file
locate match.php

The result, was a old Joomla website someon forgot the clean-up.
After deleting the entire joomla website, i did a quick check with rkhunter so i’d know they didn’t do more damage.
rkhunter --check

Everything was fine.

Leave a comment

Your email address will not be published. Required fields are marked *