
Debian Wheezy Compromised - www-data user is sending 1000 emails an hour




Hello,
I run my own site, and I do have postfix, apache, wordpress, and moinmoin installed. www-data is sending 100s of emails a minute. Either wordpress or moinmoin is compromised? How do I debug to find out where the problem is?

I'm watching the mail.log and I see a lot of "emails" being sent from my domain to other sites: hotmail.com, yahoo, mac.com, etc.

Looking at the logs I initially thought my postfix main.cf was set up incorrectly, but after verifying and testing everything I confirmed it was just fine. I then looked at syslog and I found that UID 33 was sending all these emails. UID 33 is www-data. This makes me believe either wordpress or moinmoin was compromised, or somehow it allows emails to be sent to "you@yahoo.com" from "famename@mydomain.com".

One way I could fix it is to block/reject any emails from the www-data user, or add sender restrictions to check "mail from" to see if it's valid. While this would be fine, the problem is still there. Either wordpress or moinmoin on debian wheezy is compromised and can be used to send out 1000s of spam emails.

What can I do to find out "which part of the code" is calling the sendmail, or postfix pickup program?

Dec 11 20:51:22 myserver postfix/pickup[15547]: A9C91AE012: uid=33 from=<joanne_mccall@mydomain.com>
....
Dec 11 20:52:05 myserver postfix/pickup[15547]: B2972AE030: uid=33 from=<pam_hendrix@mydomain.com>
Dec 11 20:52:05 myserver postfix/cleanup[17248]: B2972AE030: message-id=<20131212025205.B2972AE030@mydomain.com>
Dec 11 20:52:06 myserver postfix/qmgr[31735]: B2972AE030: from=<pam_hendrix@mydomain.com>, size=678, nrcpt=1 (queue active)

I've increased the debug mode for postfix, but it does not generate any useful info other than what I know already.


Thank you
Lucas
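An added example, not part of the original post, of one way to answer the question above. A postfix/pickup line that carries "uid=33" means the message was handed in locally through the sendmail binary rather than over SMTP, so whatever calls that program can be recorded by putting a logging wrapper in front of it. PHP's mail() runs the program named by the sendmail_path directive in php.ini, and MoinMoin runs the one named by mail_sendmail in wikiconfig.py; pointing both at this wrapper leaves /usr/sbin/sendmail itself untouched. The wrapper's file name, the log path under /var/tmp and the set of environment variables it captures are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the original poster's code): a logging stand-in for
# /usr/sbin/sendmail. Every invocation records the uid, the calling process,
# its parent, their working directories and command lines, then hands the
# message to the real sendmail unchanged.
#
# Assumed installation (hypothetical paths):
#   install -m 755 this-script /usr/local/sbin/sendmail-trace
#   touch /var/tmp/sendmail-callers.log; chmod 666 /var/tmp/sendmail-callers.log
#   php.ini:        sendmail_path = /usr/local/sbin/sendmail-trace -t -i
#   wikiconfig.py:  mail_sendmail = "/usr/local/sbin/sendmail-trace -t -i"

REAL_SENDMAIL=${REAL_SENDMAIL:-/usr/sbin/sendmail}
LOGFILE=${LOGFILE:-/var/tmp/sendmail-callers.log}

# proc_info PID: "cwd=<dir> cmd=[<argv>]" for a process, read from /proc.
# The working directory of a PHP process is normally the directory of the
# script being run, which is what we want to learn.
proc_info() {
    cwd=$(readlink "/proc/$1/cwd" 2>/dev/null || true)
    cmd=$(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null || true)
    printf 'cwd=%s cmd=[%s]' "${cwd:-?}" "${cmd:-?}"
}

# parent_of PID: the parent PID, field 4 of /proc/PID/stat. The text up to
# the closing parenthesis is dropped first because the command name in
# parentheses may itself contain spaces.
parent_of() {
    awk '{ sub(/^.*\) /, ""); print $2 }' "/proc/$1/stat" 2>/dev/null || true
}

# caller_record PPID [sendmail args...]: one log line naming the caller and
# its parent. PHP's mail() usually goes through "sh -c", so the grandparent
# of the wrapper (the parent of PPID) is often the process to look at.
# Web-server variables such as SCRIPT_FILENAME only appear in the
# environment under CGI/FastCGI setups; under mod_php they are absent.
caller_record() {
    ppid=$1; shift
    gppid=$(parent_of "$ppid")
    webenv=$(env | grep -E '^(SCRIPT_FILENAME|REQUEST_URI|REMOTE_ADDR|PWD)=' | tr '\n' ' ' || true)
    printf '%s uid=%s pid=%s %s | parent=%s %s | env=%s | args=%s\n' \
        "$(date '+%b %d %H:%M:%S')" "$(id -u)" "$ppid" "$(proc_info "$ppid")" \
        "${gppid:-?}" "$(proc_info "${gppid:-0}")" "$webenv" "$*"
}

# Act as the wrapper only when invoked under the name it is installed as;
# under any other name (for instance when sourced for testing) the
# functions above are merely defined. Do not install this in place of
# /usr/sbin/sendmail itself: mailq and newaliases reach that binary under
# their own names and it decides what to do from argv[0].
case "$(basename -- "$0")" in
    sendmail-trace)
        caller_record "$PPID" "$@" >> "$LOGFILE" 2>/dev/null || true
        exec "$REAL_SENDMAIL" "$@"
        ;;
esac
```

After a few minutes of spam the log shows, for each message, the working directory and command line of the process that sent it, which usually points straight at a PHP file under the WordPress tree or at a MoinMoin action. PHP 5.3 and later also offer two lighter-weight knobs in php.ini, mail.add_x_header = On (adds an X-PHP-Originating-Script header naming the script) and mail.log = /path/to/file (logs every mail() call with its caller); both only help when the spam goes through mail(). If the wrapper log stays empty while pickup keeps reporting uid=33, the code is executing /usr/sbin/sendmail directly, bypassing both PHP's and MoinMoin's configured path, and the binary itself has to be fronted, with the mailq/newaliases caveat in the comments above.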

