You are here
kogh - Fri, 2017/01/13 - 11:12
Hi I have a TurnkeyLinux server joomla25 3.2.0-4-amd64. For some time I have a problem with the server postfix. Send a lot of spam. The reason was probably by infected joomla page. I removed infected page and stop apache server but the problem has not gone away. I have a question on how to check what sends so much spam. Maybe postfix is infected? When I turn postfix (postfix start) i have immediately a lot of processes like:
postfix 5929 0.0 0.1 39964 2404 ? S 09:34 0:00 \_ pickup -l -t fifo -u -c postfix 5930 1.4 0.1 40536 3052 ? D 09:34 0:00 \_ qmgr -l -t fifo -u postfix 5937 0.2 0.1 39976 2420 ? S 09:34 0:00 \_ trivial-rewrite -n rewrite -t unix -u -c postfix 5941 0.0 0.1 44268 2696 ? S 09:34 0:00 \_ smtp -t unix -u -c ... postfix 6005 0.0 0.1 44268 2696 ? S 09:34 0:00 \_ smtp -t unix -u -c postfix 6006 0.2 0.1 39996 2416 ? S 09:34 0:00 \_ bounce -z -n defer -t unix -u -c postfix 6007 0.2 0.1 44268 2812 ? S 09:34 0:00 \_ smtp -t unix -u -c ... postfix 6010 0.0 0.1 44268 2824 ? S 09:34 0:00 \_ smtp -t unix -u -c postfix 6011 0.0 0.1 39996 2416 ? S 09:34 0:00 \_ bounce -z -n defer -t unix -u -c postfix 6012 0.0 0.1 44268 2828 ? S 09:34 0:00 \_ smtp -t unix -u -c ... postfix 6020 0.0 0.1 44268 2692 ? S 09:34 0:00 \_ smtp -t unix -u -c postfix 6021 0.0 0.1 39996 2420 ? S 09:34 0:00 \_ bounce -z -n defer -t unix -u -c postfix 6022 0.0 0.1 39996 2420 ? S 09:34 0:00 \_ bounce -z -n defer -t unix -u -c postfix 6023 0.0 0.1 39996 2420 ? S 09:34 0:00 \_ bounce -z -n defer -t unix -u -c postfix 6024 0.0 0.1 44268 2816 ? S 09:34 0:00 \_ smtp -t unix -u -c postfix 6025 0.0 0.1 39996 2416 ? S 09:34 0:00 \_ bounce -z -n defer -t unix -u -c postfix 6026 0.0 0.1 39996 2420 ? D 09:34 0:00 \_ bounce -z -n defer -t unix -u -c postfix 6027 0.0 0.1 39996 2416 ? S 09:34 0:00 \_ bounce -z -n defer -t unix -u -c postfix 6028 0.0 0.1 39996 2416 ? S 09:34 0:00 \_ bounce -z -n defer -t unix -u -c postfix 6029 0.0 0.1 39996 2416 ? S 09:34 0:00 \_ bounce -z -n defer -t unix -u -c postfix 6030 0.0 0.1 39996 2416 ? S 09:34 0:00 \_ bounce -z -n defer -t unix -u -c postfix 6031 0.0 0.1 39996 2420 ? S 09:34 0:00 \_ bounce -z -n defer -t unix -u -c postfix 6032 0.0 0.1 39960 2400 ? S 09:34 0:00 \_ error -n retry -t unix -u -c postfix 6033 0.0 0.1 39960 2404 ? S 09:34 0:00 \_ error -n retry -t unix -u -c postfix 6034 0.0 0.1 39960 2400 ? S 09:34 0:00 \_ error -n retry -t unix -u -c postfix 6035 0.0 0.1 39960 2400 ? S 09:34 0:00 \_ error -n retry -t unix -u -c postfix 6036 0.0 0.1 39960 2400 ? S 09:34 0:00 \_ error -n retry -t unix -u -c postfix 6037 0.0 0.1 39960 2404 ? S 09:34 0:00 \_ error -n retry -t unix -u -c postfix 6038 0.0 0.1 39960 2400 ? S 09:34 0:00 \_ error -n retry -t unix -u -c postfix 6039 0.0 0.1 39960 2400 ? S 09:34 0:00 \_ error -n retry -t unix -u -c postfix 6040 0.0 0.1 39964 2400 ? S 09:34 0:00 \_ scache -l -t unix -u -c
My main.cf looks like:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = localhost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localdomain, localhost, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = localhost
Forum:
Tags:
TBH I have limited experience with Postfix
You can see what is in the mail queue like this:
That should display a list of all queued mail and each message should have a unique ID. If you wish to read any of the emails (which may assist you to see where they may be coming from) then you can do that like this:
If you would like to delete individual messages from the queue, do that like this:
To remove all mail from the queue:
To remove all mails in the deferred queue:
To find out more stuff that postuser can do:Beyond that I'm not really sure. I doubt that postfix itself is infected, but you may have some other malware running (e.g. a rogue service that a hacker has installed?) that is sending out emails? Perhaps there is still some infected Joomla page(s)? Or perhaps there is a vulnerability in the version of Joomla you are using which is repeatedly being exploited? E.g. perhaps you have cleared the infection from one page, but another has been reinfected in the meantime?
Queue
Thanks Jeremy, it helps :-) I remove over 50000 mails from queue.
Add new comment