www-data PHP & Postfix emails

It all started with an email from my Linode server telling me

"Linode Alert - disk io rate".

After deleting manually many email messages using the following command:

# postsuper -d ALL deferred
postsuper: Deleted: 146 messages

I had to start finding the problem…

What almost solved the problem was creating PHP logs about emails:

# find . -name php.ini

; The path to a log file that will log all mail() calls. Log entries include
; the full path of the script, line number, To address and headers.
;mail.log =

mail.log = /var/log/php.mail.log

Changed permissions to /var/log/php.mail.log so that it can be written by everyone…

Then I was able to produce really useful output

There was a php script called sys09725827.php on both my WordPress and Drupal installations! I deleted the script and everything is fine now.

  • public_html/wp-includes/fonts/sys09725827.php
  • public_html/themes/bartik/css/sys09725827.php

The following link from Drupal.org helped a lot: https://drupal.org/SA-CORE-2013-003

Had to edit:

# cat /tmp/.htaccess
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
Deny from all
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006

# Override the handler again if we're run later in the evaluation list.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003

# If we know how to do it safely, disable the PHP engine entirely.

php_flag engine off