From owner-freebsd-security@FreeBSD.ORG Thu Aug 11 13:32:25 2005
From: Ken Hawkins <ken@rosewoodblues.com>
To: freebsd-security@freebsd.org
Date: Thu, 11 Aug 2005 09:32:22 -0400
Subject: newbie with www user security problem
Message-Id: <97525439-C809-4E69-B191-F29585A1A71B@rosewoodblues.com>
List-Id: "Security issues [members-only posting]" (freebsd-security@freebsd.org)

Many, MANY apologies up front if I have sent this to the wrong place! I am inherently a software engineer who now gets to monitor a mail server (don't ask).
Anyway, I got an email message from a user alerting me that we have been hacked by a spammer, and the mail message header is:

------------- Forwarded message follows -------------
X-Auth-No:
Return-Path:
Received: from web1.prosoundweb.com [64.73.50.193] by compudox.com with Novonyx SMTP Server $Revision: 2.75.1.9 $; Wed, 10 Aug 2005 14:25:40 -0700 (PDT)
Received: from web1.prosoundweb.com (localhost.prosoundweb.com [127.0.0.1]) by web1.prosoundweb.com (8.13.3/8.13.3) with ESMTP id j7AJiZZF016410; Wed, 10 Aug 2005 14:47:04 -0500 (CDT) (envelope-from www@web1.prosoundweb.com)
Received: (from www@localhost) by web1.prosoundweb.com (8.13.3/8.13.3/Submit) id j7AINncm031958; Wed, 10 Aug 2005 13:23:49 -0500 (CDT) (envelope-from www)
To: webmaster@prosoundweb.com
Subject: All warez and porno in one place
Reply-to: webmaster@prosoundweb.com
From: webmaster@prosoundweb.com
Message-ID:
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8bit
Date: Wed, 10 Aug 2005 13:23:49 -0500
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-AntiAbuse: Board servername - srforum.prosoundweb.com
X-AntiAbuse: User_id - 2
X-AntiAbuse: Username - admin
X-AntiAbuse: User IP - 62.105.6.113

It appears that someone has hacked the www password. At least I think so, and here is where the questions start....

Am I correct in thinking that someone has hacked the www password and has used the phpBB2 functionality (forum nightmare) to send spam mail out?

What can I do about it other than have the www password changed? If I change it, will this action at least deter the spammer? What else will this affect by changing the password?

Can anyone shoot me a URL / example / explanation of how to button up this hole?

THANK YOU, THANK YOU, THANK YOU in advance!

ken;
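Added example, not code from the original post, from FreeBSD or from phpBB: a small Python header triage that reads the forwarded headers quoted above (embedded here as a constructed sample, body omitted) and reports where the message entered the mail system. The thing to read first in a sample like this is the earliest Received line. Here it is a sendmail "/Submit" hop of the form "(from www@localhost)", which is what sendmail writes when a local process running as the Unix user www pipes a message into it, and the message also carries "X-Mailer: PHP" and phpBB2's "X-AntiAbuse" lines, which record the forum account (admin, user id 2) and the client IP that triggered the send. Nothing in that chain involves an SMTP login as www; it is the web server's own process submitting mail. The regexes, function names, verdict strings and the second "relayed" sample are this example's own conventions; it also classifies an ordinary network hop so the two cases can be told apart.

```python
"""Triage a spam sample's headers: relayed in over SMTP, or handed to the
local MTA by a process on the web server itself (e.g. a PHP script running
as the www user)?

Added example; not code from the original post, FreeBSD or phpBB.  SAMPLE is
reconstructed from the headers quoted in the post (body omitted); RELAYED is
a constructed counter-example using documentation addresses.
"""
import email
import re

SAMPLE = """\
Received: from web1.prosoundweb.com (localhost.prosoundweb.com [127.0.0.1])
\tby web1.prosoundweb.com (8.13.3/8.13.3) with ESMTP id j7AJiZZF016410;
\tWed, 10 Aug 2005 14:47:04 -0500 (CDT)
\t(envelope-from www@web1.prosoundweb.com)
Received: (from www@localhost)
\tby web1.prosoundweb.com (8.13.3/8.13.3/Submit) id j7AINncm031958;
\tWed, 10 Aug 2005 13:23:49 -0500 (CDT)
\t(envelope-from www)
To: webmaster@prosoundweb.com
Subject: All warez and porno in one place
From: webmaster@prosoundweb.com
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-AntiAbuse: Board servername - srforum.prosoundweb.com
X-AntiAbuse: User_id - 2
X-AntiAbuse: Username - admin
X-AntiAbuse: User IP - 62.105.6.113

(body omitted)
"""

# Constructed: a message that arrived over the network instead.
RELAYED = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby web1.prosoundweb.com (8.13.3/8.13.3) with ESMTP;
\tWed, 10 Aug 2005 15:00:00 -0500 (CDT)
From: someone@example.net
To: webmaster@prosoundweb.com
Subject: constructed relayed sample

(body omitted)
"""

# Earliest hop written by sendmail's submission (MSA) instance when a local
# Unix account pipes mail in: "(from USER@localhost) by HOST (.../Submit) ..."
LOCAL_SUBMIT = re.compile(
    r"^\(from (?P<user>[^@\s]+)@localhost\) by (?P<host>\S+) \([^)]*/Submit\)")
# Earliest hop received over the network, with or without a reverse-DNS name:
# "from HELO (RDNS [IP]) by HOST" or "from HELO [IP] by HOST"
SMTP_HOP = re.compile(
    r"^from (?P<helo>\S+) (?:\((?P<rdns>[^\s\[\]]*) ?)?\[(?P<ip>[^\]]+)\]\)? by (?P<host>\S+)")


def _unfold(value):
    """Collapse a folded header value onto one line with single spaces."""
    return " ".join(str(value).split())


def triage(raw_message):
    """Describe where the message entered the mail system.

    origin is 'local-submission' (a local Unix user handed it to the MTA),
    'smtp-relay' (it came in over the network) or 'unknown'.
    """
    msg = email.message_from_string(raw_message)
    # MTAs prepend Received headers, so the last one is the earliest hop.
    hops = [_unfold(v) for v in msg.get_all("Received", [])]
    first_hop = hops[-1] if hops else ""

    # phpBB2 stamps these itself; they are the web app's view of the sender.
    antiabuse = {}
    for value in msg.get_all("X-AntiAbuse", []):
        key, sep, val = _unfold(value).partition(" - ")
        if sep:
            antiabuse[key] = val

    result = {
        "origin": "unknown",
        "first_hop": first_hop,
        "submitting_unix_user": None,   # set for local submissions
        "peer_ip": None,                # SMTP client of the earliest hop
        "mailer": msg.get("X-Mailer"),
        "antiabuse": antiabuse,
        "web_client_ip": antiabuse.get("User IP"),
    }
    m = LOCAL_SUBMIT.match(first_hop)
    if m:
        result["origin"] = "local-submission"
        result["submitting_unix_user"] = m.group("user")
    else:
        m = SMTP_HOP.match(first_hop)
        if m:
            result["origin"] = "smtp-relay"
            result["peer_ip"] = m.group("ip")
    return result


def verdict(result):
    """One-line reading of a triage() result for the incident note."""
    if result["origin"] == "local-submission":
        app = "a PHP script" if result["mailer"] == "PHP" else "a local process"
        line = "generated on the server itself by %s running as Unix user '%s'" % (
            app, result["submitting_unix_user"])
        if result["antiabuse"]:
            line += "; the web app attributes it to account '%s' (id %s) from %s" % (
                result["antiabuse"].get("Username"),
                result["antiabuse"].get("User_id"), result["web_client_ip"])
        return line
    if result["origin"] == "smtp-relay":
        return "relayed in over SMTP from %s" % result["peer_ip"]
    return "origin not determined from Received headers"


if __name__ == "__main__":
    for sample in (SAMPLE, RELAYED):
        print(verdict(triage(sample)))
```

Run against the quoted headers this reports a local submission by www from a PHP script, attributed by the forum to the admin account from 62.105.6.113; the constructed RELAYED sample reports an SMTP relay from 192.0.2.10. In a real investigation the next step is the web server's access log around the timestamp in the Submit hop, keyed on that client IP, to see which forum page or script triggered the send.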