Date:      Tue, 01 Mar 2005 20:12:50 -0500
From:      "Charles Hatvany" <Charles@hatvany.com>
To:        darek@nyi.net
Cc:        freebsd-isp@freebsd.org
Subject:   Re: Spammer on my system
Message-ID:  <s224cceb.046@hatvany.com>

Darek,

Thank you.  Found the bastard.  Same IP (83.102.146.162) 196 times to a
guestbook.pl that isn't even used by the client's site.  Chmod 000
guestbook.pl should hold him.

Thanks again.

Charles

>>> Darek Milewski <darek@nyi.net> 03/01 5:49 PM >>>
Charles Hatvany wrote:

>Hi guys,
>
>This may not be the correct forum for this.  My apologies if this is the
>wrong place - could use direction.
>
>I have someone abusing one of our servers.  The mails "originate" with
>user "www".
>
>The log entry is like this:
>
>Feb 28 20:19:03 sixty sendmail[33993]: j211J29r033993: from=www,
>size=7430, class=0, nrcpts=200,
>msgid=<200503010119.j211J29r033993@sixty.hatvany.com>, relay=www@localhost
>
>pxytest shows open proxies at port 25 and 587.  The apache config file has
>
><Directory proxy:*>
>        Order Deny,Allow
>        Deny from all
></Directory>
>
>If I reject relay for 127.0.0.1 - I stop him, but also all mail
>originating on the server and on our web mail.
>
>Any ideas of what I should look for/do?
>
>Charles Hatvany
>
>

Most likely you have some type of a mailer script (like FormMail.pl)
installed under Apache somewhere.  Happens all the time in a webhosting
environment.  All you have to do is find it and disable it.  Could also
be called contact, or something similar.  You might tail some access
logs to look for frequent requests to a cgi file, or a php page.
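
The access-log check suggested above, as an added example that is not part of the original messages: it counts requests per client, method and CGI/PHP script and reports the heavy hitters. It assumes Apache common/combined log format; the sample lines, the documentation-range IP addresses, the /cgi-bin/ prefix, the function names and the threshold of 50 are all constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined format:
#   host ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Script types named in the thread: Perl/CGI mailers and PHP pages.
SCRIPT_RE = re.compile(r'\.(?:pl|cgi|php)$', re.IGNORECASE)


def script_hits(lines):
    """Count requests per (client IP, method, script path)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip truncated or malformed lines
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if SCRIPT_RE.search(path):
            hits[(m.group("ip"), m.group("method"), path)] += 1
    return hits


def suspects(lines, threshold=50):
    """Return (ip, method, path, count) rows at or above threshold, busiest first."""
    return [(ip, method, path, n)
            for (ip, method, path), n in script_hits(lines).most_common()
            if n >= threshold]


# Constructed sample log: one client hammering a guestbook script,
# plus ordinary traffic and one malformed line.
SAMPLE = (
    ['192.0.2.10 - - [28/Feb/2005:20:18:%02d -0500] '
     '"POST /cgi-bin/guestbook.pl HTTP/1.0" 200 512' % (i % 60)
     for i in range(196)]
    + ['198.51.100.7 - - [28/Feb/2005:20:19:01 -0500] "GET /index.html HTTP/1.1" 200 4096',
       '198.51.100.7 - - [28/Feb/2005:20:19:02 -0500] "GET /contact.php?id=3 HTTP/1.1" 200 900',
       '198.51.100.7 - - [28/Feb/2005:20:19:09 -0500] "GET /contact.php HTTP/1.1" 200 900',
       'truncated line without a request field']
)

if __name__ == "__main__":
    for ip, method, path, count in suspects(SAMPLE):
        print("%6d  %-4s %-15s %s" % (count, method, ip, path))
```

To run it against a real log, pass `open(path_to_access_log)` to `suspects()` in place of `SAMPLE`.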




