Date: Sun, 26 Sep 2004 15:57:39 +0100
From: Peter Risdon <peter@circlesquared.com>
To: joe@jwebmedia.com
Cc: freebsd-questions@freebsd.org
Subject: Re: locating origin of spammer
Message-ID: <4156D8E3.2070203@circlesquared.com>
In-Reply-To: <52356.69.29.89.98.1096209680.squirrel@69.29.89.98>
References: <52356.69.29.89.98.1096209680.squirrel@69.29.89.98>

Joseph Koening (jWeb) wrote:
> I got up this morning and discovered that someone sent some spam through
> one of my servers. The messages were sent from the 'www' user on
> localhost, which is leading me to think somewhere someone has an insecure
> php or perl script that is allowing someone to designate the recipient,
> the subject, body, etc. I know the machine is not open-relay (I tested it
> to double check) and I checked to make sure no one had actually logged in.
> I grepped all of apache's log files looking for sites that received hits
> about the same time the mail started going out. What else can I do to find
> how the mail is being sent? Thanks,

My first act would be to search for formail.pl or variations thereof in
users' cgi-bins. There have been some hideous holes in some versions of
this Matt's Script Archive script.

Peter.

-- 
the circle squared
network systems and software
http://www.circlesquared.com
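
The search suggested in the reply above, together with the access-log check the original poster describes, as an added example that is not part of the original thread. The function names, the file-name patterns, the "formmail" content match and the Apache common/combined log layout are assumptions, and the sample tree and log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). The file-name patterns and the
# "formmail" content match are assumptions about how copies are named.

# List files under any cgi-bin below ROOT that are named like FormMail
# (formmail.pl, FormMail.cgi, formail.pl, form-mail.pl) or mention it inside,
# which also catches renamed copies.
find_formmail() {
    {
        find "$1" -type f -path '*/cgi-bin/*' \
            \( -iname 'form*mail*' -o -iname 'formail*' \) -print
        find "$1" -type f -path '*/cgi-bin/*' -exec grep -lis 'formmail' {} +
    } | sort -u
}

# Count POSTs per client and script in an Apache common/combined log
# ($1 client, $4 "[time", $6 "\"METHOD", $7 path). Optional second argument
# limits the count to a time prefix such as 26/Sep/2004:06.
posts_to_formmail() {
    awk -v t="${2:-}" '
        $6 == "\"POST" && index($4, "[" t) == 1 &&
        tolower($7) ~ /form?[-_]?mail.*[.](pl|cgi)/ {
            sub(/[?].*/, "", $7); n[$1 " " $7]++
        }
        END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Constructed sample: two user trees and a short access log.
make_sample() {
    mkdir -p "$1/alice/cgi-bin" "$1/bob/cgi-bin" "$1/bob/htdocs"
    echo '# FormMail Version (constructed stub)' > "$1/alice/cgi-bin/contact.pl"
    echo 'print "hi";' > "$1/bob/cgi-bin/FormMail.pl"
    echo 'print "ok";' > "$1/bob/cgi-bin/counter.pl"
    echo 'formmail notes' > "$1/bob/htdocs/readme.txt"
    cat > "$1/access.log" <<'EOF'
192.0.2.7 - - [26/Sep/2004:06:01:10 -0500] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 312
192.0.2.7 - - [26/Sep/2004:06:01:11 -0500] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 312
198.51.100.4 - - [26/Sep/2004:06:02:00 -0500] "GET /cgi-bin/counter.pl HTTP/1.0" 200 40
198.51.100.4 - - [25/Sep/2004:11:30:00 -0500] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 312
EOF
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); make_sample "$d"
    find_formmail "$d"; posts_to_formmail "$d/access.log" '26/Sep/2004:06'
    rm -rf "$d"
fi
```

Run with the argument `demo` to see both functions on the constructed data; on a real host, point `find_formmail` at the directory that holds the users' web trees and `posts_to_formmail` at each virtual host's access log.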