From owner-freebsd-questions@FreeBSD.ORG Sun Sep 26 18:50:04 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0BE8E16A4CE for ; Sun, 26 Sep 2004 18:50:04 +0000 (GMT)
Received: from o2.hostbaby.com (o2.hostbaby.com [208.187.29.121]) by mx1.FreeBSD.org (Postfix) with SMTP id C4C9343D3F for ; Sun, 26 Sep 2004 18:50:03 +0000 (GMT) (envelope-from ceo@l-i-e.com)
Received: (qmail 46617 invoked by uid 1001); 26 Sep 2004 18:50:05 -0000
Received: from 67.167.52.21 (SquirrelMail authenticated user ceo@l-i-e.com); by www.l-i-e.com with HTTP; Sun, 26 Sep 2004 11:50:05 -0700 (PDT)
Message-ID: <3394.67.167.52.21.1096224605.squirrel@www.l-i-e.com>
In-Reply-To: <52356.69.29.89.98.1096209680.squirrel@69.29.89.98>
References: <52356.69.29.89.98.1096209680.squirrel@69.29.89.98>
Date: Sun, 26 Sep 2004 11:50:05 -0700 (PDT)
From: "Richard Lynch"
To: joe@jwebmedia.com
User-Agent: Hostbaby Webmail
X-Mailer: Hostbaby Webmail
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
cc: freebsd-questions@freebsd.org
Subject: Re: locating origin of spammer
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: ceo@l-i-e.com
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 26 Sep 2004 18:50:04 -0000

Joseph Koening (jWeb) wrote:
> I got up this morning and discovered that someone sent some spam through
> one of my servers. The messages were sent from the 'www' user on
> localhost, which is leading me to think somewhere someone has an insecure
> php or perl script that is allowing someone to designate the recipient,
> the subject, body, etc. I know the machine is not open-relay (I tested it
> to double check) and I checked to make sure no one had actually logged in.
> I grepped all of apache's log files looking for sites that received hits
> about the same time the mail started going out. What else can I do to find
> how the mail is being sent? Thanks,

While this has been resolved for the original poster, for the next guy who
has this problem...

For PHP, one could do something like:

grep "mail.*\(" /path/to/htdocs

and find mostly all of the places somebody is using PHP's internal
http://php.net/mail function.

I did that soon after the formmail alert, and made sure that I was cleaning
all the input.

Of course, if some user is doing this maliciously rather than from
ignorance, they could use "mail\n(" and this grep wouldn't find it...

A grep expert could probably suggest a better expression to use.

-- 
Like Music?
http://l-i-e.com/artists.htm
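The grep in the reply above only catches calls written as `mail(` on a single line. The following script is an added example, not part of the original thread and not a FreeBSD or PHP tool: it audits a document root for PHP mail() call sites and also reports the `mail\n(` form the reply says a plain grep misses, while ignoring identifiers that merely end in "mail" (such as `sendmail_wrapper(`). It assumes a POSIX sh with `find` and `awk`; the directory layout and the three sample scripts it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread: audit a document root for
# PHP mail() call sites, including the "mail\n(" form that a single-line grep
# misses. Assumes POSIX sh, find and awk; the sample tree below is constructed.

# Print every suspected mail() call as "file:line: source line".
# $1: directory to scan (e.g. the web server's document root)
find_mail_calls() {
  find "$1" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.phtml' \) -print |
  while IFS= read -r f; do
    awk -v file="$f" '
      # the word "mail", optional whitespace, then "(" on one line; the leading
      # class rejects identifiers that merely end in "mail" (sendmail_wrapper, $mailer)
      /(^|[^A-Za-z0-9_])mail[[:space:]]*\(/ { print file ":" NR ": " $0 }
      # previous line ended with the bare word "mail" and this one opens with "("
      pending && /^[[:space:]]*\(/ { print file ":" (NR - 1) ": " prev "  [call split across lines]" }
      { pending = ($0 ~ /(^|[^A-Za-z0-9_])mail[[:space:]]*$/); prev = $0 }
    ' "$f"
  done
}

# Constructed sample tree: two form handlers that call mail() and one clean file.
# $1: directory to populate
make_sample_tree() {
  mkdir -p "$1/htdocs/forms" "$1/htdocs/lib"
  cat > "$1/htdocs/forms/contact.php" <<'EOF'
<?php
// constructed sample: untrusted form fields handed straight to the mailer
$to = $_POST['to'];
mail($to, $_POST['subject'], $_POST['body']);
EOF
  cat > "$1/htdocs/forms/sneaky.php" <<'EOF'
<?php
mail
  ($_GET['t'], 'hello', $_GET['b']);
EOF
  cat > "$1/htdocs/lib/clean.php" <<'EOF'
<?php
// constructed sample: names that merely end in "mail" are not the PHP mailer
sendmail_wrapper($msg);
$mailer->send($msg);
$label = 'mail';
EOF
}

# Stand-alone demonstration: build the sample tree in a temp dir, scan it, clean up.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
find_mail_calls "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a real document root with `find_mail_calls /path/to/htdocs` and review each reported line for where the recipient, subject and headers come from; a hit inside a comment is a harmless false positive, whereas a call fed from request data is exactly the kind of script the original poster was looking for.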