From owner-freebsd-isp@FreeBSD.ORG Thu Mar 3 15:44:02 2005
From: "Wolfpaw - Dale Corse"
To: "'Charles Hatvany'"
Cc: freebsd-isp@freebsd.org
Date: Thu, 3 Mar 2005 08:41:48 -0700
Message-ID: <000801c52007$830f8720$020a0a0a@wolf>
Subject: RE: Spammer on my system

suExec (for cgi and php) is your friend :)

At least you know where to look that way :)

D.

> -----Original Message-----
> From: owner-freebsd-isp@freebsd.org
> [mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Charles Hatvany
> Sent: Tuesday, March 01, 2005 6:13 PM
> To: darek@nyi.net
> Cc: freebsd-isp@freebsd.org
> Subject: Re: Spammer on my system
>
>
> Darek,
>
> Thank you. Found the bastard. Same IP (83.102.146.162) 196
> times to a guestbook.pl that isn't even used by the client's
> site. Chmod 000 guestbook.pl should hold him.
>
> Thanks again.
>
> Charles
>
> >>> Darek Milewski 03/01 5:49 PM >>>
> Charles Hatvany wrote:
>
> >Hi guys,
> >
> >This may not be the correct forum for this. My apologies if this is
> >the wrong place - could use direction.
> >
> >I have someone abusing one of our servers. The mails "originate" with
> >user "www".
> >
> >The log entry is like this:
> >
> >Feb 28 20:19:03 sixty sendmail[33993]: j211J29r033993: from=www,
> >size=7430, class=0, nrcpts=200,
> >msgid=<200503010119.j211J29r033993@sixty.hatvany.com>,
> >relay=www@localhost
> >
> >pxytest shows open proxies at port 25 and 587. The apache config file
> >has
> >
> >
> > Order Deny,Allow
> > Deny from all
> >
> >
> >If I reject relay for 127.0.0.1 - I stop him, but also all mail
> >originating on the server and on our web mail.
> >
> >Any ideas of what I should look for/do?
> >
> >Charles Hatvany
> >
>
> Most likely you have some type of a mailer script (like FormMail.pl)
> installed under Apache somewhere. Happens all the time in a webhosting
> environment. All you have to do is find it and disable it. Could also
> be called contact, or something similar. You might tail some access
> logs to look for frequent requests to a cgi file, or a php page.
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
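
The log check suggested in the thread above (look through the access logs for frequent requests to a CGI or PHP file), as an added example that is not part of the original messages. It assumes Apache Common/Combined Log Format on stdin; the function names, the threshold and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Rank (client IP, script) pairs in an Apache access log by hit count, to spot
# a CGI/PHP script being driven by one client. Reads the log on stdin.
# Assumes Common/Combined Log Format; names and thresholds are illustrative.

cgi_hot_spots() {
    min=${1:-50}    # report only pairs with at least this many hits
    awk -v min="$min" '
        {
            # The request line is the first double-quoted field:
            # "METHOD PATH PROTOCOL"
            if (split($0, q, "\"") < 3) next
            if (split(q[2], req, " ") < 2) next    # malformed request, e.g. "-"
            path = req[2]
            sub(/\?.*/, "", path)                  # ignore the query string
            if (path !~ /\.(pl|cgi|php)$/) next    # only script requests
            hits[$1 " " path]++                    # $1 is the client address
        }
        END {
            for (k in hits)
                if (hits[k] >= min) print hits[k], k
        }
    ' | sort -k1,1nr -k2
}

# Constructed sample log (documentation addresses, not data from the thread).
sample_log() {
    i=0
    while [ "$i" -lt 8 ]; do
        echo '203.0.113.7 - - [28/Feb/2005:20:19:03 -0500] "POST /cgi-bin/guestbook.pl HTTP/1.0" 200 512'
        i=$((i + 1))
    done
    echo '198.51.100.20 - - [28/Feb/2005:20:20:11 -0500] "POST /contact.php HTTP/1.1" 200 733'
    echo '198.51.100.20 - - [28/Feb/2005:20:21:40 -0500] "POST /contact.php HTTP/1.1" 200 733'
    echo '198.51.100.21 - - [28/Feb/2005:20:22:05 -0500] "GET /cgi-bin/guestbook.pl?page=2 HTTP/1.1" 200 4096'
    echo '198.51.100.21 - - [28/Feb/2005:20:22:06 -0500] "GET /index.html HTTP/1.1" 200 2048'
    echo '198.51.100.22 - - [28/Feb/2005:20:23:00 -0500] "-" 408 -'
}

# Demo: with a threshold of 5 only the client hammering guestbook.pl is listed.
sample_log | cgi_hot_spots 5
```

On a real server, feed it the virtual host's access log on stdin and compare the timestamps of the top entries with the sendmail log lines that show from=www.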