From owner-freebsd-isp@FreeBSD.ORG Wed Aug 15 17:25:47 2007
Message-ID: <46C33328.6050700@telcom.net>
Date: Wed, 15 Aug 2007 13:08:56 -0400
From: Arie Kachler
Organization: Telcom.Net
To: FreeBSD ISP
Subject: security question
Reply-To: akachler@telcom.net
List-Id: Internet Services Providers

Hello,

This may not be the best place to ask, but I know all readers of this list have security experience (we have no other choice).

We have many FreeBSD servers with apache/php/mysql. Recently, some of these have been sending out large amounts of emails. We know the servers are secure in the sense they are fully patched. But we also know that the most secure shared server can be abused by a badly written php script.

So my question is this: Is there a way to identify vulnerable php scripts? It's very difficult to pinpoint when the server starts sending out emails. We just notice that they do, without any identifiable correlation to anything on the logs.

A related question: Can we audit which php script is calling sendmail?

Any advice will be greatly appreciated.

Arie Kachler
Systems Administrator
Telcom.Net