From owner-freebsd-isp@FreeBSD.ORG Wed Aug 15 21:03:00 2007
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D298916A418 for ; Wed, 15 Aug 2007 21:03:00 +0000 (UTC) (envelope-from cswiger@mac.com)
Received: from mail-out3.apple.com (mail-out3.apple.com [17.254.13.22]) by mx1.freebsd.org (Postfix) with ESMTP id B973913C48E for ; Wed, 15 Aug 2007 21:03:00 +0000 (UTC) (envelope-from cswiger@mac.com)
Received: from relay7.apple.com (relay7.apple.com [17.128.113.37]) by mail-out3.apple.com (Postfix) with ESMTP id A4121E95BC2; Wed, 15 Aug 2007 14:03:00 -0700 (PDT)
Received: from relay7.apple.com (unknown [127.0.0.1]) by relay7.apple.com (Symantec Mail Security) with ESMTP id 8FB66304BC; Wed, 15 Aug 2007 14:03:00 -0700 (PDT)
X-AuditID: 11807125-a3220bb0000007e5-f0-46c36a04a14d
Received: from [17.214.13.96] (cswiger1.apple.com [17.214.13.96]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by relay7.apple.com (Apple SCV relay) with ESMTP id 7C45330084; Wed, 15 Aug 2007 14:03:00 -0700 (PDT)
In-Reply-To: <46C33328.6050700@telcom.net>
References: <46C33328.6050700@telcom.net>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id:
Content-Transfer-Encoding: 7bit
From: Chuck Swiger
Date: Wed, 15 Aug 2007 14:02:59 -0700
To: akachler@telcom.net
X-Mailer: Apple Mail (2.752.2)
X-Brightmail-Tracker: AAAAAA==
Cc: FreeBSD ISP
Subject: Re: security question
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 15 Aug 2007 21:03:00 -0000

On Aug 15, 2007, at 10:08 AM, Arie Kachler wrote:
> We have many FreeBSD servers with apache/php/mysql.
> Recently, some of these have been sending out large amounts of
> emails. We know the servers are secure in the sense they are fully
> patched. But we also know that the most secure shared server can be
> abused by a badly written php script.

Certainly anyone with access to create new scripts can misuse the
available resources, agreed.

> So my question is this:
> Is there a way to identify vulnerable php scripts?

I tend to assume that all PHP scripts are vulnerable, and history
tends to support the notion that PHP has a miserable security track
record.

> It's very difficult to pinpoint when the server starts sending out
> emails. We just notice that they do, without any identifiable
> correlation to anything on the logs.
>
> A related question:
> Can we audit which php script is calling sendmail?

Well, you could set up your mailserver to require that users must
authenticate via SMTP AUTH before they are allowed to relay email.
This would mean that the PHP scripts would need to authenticate as a
particular user account, which would then let you see which scripts
are generating the mail. It would also help block malicious scripts
which have not been set up to auth before sending the email...

-- 
-Chuck
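The attribution step Chuck describes (one SMTP AUTH account per PHP application, then read the mail log by account) can be automated. The script below is an added example, not part of the original message or of any FreeBSD or PHP project code. It assumes a Postfix-style mail log, where an authenticated submission is logged by smtpd with "sasl_username=" and the queue manager logs "nrcpt=" per message, and it assumes account names such as "shop-php" and "blog-php" were handed out per application; the log lines are constructed for the example, and the recipient threshold is an arbitrary choice.

```python
"""Attribute outbound mail to per-script SMTP AUTH accounts from a mail log.

Added example (not from the mailing-list post). Assumptions: Postfix-format
logging, one SASL account per PHP application, relay allowed only after
SMTP AUTH so that unauthenticated scripts show up as relay rejections.
"""
import re
from collections import defaultdict

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """\
Aug 15 13:01:02 mx1 postfix/smtpd[1234]: A1B2C3: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=shop-php
Aug 15 13:01:02 mx1 postfix/qmgr[1200]: A1B2C3: from=<orders@example.com>, size=2048, nrcpt=1 (queue active)
Aug 15 13:01:05 mx1 postfix/smtpd[1234]: D4E5F6: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=blog-php
Aug 15 13:01:05 mx1 postfix/qmgr[1200]: D4E5F6: from=<noreply@example.com>, size=900, nrcpt=1 (queue active)
Aug 15 13:01:06 mx1 postfix/smtpd[1234]: 0A1B2C: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=blog-php
Aug 15 13:01:06 mx1 postfix/qmgr[1200]: 0A1B2C: from=<noreply@example.com>, size=950, nrcpt=250 (queue active)
Aug 15 13:01:07 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<spam@example.org> to=<victim@example.net>
"""

# smtpd line for an authenticated client: ties a queue id to a SASL account.
SMTPD_AUTH = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+, "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)"
)
# qmgr line: sender and recipient count for the same queue id.
QMGR = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, "
    r"size=\d+, nrcpt=(?P<nrcpt>\d+)"
)
# A script that never authenticated gets this reject once relaying
# requires SMTP AUTH; counting these shows the control doing its job.
RELAY_DENIED = re.compile(r"Relay access denied")


def attribute_mail(log_text):
    """Return ({account: {"messages": n, "recipients": m}}, relay_rejects)."""
    owner = {}  # queue id -> SASL account that submitted it
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0})
    relay_rejects = 0
    for line in log_text.splitlines():
        m = SMTPD_AUTH.search(line)
        if m:
            owner[m["qid"]] = m["user"]
            continue
        m = QMGR.search(line)
        if m:
            # Mail that reached the queue without a SASL login (e.g. local
            # sendmail injection) is lumped under a sentinel account.
            user = owner.get(m["qid"], "<unauthenticated>")
            stats[user]["messages"] += 1
            stats[user]["recipients"] += int(m["nrcpt"])
            continue
        if RELAY_DENIED.search(line):
            relay_rejects += 1
    return dict(stats), relay_rejects


def flag_accounts(stats, max_recipients=100):
    """Accounts whose total recipient count exceeds the (arbitrary) limit."""
    return sorted(u for u, s in stats.items() if s["recipients"] > max_recipients)


if __name__ == "__main__":
    per_account, rejects = attribute_mail(SAMPLE_LOG)
    for account, s in sorted(per_account.items()):
        print(f"{account:20s} messages={s['messages']:4d} recipients={s['recipients']:5d}")
    print(f"relay attempts rejected (no SMTP AUTH): {rejects}")
    print("over threshold:", flag_accounts(per_account))
```

Run it against your own mail log instead of SAMPLE_LOG once each application has its own account. The "Relay access denied" counter only appears if relaying is gated on authentication rather than on the client address; on Postfix that means listing permit_sasl_authenticated before reject_unauth_destination in the recipient restrictions and not whitelisting localhost with permit_mynetworks, otherwise every script on the box can still relay without logging in.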