Date: Thu, 3 Mar 2005 08:41:48 -0700
From: "Wolfpaw - Dale Corse" <admin-lists@wolfpaw.net>
To: "'Charles Hatvany'" <Charles@hatvany.com>, <darek@nyi.net>
Cc: freebsd-isp@freebsd.org
Subject: RE: Spammer on my system
Message-ID: <000801c52007$830f8720$020a0a0a@wolf>
In-Reply-To: <s224cceb.046@hatvany.com>

suExec (for cgi and php) is your friend :)

At least you know where to look that way :)

D.

> -----Original Message-----
> From: owner-freebsd-isp@freebsd.org
> [mailto:owner-freebsd-isp@freebsd.org] On Behalf Of Charles Hatvany
> Sent: Tuesday, March 01, 2005 6:13 PM
> To: darek@nyi.net
> Cc: freebsd-isp@freebsd.org
> Subject: Re: Spammer on my system
>
>
> Darek,
>
> Thank you. Found the bastard. Same IP (83.102.146.162) 196
> times to a guestbook.pl that isn't even used by the client's
> site. Chmod 000 guestbook.pl should hold him.
>
> Thanks again.
>
> Charles
>
> >>> Darek Milewski <darek@nyi.net> 03/01 5:49 PM >>>
> Charles Hatvany wrote:
>
> >Hi guys,
> >
> >This may not be the correct forum for this. My apologies if this is
> >the wrong place - could use direction.
> >
> >I have someone abusing one of our servers. The mails "originate" with
> >user "www".
> >
> >The log entry is like this:
> >
> >Feb 28 20:19:03 sixty sendmail[33993]: j211J29r033993: from=www,
> >size=7430, class=0, nrcpts=200,
> >msgid=<200503010119.j211J29r033993@sixty.hatvany.com>,
> >relay=www@localhost
> >
> >pxytest shows open proxies at port 25 and 587. The apache config file
> >has
> >
> ><Directory proxy:*>
> >    Order Deny,Allow
> >    Deny from all
> ></Directory>
> >
> >If I reject relay for 127.0.0.1 - I stop him, but also all mail
> >originating on the server and on our web mail.
> >
> >Any ideas of what I should look for/do?
> >
> >Charles Hatvany
> >
> >
>
> Most likely you have some type of a mailer script (like FormMail.pl)
> installed under Apache somewhere. Happens all the time in a webhosting
> environment.. All you have to do is find it and disable it. Could also
> be called contact, or something similar. You might tail some access
> logs to look for frequent requests to a cgi file, or a php page.
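
The log search suggested in the thread, as an added example that is not part of the original messages: it pulls the timestamp of bulk mail submitted by `www` from the mail log, then ranks (client IP, script) pairs in the access log. The function names, the temporary file paths, the thresholds and the access-log lines (documentation-range addresses) are constructed for illustration; the Apache common/combined log layout is an assumption, and the mail-log line is the one quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). Log layouts assumed: sendmail syslog
# lines as quoted in the thread, Apache common/combined access log.

# bulk_www_mail MAILLOG [MIN_RCPTS]: print "time nrcpts" for messages
# submitted by the web server user "www" with many recipients.
bulk_www_mail() {
    awk -v min="${2:-50}" '
        /from=www,/ && match($0, /nrcpts=[0-9]+/) {
            n = substr($0, RSTART + 7, RLENGTH - 7) + 0
            if (n >= min) print $3, n
        }' "$1"
}

# top_script_hits ACCESSLOG [MIN_HITS]: print "count ip path" for each
# (client, script) pair requested at least MIN_HITS times.
top_script_hits() {
    awk -v min="${2:-50}" '
        {
            path = $7                       # request URI in common log format
            sub(/\?.*/, "", path)           # ignore the query string
            if (path ~ /\.(pl|cgi|php)$/) hits[$1 " " path]++
        }
        END { for (k in hits) if (hits[k] >= min) print hits[k], k }
    ' "$1" | sort -rn
}

# Constructed sample access log: one client hammering a CGI script.
make_sample_access_log() {
    i=0
    while [ "$i" -lt 196 ]; do
        echo '192.0.2.10 - - [28/Feb/2005:20:19:03 -0700] "POST /cgi-bin/guestbook.pl HTTP/1.0" 200 512'
        i=$((i + 1))
    done
    echo '198.51.100.7 - - [28/Feb/2005:20:20:11 -0700] "GET /index.html HTTP/1.1" 200 2048'
    echo '198.51.100.7 - - [28/Feb/2005:20:20:15 -0700] "GET /contact.php?id=1 HTTP/1.1" 200 900'
    echo '198.51.100.8 - - [28/Feb/2005:20:21:40 -0700] "POST /contact.php HTTP/1.1" 200 300'
}

# Sample maillog: the sendmail entry quoted in the thread.
make_sample_maillog() {
    echo 'Feb 28 20:19:03 sixty sendmail[33993]: j211J29r033993: from=www, size=7430, class=0, nrcpts=200, msgid=<200503010119.j211J29r033993@sixty.hatvany.com>, relay=www@localhost'
}

tmp=$(mktemp -d)
make_sample_maillog > "$tmp/maillog"
make_sample_access_log > "$tmp/access_log"
bulk_www_mail "$tmp/maillog" 50        # when the bulk mail was queued
top_script_hits "$tmp/access_log" 50   # which script, from which client
rm -rf "$tmp"
```

On a real host, point both functions at the actual mail and access logs and match the access-log hits against the timestamps the first function reports.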