Date: Tue, 01 Mar 2005 20:12:50 -0500
From: "Charles Hatvany" <Charles@hatvany.com>
To: darek@nyi.net
Cc: freebsd-isp@freebsd.org
Subject: Re: Spammer on my system
Message-ID: <s224cceb.046@hatvany.com>

Darek,

Thank you. Found the bastard. Same IP (83.102.146.162) 196 times to a guestbook.pl that isn't even used by the client's site. Chmod 000 guestbook.pl should hold him.

Thanks again.

Charles

>>> Darek Milewski <darek@nyi.net> 03/01 5:49 PM >>>
Charles Hatvany wrote:

>Hi guys,
>
>This may not be the correct forum for this. My apologies if this is the
>wrong place - could use direction.
>
>I have someone abusing one of our servers. The mails "originate" with
>user "www".
>
>The log entry is like this:
>
>Feb 28 20:19:03 sixty sendmail[33993]: j211J29r033993: from=www,
>size=7430, class=0, nrcpts=200,
>msgid=<200503010119.j211J29r033993@sixty.hatvany.com>, relay=www@localhost
>
>pxytest shows open proxies at port 25 and 587. The apache config file has
>
><Directory proxy:*>
>    Order Deny,Allow
>    Deny from all
></Directory>
>
>If I reject relay for 127.0.0.1 - I stop him, but also all mail
>originating on the server and on our web mail.
>
>Any ideas of what I should look for/do?
>
>Charles Hatvany

Most likely you have some type of a mailer script (like FormMail.pl) installed under Apache somewhere. Happens all the time in a webhosting environment.. All you have to do is find it and disable it. Could also be called contact, or something similar. You might tail some access logs to look for frequent requests to a cgi file, or a php page.
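
The access-log check suggested in the reply above, written out as an added example that is not part of the original thread: it ranks client/script pairs by request count for CGI and PHP paths. It assumes Apache common/combined log format; the function names `top_script_hits` and `sample_log` and the sample lines (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Rank (client, method, script) triples by request count for CGI/PHP paths
# in an Apache common/combined-format access log read from stdin.
# Usage: top_script_hits [min_hits] < access_log
top_script_hits() {
    awk -v min="${1:-1}" '
        {
            # $1 = client address, $6 = "METHOD, $7 = request path
            path = $7
            sub(/\?.*/, "", path)          # ignore the query string
            if (path ~ /\.(pl|cgi|php)$/) {
                method = $6
                sub(/^"/, "", method)
                hits[$1 " " method " " path]++
            }
        }
        END {
            for (k in hits)
                if (hits[k] >= min) print hits[k], k
        }
    ' | sort -k1,1nr -k2
}

# Constructed sample: documentation addresses, one client hammering a script.
sample_log() {
    i=0
    while [ "$i" -lt 196 ]; do
        printf '192.0.2.10 - - [28/Feb/2005:20:19:%02d -0500] "POST /cgi-bin/guestbook.pl HTTP/1.0" 200 512\n' "$((i % 60))"
        i=$((i + 1))
    done
    cat <<'EOF'
198.51.100.7 - - [28/Feb/2005:20:20:01 -0500] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [28/Feb/2005:20:20:05 -0500] "GET /contact.php?id=1 HTTP/1.1" 200 900
198.51.100.7 - - [28/Feb/2005:20:21:11 -0500] "GET /contact.php?id=2 HTTP/1.1" 200 900
203.0.113.5 - - [28/Feb/2005:20:22:40 -0500] "POST /cgi-bin/guestbook.pl HTTP/1.0" 200 512
EOF
}

# Show only triples with at least 50 hits.
sample_log | top_script_hits 50
```

Run it across every virtual host's access log, since the abused script may belong to a site that does not otherwise use it.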
