newbie with www user security problem

Ken Hawkins ken at rosewoodblues.com
Thu Aug 11 13:32:26 GMT 2005


many, MANY apologies up front if i have sent this to the wrong place!  
I am inherently a software engineer who now gets to monitor a mail  
server (don't ask). anyway i get an email message that alerts me from  
a user that we have been hacked by a spammer and the mail message  
header is:

------------- Forwarded message follows -------------

X-Auth-No:
Return-Path: <web1.prosoundweb.com!www>
Received: from web1.prosoundweb.com [64.73.50.193] by compudox.com
     with Novonyx SMTP Server $Revision:   2.75.1.9  $; Wed, 10 Aug 2005
     14:25:40 -0700 (PDT)
Received: from web1.prosoundweb.com (localhost.prosoundweb.com [127.0.0.1])
     by web1.prosoundweb.com (8.13.3/8.13.3) with ESMTP id j7AJiZZF016410;
     Wed, 10 Aug 2005 14:47:04 -0500 (CDT)
     (envelope-from www at web1.prosoundweb.com)
Received: (from www at localhost)
     by web1.prosoundweb.com (8.13.3/8.13.3/Submit) id j7AINncm031958;
     Wed, 10 Aug 2005 13:23:49 -0500 (CDT)
     (envelope-from www)
To: webmaster at prosoundweb.com
Subject: All  warez and porno in one place
Reply-to: webmaster at prosoundweb.com
From: webmaster at prosoundweb.com
Message-ID: <fe61f25929ecaf805cb30bb1beba7dc5 at srforum.prosoundweb.com>
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8bit
Date: Wed, 10 Aug 2005 13:23:49 -0500
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-AntiAbuse: Board servername - srforum.prosoundweb.com
X-AntiAbuse: User_id - 2
X-AntiAbuse: Username - admin
X-AntiAbuse: User IP - 62.105.6.113


it appears that someone has hacked the www password. at least i  
think, and here is where the questions start....

am i correct in thinking that someone has hacked the www password and  
has used the phpBB2 functionality (forum nightmare) to send spam mail  
out?

what can i do about it other than have the www password changed? if i  
change it will this action at least deter the spammer? what else will  
this affect by changing the password?

can anyone shoot me a URL / example / explanation of how to button up  
this hole?

THANK YOU, THANK YOU, THANK YOU in advance!

ken;
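
Added example, not part of the original post: a small Python script that reads headers like the ones forwarded above and reports which local account handed the message to sendmail and what phpBB2 recorded about the request. The names triage, LOCAL_SUBMIT and SAMPLE are constructed for illustration; the header values are the ones in the message.

```python
import re
from email import message_from_string

# Subset of the headers forwarded above, re-folded so every continuation
# line starts with whitespace (the archive's " at " obfuscation is kept).
SAMPLE = """\
Received: from web1.prosoundweb.com [64.73.50.193] by compudox.com
 with Novonyx SMTP Server $Revision:   2.75.1.9  $;
 Wed, 10 Aug 2005 14:25:40 -0700 (PDT)
Received: from web1.prosoundweb.com (localhost.prosoundweb.com [127.0.0.1])
 by web1.prosoundweb.com (8.13.3/8.13.3) with ESMTP id j7AJiZZF016410;
 Wed, 10 Aug 2005 14:47:04 -0500 (CDT)
Received: (from www at localhost)
 by web1.prosoundweb.com (8.13.3/8.13.3/Submit) id j7AINncm031958;
 Wed, 10 Aug 2005 13:23:49 -0500 (CDT)
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-AntiAbuse: Board servername - srforum.prosoundweb.com
X-AntiAbuse: User_id - 2
X-AntiAbuse: Username - admin
X-AntiAbuse: User IP - 62.105.6.113

"""

# sendmail's stamp for a message queued by a local process: "(from user@localhost)"
LOCAL_SUBMIT = re.compile(r"^\(from (\S+?)(?:@| at )localhost\)")

def triage(raw):
    """Summarise where a message entered the mail system and what the web app logged."""
    msg = message_from_string(raw)
    # Each hop prepends its Received header, so the last one is the point of origin.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    origin = hops[-1] if hops else ""
    m = LOCAL_SUBMIT.match(origin)
    abuse = {}
    for value in msg.get_all("X-AntiAbuse", []):
        key, sep, val = value.partition(" - ")
        if sep:
            abuse[key.strip()] = val.strip()
    return {
        "hops": len(hops),
        "local_submitter": m.group(1) if m else None,  # Unix account that ran sendmail
        "mailer": msg.get("X-Mailer"),
        "app": abuse,  # forum account and client IP as recorded by the board
    }

if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v}")
```

A local_submitter of www together with X-Mailer: PHP means the message was queued on the web server itself by a process running as the web server's account, and the X-AntiAbuse fields name the forum account and client IP the board logged for that request.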



More information about the freebsd-security mailing list