locating origin of spammer

Peter Risdon peter at circlesquared.com
Sun Sep 26 07:57:40 PDT 2004


Joseph Koening (jWeb) wrote:
> I got up this morning and discovered that someone sent some spam through
> one of my servers. The messages were sent from the 'www' user on
> localhost, which is leading me to think somewhere someone has an insecure
> php or perl script that is allowing someone to designate the recipient,
> the subject, body, etc. I know the machine is not open-relay (I tested it
> to double check) and I checked to make sure no one had actually logged in.
> I grepped all of apache's log files looking for sites that received hits
> about the same time the mail started going out. What else can I do to find
> how the mail is being sent? Thanks,

My first act would be to search for formail.pl or variations thereof in 
users' cgi-bins.

There have been some hideous holes in some versions of this Matt's 
Script Archive script.

Peter.



-- 

the circle squared

network systems and software

http://www.circlesquared.com
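
Added example, not part of the original thread: one way to do the log correlation described in the question and narrow down which script to inspect is to match each message submitted by 'www' against dynamic-page requests logged in the few seconds before it. It assumes Apache common log format and sendmail-style maillog lines; the sample log lines, hostnames, addresses and script paths below are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the original post).
ACCESS_LOG = """\
203.0.113.7 - - [26/Sep/2004:03:12:44 -0700] "POST /~alice/cgi-bin/contact.pl HTTP/1.0" 200 312
198.51.100.4 - - [26/Sep/2004:03:12:50 -0700] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [26/Sep/2004:03:13:01 -0700] "POST /~alice/cgi-bin/contact.pl HTTP/1.0" 200 312
198.51.100.9 - - [26/Sep/2004:03:20:10 -0700] "POST /~bob/guestbook.php HTTP/1.1" 200 901
""".splitlines()

MAIL_LOG = """\
Sep 26 03:12:45 web1 sendmail[4101]: i8QACj01004101: from=www, size=845, class=0, nrcpts=1, relay=www@localhost
Sep 26 03:13:02 web1 sendmail[4105]: i8QAD201004105: from=www, size=851, class=0, nrcpts=1, relay=www@localhost
Sep 26 03:15:00 web1 sendmail[4110]: i8QAF001004110: from=root, size=300, class=0, nrcpts=1, relay=root@localhost
""".splitlines()

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]+\] "(\S+) (\S+)')
MAIL_RE = re.compile(r'^(\w{3} +\d+ [\d:]{8}) .*\bfrom=(\S+?),')

def mail_times(lines, sender="www", year=2004):
    """Timestamps of messages submitted locally by `sender` (syslog has no year)."""
    out = []
    for line in lines:
        m = MAIL_RE.match(line)
        if m and m.group(2) == sender:
            out.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return out

def suspect_scripts(access_lines, sent, window=timedelta(seconds=5)):
    """Count dynamic-page requests that precede a mail submission by <= window."""
    hits = Counter()
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or not re.search(r'(cgi-bin/|\.(pl|cgi|php)\b)', m.group(4)):
            continue
        # Both logs are written in server-local time, so the UTC offset is ignored.
        t = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        if any(timedelta(0) <= s - t <= window for s in sent):
            hits[(m.group(4).split("?")[0], m.group(1))] += 1
    return hits

if __name__ == "__main__":
    for (path, ip), n in suspect_scripts(ACCESS_LOG, mail_times(MAIL_LOG)).most_common():
        print(f"{n:4d}  {path}  from {ip}")
```

A script that shows up repeatedly just ahead of the outgoing messages is the first one to audit or disable; widen the window if the mail queue is slow to log submissions.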

