locating origin of spammer

Peter Risdon peter at circlesquared.com
Sun Sep 26 07:57:40 PDT 2004

Joseph Koening (jWeb) wrote:
> I got up this morning and discovered that someone sent some spam through
> one of my servers. The messages were sent from the 'www' user on
> localhost, which is leading me to think somewhere someone has an insecure
> php or perl script that is allowing someone to designate the recipient,
> the subject, body, etc. I know the machine is not open-relay (I tested it
> to double check) and I checked to make sure no one had actually logged in.
> I grepped all of apache's log files looking for sites that received hits
> about the same time the mail started going out. What else can I do to find
> how the mail is being sent? Thanks,

My first act would be to search for formail.pl or variations thereof in 
users' cgi-bins.

There have been some hideous holes in some versions of this Matt's 
Script Archive script.



the circle squared

network systems and software


More information about the freebsd-questions mailing list