locating origin of spammer

[Richard Lynch]

Joseph Koening (jWeb) wrote:
> I got up this morning and discovered that someone sent some spam through
> one of my servers. The messages were sent from the 'www' user on
> localhost, which is leading me to think somewhere someone has an insecure
> php or perl script that is allowing someone to designate the recipient,
> the subject, body, etc. I know the machine is not open-relay (I tested it
> to double check) and I checked to make sure no one had actually logged in.
> I grepped all of apache's log files looking for sites that received hits
> about the same time the mail started going out. What else can I do to find
> how the mail is being sent? Thanks,

While this has been resolved for the original poster, for the next guy who
has this problem...

For PHP, one could do something like:

grep "mail.*\(" /path/to/htdocs

and find mostly all of the places somebody is using PHP's internal
http://php.net/mail function.

I did that soon after the formmail alert, and made sure that I was
cleaning all the input.

Of course, if some user is doing this maliciously rather than from
ignorance, they could use "mail\n(" and this grep wouldn't find it...

A grep expert could probably suggest a better expression to use.

-- 
Like Music?
http://l-i-e.com/artists.htm