* Alex Levit wrote on Wed, Nov 27, 2002 at 10:28 -0800:
Somebody is exploiting a php mail script on my web-server and using it for sending spam. I don't have any formmail.pl or any other perl based scripts. I host about 50 domains on this server with a large amount of content. And can't seem to find that script.
Hum, not an easy issue.
All the scanners I found only check for vulnerable perl scripts. If somebody knows of a good mail script scanner that checks php please let me know.
Theoretically it may also be a customer-specific script to evaluate some FORM, found by accident by a spammer but not by scanners. Maybe you find|grep a list of mail-sending PHP scripts? Maybe you can catch an instance sending mail when running, i.e. with gdb or some trace to get an idea of the source (lsof may list the open PHP source with some luck when spam is heavy). Hum, when using mod_php you don't even get a useful userID in the mailserver log. Well, maybe the scene should not use mod_php but php via CGI; I don't think mod_php is made for security at all...

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
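One way to build the "find|grep a list of mail-sending PHP scripts" suggested in the reply, as an added example that is not part of the original thread. The extension list and the triage rule (a `mail()` call whose first argument is not a string literal goes to the top of the review list) are assumptions of this sketch.

```python
import os
import re
import sys

# mail( as a plain function call: skips ->mail(, $mail( and names like my_mail(
MAIL_CALL = re.compile(r'(?<![\w>$])mail\s*\(\s*(\S?)', re.IGNORECASE)
# Assumed set of extensions the web server hands to PHP; adjust to the server config.
PHP_EXT = ('.php', '.php3', '.php4', '.phtml', '.inc')

def scan_file(path):
    """Return [(line_no, source_line, needs_review)] for each mail() call in path."""
    hits = []
    with open(path, encoding='latin-1') as fh:  # latin-1 decodes any byte sequence
        for no, line in enumerate(fh, 1):
            m = MAIL_CALL.search(line)
            if m:
                # A recipient that is not a quoted literal may be caller-supplied.
                hits.append((no, line.strip(), m.group(1) not in ('"', "'")))
    return hits

def scan_tree(docroot):
    """Walk docroot and return {path: hits} for every PHP file that calls mail()."""
    report = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower().endswith(PHP_EXT):
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    report[path] = hits
    return report

def prioritise(report):
    """Order paths so files with a non-literal recipient come first."""
    return sorted(report, key=lambda p: (not any(h[2] for h in report[p]), p))

if __name__ == '__main__':
    found = scan_tree(sys.argv[1] if len(sys.argv) > 1 else '.')
    for path in prioritise(found):
        for no, line, review in found[path]:
            print(f"{'REVIEW' if review else 'info  '} {path}:{no}: {line}")
```

Run it with the directory that holds the hosted domains as its only argument; lines marked `REVIEW` are the scripts to read by hand first.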