Somebody is exploiting a PHP mail script on my web server and using it for sending spam. I don't have any formmail.pl or any other Perl-based scripts. I host about 50 domains on this server with a large amount of content, and can't seem to find that script. All the scanners I found only check for vulnerable Perl scripts. If somebody knows of a good mail script scanner that checks PHP, please let me know.
* Alex Levit wrote on Wed, Nov 27, 2002 at 10:28 -0800:
Somebody is exploiting a PHP mail script on my web server and using it for sending spam. I don't have any formmail.pl or any other Perl-based scripts. I host about 50 domains on this server with a large amount of content, and can't seem to find that script.
Hum, not an easy issue.
All the scanners I found only check for vulnerable Perl scripts. If somebody knows of a good mail script scanner that checks PHP, please let me know.
Theoretically it may also be a customer-specific script that evaluates some FORM, found by accident by a spammer but not by scanners. Maybe you can find|grep for a list of mail-sending PHP scripts? Maybe you can catch an instance while it is sending mail, i.e. with gdb or some trace, to get an idea of the source (lsof may list the open PHP source with some luck when spam is heavy). Hum, when using mod_php you don't even get a useful user ID in the mail server log. Well, maybe the scene should not use mod_php but PHP via CGI; I don't think mod_php is made for security at all...

oki,

Steffen

-- 
This letter was generated automatically and therefore bears neither signature nor seal.
* Alex Levit wrote on Wed, Nov 27, 2002 at 10:28 -0800:
Somebody is exploiting a PHP mail script on my web server and using it for sending spam. I don't have any formmail.pl or any other Perl-based scripts. I host about 50 domains on this server with a large amount of content, and can't seem to find that script.

Try to match the entries in your mailer daemon log with the Apache log file (at least I think that PHP will use your local MDA for transmitting the spam). The time stamps should be very close ...

Markus

-- 
 __________________
 /"\   Markus Gaugusch
 \ /   ASCII Ribbon Campaign   markus@gaugusch.at
  X    Against HTML Mail
 / \
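The log-matching approach from the reply above, worked through as an added example (not code from the original thread or from any of its participants): for every message the web-server user hands to the local MTA, look at the web requests logged within a few seconds of it and count which script keeps turning up. The sendmail-style and Apache combined-format lines below are constructed for the example, as are the host, user and path names in them; the set of web-server user names and the five-second window are assumptions you would adjust for your own server. Once a path ranks at the top, grepping its source for mail() (the other suggestion in the thread) confirms the finding.

```python
"""Correlate MTA log entries with Apache access-log entries to find the
web script that is handing spam to the local mailer.  Added example,
not part of the original thread; the log lines below are constructed."""
from collections import Counter
from datetime import datetime, timedelta
import re

# Constructed sendmail-style log lines (hypothetical host "www").  The
# web-server user "www" submits a message shortly after each request to
# the abused script; the last line is an ordinary user's mail for contrast.
MAIL_LOG = """\
Nov 27 10:28:31 www sendmail[4011]: gARIRVx04011: from=www, size=812, nrcpts=1, relay=www@localhost
Nov 27 10:31:02 www sendmail[4020]: gARIUgt04020: from=www, size=790, nrcpts=1, relay=www@localhost
Nov 27 10:31:03 www sendmail[4021]: gARIUgu04021: from=www, size=790, nrcpts=1, relay=www@localhost
Nov 27 10:45:10 www sendmail[4102]: gARIjAQ04102: from=alex, size=2048, nrcpts=1, relay=alex@localhost
"""

# Constructed Apache combined-format lines for the same period.
ACCESS_LOG = """\
10.0.0.5 - - [27/Nov/2002:10:28:29 -0800] "POST /contact/sendform.php HTTP/1.0" 200 312 "-" "Mozilla/4.0"
10.0.0.9 - - [27/Nov/2002:10:28:30 -0800] "GET /index.html HTTP/1.0" 200 4221 "-" "Mozilla/4.0"
10.0.0.5 - - [27/Nov/2002:10:31:01 -0800] "POST /contact/sendform.php HTTP/1.0" 200 312 "-" "Mozilla/4.0"
10.0.0.5 - - [27/Nov/2002:10:31:02 -0800] "POST /contact/sendform.php HTTP/1.0" 200 312 "-" "Mozilla/4.0"
10.0.0.7 - - [27/Nov/2002:10:40:00 -0800] "GET /news.php HTTP/1.0" 200 9000 "-" "Mozilla/4.0"
"""

# syslog timestamp, host, program, queue id, then "from=<sender>,"
MAIL_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: \S+: from=([^,]+),")
# client, ident, user, [timestamp], "METHOD path protocol", status
ACCESS_RE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_mail_log(text, year):
    """Return (timestamp, sender) per queue entry.  syslog lines carry no
    year, so the caller supplies it (normally taken from the access log)."""
    events = []
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m.group(2)))
    return events


def parse_access_log(text):
    """Return (timestamp, method, path, status) per request, with the
    timestamp reduced to server-local wall-clock time like the mail log."""
    requests = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            requests.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return requests


def rank_suspects(mail_events, requests, window_seconds=5,
                  web_users=("www", "apache", "nobody", "www-data")):
    """Rank (method, path) pairs by the number of web-user mail submissions
    that have such a request within +/- window_seconds.  Returns the number
    of submissions considered and the ranking, most suspicious first."""
    window = timedelta(seconds=window_seconds)
    explains = Counter()
    considered = 0
    for sent_at, sender in mail_events:
        if sender not in web_users:      # mail from real users is not our problem here
            continue
        considered += 1
        nearby = {(method, path) for ts, method, path, _ in requests
                  if abs(sent_at - ts) <= window}
        explains.update(nearby)          # one vote per path per submission
    return considered, explains.most_common()


if __name__ == "__main__":
    requests = parse_access_log(ACCESS_LOG)
    year = requests[0][0].year
    considered, ranking = rank_suspects(parse_mail_log(MAIL_LOG, year), requests)
    print("web-user mail submissions:", considered)
    for (method, path), hits in ranking:
        print(f"{hits:3d}  {method} {path}")
```

Run it against real logs by reading the two files into MAIL_LOG and ACCESS_LOG (or passing their contents to the parsers); the script that explains nearly every submission is the one to inspect, while a path that only shows up once is just coincidental traffic. Widen the window if the mail log and the access log are written by different hosts whose clocks are not tightly synchronised.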
* Steffen Dettmer wrote on Thu, Nov 28, 2002 at 11:34 +0100:
* Alex Levit wrote on Wed, Nov 27, 2002 at 10:28 -0800:
Somebody is exploiting a PHP mail script on my web server and using it for sending spam.
Damn, I just had the same problem on a customer's server: formmail.cgi. I don't know why I need to remove formmail again and again, didn't they learn?!

oki,

Steffen

-- 
This letter was generated automatically and therefore bears neither signature nor seal.
Steffen Dettmer wrote:
* Steffen Dettmer wrote on Thu, Nov 28, 2002 at 11:34 +0100:
* Alex Levit wrote on Wed, Nov 27, 2002 at 10:28 -0800:
Somebody is exploiting a PHP mail script on my web server and using it for sending spam.
Damn, I just had the same problem on a customer's server: formmail.cgi. I don't know why I need to remove formmail again and again, didn't they learn?!
These people scan for them, and when they find one, they try to break it. The simplest solution is to rename it. Better still, upgrade to this version, *and* rename it:

##########################################################################
# FormMail                                      Version 1.9s-p7          #
# Copyright 1995-2001 Matt Wright               mattw@worldwidemart.com  #
# Created 06/09/95                 Last Modified 02/24/02 00:34:00 PST   #
# Matt's Script Archive, Inc.:     http://www.worldwidemart.com/scripts/ #
# Enhanced Security Version:       ftp://ftp.monkeys.com/pub/formmail/   #
##########################################################################

Cheers, Laurie.

-- 
---------------------------------------------------------------------
Laurie Brown                                      laurie@brownowl.com
---------------------------------------------------------------------