3 Mar 2005 16:41
RE: Spammer on my system
Wolfpaw - Dale Corse <admin-lists <at> wolfpaw.net>
2005-03-03 15:41:48 GMT
suExec (for cgi and php) is your friend :)
At least you know where to look that way :)

D.

> -----Original Message-----
> From: owner-freebsd-isp <at> freebsd.org
> [mailto:owner-freebsd-isp <at> freebsd.org] On Behalf Of Charles Hatvany
> Sent: Tuesday, March 01, 2005 6:13 PM
> To: darek <at> nyi.net
> Cc: freebsd-isp <at> freebsd.org
> Subject: Re: Spammer on my system
>
>
> Darek,
>
> Thank you. Found the bastard. Same IP (184.108.40.206) 196
> times to a guestbook.pl that isn't even used by the client's
> site. Chmod 000 guestbook.pl should hold him.
>
> Thanks again.
>
> Charles
>
> >>> Darek Milewski <darek <at> nyi.net> 03/01 5:49 PM >>>
> Charles Hatvany wrote:
>
> >Hi guys,
> >
> >This may not be the correct forum for this. My apologies if this is
> >the wrong place - could use direction.
> >
> >I have someone abusing one of our servers. The mails "originate" with
> >user "www".
> >
> >The log entry is like this:
> >
> >Feb 28 20:19:03 sixty sendmail: j211J29r033993: from=www,
> >size=7430, class=0, nrcpts=200,
> >msgid=<200503010119.j211J29r033993 <at> sixty.hatvany.com>,
> >relay=www <at> localhost
> >
> >pxytest shows open proxies at port 25 and 587. The apache config file
> >has
> >
> ><Directory proxy:*>
> >    Order Deny,Allow
> >    Deny from all
> ></Directory>
> >
> >If I reject relay for 127.0.0.1 - I stop him, but also all mail
> >originating on the server and on our web mail.
> >
> >Any ideas of what I should look for/do?
> >
> >Charles Hatvany
> >
>
> Most likely you have some type of a mailer script (like FormMail.pl)
> installed under Apache somewhere. Happens all the time in a webhosting
> environment.. All you have to do is find it and disable it. Could also
> be called contact, or something similar. You might tail some access
> logs to look for frequent requests to a cgi file, or a php page.
_______________________________________________
freebsd-isp <at> freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-isp
To unsubscribe, send any mail to "freebsd-isp-unsubscribe <at> freebsd.org"
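The log check suggested in the quoted reply, written out as an added example (not code from anyone in the thread): it lines up bulk `from=www` entries in the sendmail log with CGI/PHP requests in the Apache access log that arrived a few seconds earlier. The sample log lines, the `suspect_scripts` name, the thresholds and the assumption that both logs are written on the same host in the same local time zone are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data, not taken from the thread (192.0.2.x / 198.51.100.x are documentation ranges).
MAILLOG = """\
Feb 28 20:19:03 host sendmail[33993]: j211J29r033993: from=www, size=7430, class=0, nrcpts=200, relay=www@localhost
Feb 28 20:25:40 host sendmail[34010]: j211PeXX034010: from=www, size=812, class=0, nrcpts=1, relay=www@localhost
"""
ACCESSLOG = """\
192.0.2.10 - - [28/Feb/2005:20:19:02 -0500] "POST /cgi-bin/guestbook.pl HTTP/1.0" 200 512
192.0.2.10 - - [28/Feb/2005:20:19:03 -0500] "POST /cgi-bin/guestbook.pl HTTP/1.0" 200 512
198.51.100.7 - - [28/Feb/2005:20:19:03 -0500] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [28/Feb/2005:20:25:39 -0500] "POST /contact.php HTTP/1.1" 200 300
"""

# Mail queued by the web server user, with its recipient count.
MAIL_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sendmail(?:\[\d+\])?: \w+: from=www,.*\bnrcpts=(\d+)")
# Common/combined access log: client IP, local timestamp, request path.
HTTP_RE = re.compile(r'^(\S+) \S+ \S+ \[(\S+) [^\]]+\] "\S+ (\S+)')
SCRIPT_RE = re.compile(r"\.(?:pl|cgi|php)(?:\?|$)")

def suspect_scripts(maillog, accesslog, year, min_rcpts=50, window=5):
    """Count (script path, client IP) hits seen up to `window` seconds
    before each bulk message queued by the web server user."""
    bulk = []
    for line in maillog.splitlines():
        m = MAIL_RE.match(line)
        if m and int(m.group(2)) >= min_rcpts:
            # syslog timestamps carry no year, so the caller supplies it
            bulk.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    hits = Counter()
    for line in accesslog.splitlines():
        m = HTTP_RE.match(line)
        if not m or not SCRIPT_RE.search(m.group(3)):
            continue  # not a request to a .pl/.cgi/.php script
        ip, stamp, path = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")
        if any(timedelta(0) <= t - when <= timedelta(seconds=window) for t in bulk):
            hits[(path.split("?")[0], ip)] += 1
    return hits

if __name__ == "__main__":
    for (path, ip), n in suspect_scripts(MAILLOG, ACCESSLOG, 2005).most_common():
        print(n, ip, path)
```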