Increase spamming through user Nobody

[Philip]

We have noticed over the weekend a huge increase in emails being send from our server farm from the user Nobody (PHP). These emails are largely being sent to AOL users. These servers have been online for a while now and have not have any concern of this type prior to Friday morning. Is there any new technique/exploit being used by Internet spammers through PHP scripts?

FYI - We do know about the exploit in Formmail.pl's and have worked to combat that problem. This issue started about Thursday evening or Friday morning and continues today.

cPanel.net Support Ticket Number:

[Website Rob]

I would suggest checking the account of new Clients, say in the last week, and if you keep copies of Server eMails: [newmailcgi] Recently Uploaded CGI scripts that send email on... to check those as well. Although it says CGI scripts, it is notice of any type script using any eMail protocols.

cPanel.net Support Ticket Number:

[Philip]

Thank you for the input. These machines have not taken on any new customers in a while. They are full and have been running at the same capacity for a while. The problem just popped up on us on Friday and continues today.

cPanel.net Support Ticket Number:

[moogle]

I am just now having this problem, but I looked and my server has never sent that email. Is there a way to get it to? Or to view via the server what it would have?

cPanel.net Support Ticket Number:

[Website Rob]

If your Server has not sent out the eMails, how can it be a problem for you?

cPanel.net Support Ticket Number:

[techark]

2 days ago I got a report from spam cop on spam from one of my servers and it was from nobody, but the name of the mailer script was included in the header so I greped the script name and found 10 of them on the server. I then used pico to edit each of the scripts and changed the mailer name in the script to the domain name it was running on. Next time they send mail it will have their domian name in the header of the mail.

Then terminate.

cPanel.net Support Ticket Number:

[techark]

AAlready tried that breaks a few scripts so I am giving my clients time to get ready before we pull that trigger on them.

cPanel.net Support Ticket Number:

[jamesbond]

Originally posted by techark
AAlready tried that breaks a few scripts so I am giving my clients time to get ready before we pull that trigger on them.

What exactly broke when you tried phpsuexec?

cPanel.net Support Ticket Number:

[Doctor]

What exactly broke when you tried phpsuexec?

FYI, scripts like PHPBB will not be able to send out mails when PHPSuexec is enabled. Am I right, techark?

cPanel.net Support Ticket Number:

[tAzMaNiAc]

Originally posted by Doctor


FYI, scripts like PHPBB will not be able to send out mails when PHPSuexec is enabled. Am I right, techark?

cPanel.net Support Ticket Number:

Nope...

I have PHPBB and PHPSuexec and all is fine.

Brenden

cPanel.net Support Ticket Number:

[Doctor]

Hey Taz! Nice to hear from you again! The last time I tried, PHPBB did have the problem. Maybe their newer version supports PHPSuexec.

I have a question though. The last time I had PHPSuexec enabled, some of my clients did come back to me saying that all outbound mails were bounced. My question is... what should be added in a PHP script so that it supports PHPSuexec?

Because I have an answer to this, I will definitely enable PHPSuexec again.

cPanel.net Support Ticket Number:

[bmcpanel]

Originally posted by jamesbond
What exactly broke when you tried phpsuexec?

Several of our customer's private PHP scripts broke. Most of it was because the user was using PHP configs in .htaccess.

cPanel.net Support Ticket Number: