OK,
Well, I've searched the forums and honestly can't find a solution to our problem. Users have a PHP script, or an insecure CGI script I'd imagine, that is sending mail through Apache (I believe) as the user nobody@serverhostname. For the CGI scripts, we searched for insecure versions of FormMail, removed them, and that was that, but now we're getting evidence one of our servers is back up to the same tricks, but it has no more FormMail scripts left except the .php ones.
The problem is, there is no reasonable way to trace back this activity; the exim_mainlog only displays that the user nobody@domain.com sent the email. I've tried to check the Apache log files, scanning back for entries from when this was occurring, but with 700 log files in /usr/local/apache/domlogs, this just isn't a reasonable solution. There's got to be a way to stop Exim from sending mail from the user nobody, and we found some that were supposed to work for Exim v4.0, but cPanel seems to be running Exim 3.xx. Does anyone have suggestions for this? Even if we can't disable the user nobody from sending mail, there must be a reasonable way to at least identify which user/domain has the scripts that are being used for this malicious activity.



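The manual search the post describes, the timestamps of the "nobody" injections in exim_mainlog against the request lines in 700 domlogs, is exactly the kind of correlation a short script does in seconds. The following is an added example and not code from the original post or from cPanel. It assumes the default Exim mainlog format (a "<=" line marks a message being received, with the envelope sender after it), the Apache combined log format that cPanel writes to /usr/local/apache/domlogs/<domain>, that both daemons log in the same local time, and that the web request that triggers the mail finishes within a few seconds before the message is injected. The sample log lines are constructed for the example; the domain names and paths in them are invented.

```python
"""Correlate Exim '<= nobody@...' injections with Apache POST requests.

For every web request (POST by default) in each domain's log, check whether
an Exim message from the given sender (nobody@ by default) was injected within
a short window after the request. Requests that are consistently followed by
such injections point at the script and the account that are sending mail.
"""
import os
import re
from bisect import bisect_left
from collections import Counter
from datetime import datetime, timedelta

# Assumed Exim mainlog line: "YYYY-MM-DD HH:MM:SS <msgid> <= sender@host U=..."
EXIM_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= (\S+@\S+)")
# Assumed Apache combined log line: ip ident user [time] "METHOD PATH PROTO" status ...
APACHE_RE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3}')

# Constructed sample data (not real logs). The third Exim line is a legitimate
# user's mail and the fourth is a delivery ("=>") line; neither should match.
EXIM_MAINLOG = """\
2005-03-01 10:15:02 1D5aBc-0001Kx-00 <= nobody@server.example.net U=nobody P=local S=1302
2005-03-01 10:15:03 1D5aBd-0001Ky-00 <= nobody@server.example.net U=nobody P=local S=1299
2005-03-01 10:20:44 1D5aBe-0001Kz-00 <= alice@customer-one.example U=alice P=local S=812
2005-03-01 10:15:03 1D5aBd-0001Ky-00 => victim@example.org R=lookuphost T=remote_smtp
""".splitlines()

DOMLOGS = {
    "customer-one.example": [
        '203.0.113.7 - - [01/Mar/2005:10:15:01 +0000] "POST /cgi-bin/contact.php HTTP/1.1" 200 311 "-" "Mozilla/4.0"',
        '203.0.113.7 - - [01/Mar/2005:10:15:02 +0000] "POST /cgi-bin/contact.php HTTP/1.1" 200 311 "-" "Mozilla/4.0"',
        '198.51.100.9 - - [01/Mar/2005:10:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    ],
    "customer-two.example": [
        '192.0.2.44 - - [01/Mar/2005:09:58:10 +0000] "POST /guestbook.php HTTP/1.1" 200 220 "-" "Mozilla/4.0"',
        '192.0.2.45 - - [01/Mar/2005:10:20:43 +0000] "POST /guestbook.php HTTP/1.1" 200 220 "-" "Mozilla/4.0"',
    ],
}


def exim_send_times(lines, sender_prefix="nobody@"):
    """Sorted timestamps of messages Exim received from a sender matching the prefix."""
    times = []
    for line in lines:
        m = EXIM_RE.match(line)
        if m and m.group(2).startswith(sender_prefix):
            times.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    times.sort()
    return times


def parse_apache_line(line):
    """Return (timestamp, method, path) for a combined-format line, or None."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    # Drop the UTC offset: we assume Apache and Exim share the same local clock.
    ts = datetime.strptime(m.group(1).split()[0], "%d/%b/%Y:%H:%M:%S")
    return ts, m.group(2), m.group(3)


def followed_by_send(hit_time, send_times, window):
    """True if some injection happened in [hit_time, hit_time + window]."""
    i = bisect_left(send_times, hit_time)
    return i < len(send_times) and send_times[i] <= hit_time + window


def correlate(send_times, domlogs, window_seconds=5, methods=("POST",)):
    """Count (domain, path) requests that were followed by an injection.

    domlogs is an iterable of (domain, lines) pairs, so a real domlogs
    directory can be streamed file by file without loading it all at once.
    """
    window = timedelta(seconds=window_seconds)
    suspects = Counter()
    for domain, lines in domlogs:
        for line in lines:
            parsed = parse_apache_line(line)
            if parsed is None:
                continue
            ts, method, path = parsed
            if method in methods and followed_by_send(ts, send_times, window):
                suspects[(domain, path)] += 1
    return suspects


def iter_domlog_dir(directory):
    """Yield (domain, line iterator) for each file in a cPanel domlogs directory (assumed layout)."""
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                yield name, fh


if __name__ == "__main__":
    # Run against the constructed sample; swap in the real files with e.g.
    #   times = exim_send_times(open("/var/log/exim_mainlog"))
    #   hits = correlate(times, iter_domlog_dir("/usr/local/apache/domlogs"))
    times = exim_send_times(EXIM_MAINLOG)
    for (domain, path), n in correlate(times, DOMLOGS.items()).most_common():
        print(f"{n:5d}  {domain}  {path}")
```

On the sample the only script followed by "nobody" injections is /cgi-bin/contact.php under customer-one.example; the legitimate user's mail and the GET request are ignored. On a real server, sort by count and look first at paths that were hit many times from few source addresses, then read that script. The window and the POST-only filter are tunable: widen the window if the server is slow, and include GET if a script sends mail from a query string.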