
php & cgi scripts forwarding mail bombs, how to neutralize?!

Discussion in 'E-mail Discussions' started by porcupine, Oct 13, 2002.

  1. porcupine

    Ok,

    Well, I've searched the forums, and honestly can't find a solution to our problem. Users have a PHP script, or an insecure CGI script I'd imagine, that is sending mail through Apache (I believe) as the user nobody@serverhostname. For the CGI scripts, we searched for insecure versions of formmail, removed them, and that was that, but now we're getting evidence one of our servers is back up to the same tricks, but it has no more formmail scripts left except the .php ones.

    Problem being, there is no reasonable way to trace back this activity. The exim_mainlog only displays that the user nobody@domain.com sent the email. I've tried to check the Apache log files, scanning back for entries when this was occurring, but with 700 logfiles in /usr/local/apache/domlogs, this just isn't a reasonable solution. There's got to be a way to stop Exim from sending mail from the user nobody, and we found some that were supposed to work for Exim v4.0, but cPanel seems to be running Exim 3.xx. Does anyone have suggestions for this? Even if we can't disable the user nobody from sending mail, there must be a reasonable way to at least identify which user/domain has the scripts that are being used for this malicious activity.
     
  2. Skm74

    I need to know too
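
One way to narrow down which domain's script is behind the `nobody` mail described in the first post, as an added example that is not part of the original thread: take the timestamps of `U=nobody` arrivals from the Exim main log and count, per domain log, the requests received just before each one. The log lines, domain names and paths below are constructed, and the log formats (Exim `<=` arrival lines, Apache common log format, both in server local time) are assumptions.

```python
import re
from bisect import bisect_left
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Assumed formats: Exim main-log
# arrival lines ("<=") carrying U=<local user>, and Apache common log format.
EXIM_LOG = """\
2002-10-13 04:12:33 180abc-0001AB-00 <= nobody@host.example.com U=nobody P=local S=1824
2002-10-13 04:12:40 180abd-0001AC-00 <= alice@example.org H=mx.example.org [192.0.2.9] P=esmtp S=2011
2002-10-13 04:13:05 180abe-0001AD-00 <= nobody@host.example.com U=nobody P=local S=1830
"""
# One entry per file in the domlogs directory: {domain: log text}.
DOMLOGS = {
    "shop.example.com":
        '198.51.100.7 - - [13/Oct/2002:04:12:32 -0400] "POST /contact/mail.php HTTP/1.0" 200 312\n'
        '198.51.100.7 - - [13/Oct/2002:04:13:04 -0400] "POST /contact/mail.php HTTP/1.0" 200 312\n',
    "blog.example.net":
        '203.0.113.5 - - [13/Oct/2002:04:12:10 -0400] "GET /index.html HTTP/1.0" 200 5120\n'
        '203.0.113.5 - - [13/Oct/2002:09:30:00 -0400] "POST /guestbook.cgi HTTP/1.0" 200 800\n',
}

EXIM_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= .*\bU=nobody\b", re.M)
APACHE_RE = re.compile(r'\[([^\] ]+) [^\]]*\] "(?:GET|POST) (\S+)')

def nobody_send_times(exim_text):
    """Sorted local timestamps of messages submitted by the web server user."""
    return sorted(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
                  for m in EXIM_RE.finditer(exim_text))

def correlate(exim_text, domlogs, window=5):
    """Count requests per (domain, path) received at most `window` seconds
    before a nobody-submitted message. Both logs are read as server local time."""
    sends = nobody_send_times(exim_text)
    hits = Counter()
    for domain, text in domlogs.items():
        for m in APACHE_RE.finditer(text):
            t = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            i = bisect_left(sends, t)  # first send at or after this request
            if i < len(sends) and sends[i] - t <= timedelta(seconds=window):
                hits[(domain, m.group(2).split("?")[0])] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (domain, path), n in correlate(EXIM_LOG, DOMLOGS):
        print(f"{n:5d}  {domain}  {path}")
```

On a busy server some matches are coincidental, so the ranking matters more than any single hit: a path that stays at the top across many send times is the one to inspect first.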
     