The Community Forums


Possible to track down an exploited formmail script?

Discussion in 'E-mail Discussions' started by Metro2, Jun 6, 2006.

  1. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Sometime this afternoon exim crashed briefly due to getting slammed with over a thousand spam messages at once. It would appear that someone has found an exploitable formmail script (or other php script) and used it to send spam.

    Is there any way for me to track down where the security breach happened and what script on the server was exploited?

    I'm running:
    WHM 10.8.0 cPanel 10.8.2-R119
    RedHat Enterprise 3 i686 - WHM X v3.1.0
    PHP 4.4.2
    mod_security 1.9.3
    Mailscanner 2.38

    Thanks for any advice!
     
  2. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Yes, as long as you have exim extended logging enabled. Check your /var/log/exim_mainlog and see what messages went out. Your mail queue will also probably be full of messages backed up that bounced, etc.

    Once you have this you just get the ID of an email and grep it in the log.
     
  3. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
  4. cbwass

    cbwass Well-Known Member

    Joined:
    Mar 29, 2002
    Messages:
    148
    Likes Received:
    0
    Trophy Points:
    16
    You can find formmail using this:


    find /home/*/public_html/cgi-bin -name '*orm*ail.pl' > list.txt
     
  5. Metro2

    Metro2 Well-Known Member

    Joined:
    May 24, 2006
    Messages:
    376
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    USA
    cPanel Access Level:
    Root Administrator
    Thanks,

    I did find TONS of these all at the date/time of my exim crash in the /var/logs/exim_mainlog (X's replace my hostname and customer account name):

    2006-06-06 13:46:41 1FngZd-00051a-0A <= nobody@xxxxxx.xxxxxxxxxxxx.net U=nobody P=local S=8220

    2006-06-06 13:46:41 cwd=/home/xxxxxxx/public_html/resources/product_images 3 args: /usr/sbin/sendmail -t -i

    So now at least I can tell which customer account on the box got exploited.

    This customer has a type of photo gallery script (not a common one) and it of course has a built-in form for support mail etc., and from what I can tell the spammer is using that to exploit.

    Now the million dollar question - is there anything I can do to secure this problem? (outside of shutting down the customer's site, which I wish not to do as they're an innocent victim here).
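    The triage ramprage and Metro2 describe above (finding the "cwd=" lines exim writes for local sendmail invocations, then matching them to the messages injected by the web server user) can be automated over the whole exim_mainlog instead of read by eye. The script below is an added example and is not code from this thread or from cPanel; the log lines it parses are constructed to match the format Metro2 pasted, and the hostnames, account names, paths and message IDs in them are placeholders. It assumes exim's extended logging (the log_selector +arguments setting that produces the "cwd=" lines) is on, as ramprage notes.

```shell
#!/bin/sh
# Added example (not from the thread): locate the web script injecting spam by
# summarising exim_mainlog. Assumes extended logging so that each local sendmail
# call produces a "cwd=<dir> N args: /usr/sbin/sendmail -t -i" line.
# The sample log below is constructed; every name, path and ID is a placeholder.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2006-06-06 13:46:41 1FngZd-00051a-0A <= nobody@host.example.net U=nobody P=local S=8220
2006-06-06 13:46:41 cwd=/home/custa/public_html/resources/product_images 3 args: /usr/sbin/sendmail -t -i
2006-06-06 13:46:42 1FngZe-00051c-1B <= nobody@host.example.net U=nobody P=local S=8231
2006-06-06 13:46:42 cwd=/home/custa/public_html/resources/product_images 3 args: /usr/sbin/sendmail -t -i
2006-06-06 13:46:42 1FngZe-00051d-2C <= nobody@host.example.net U=nobody P=local S=8215
2006-06-06 13:46:42 cwd=/home/custa/public_html/resources/product_images 3 args: /usr/sbin/sendmail -t -i
2006-06-06 13:47:05 1FngaL-00052a-3D <= nobody@host.example.net U=nobody P=local S=1102
2006-06-06 13:47:05 cwd=/home/custb/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2006-06-06 13:47:30 1FngaM-00052b-4E <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2048
2006-06-06 13:47:30 cwd=/var/spool/exim 3 args: /usr/sbin/exim -q
EOF

# Count sendmail invocations per working directory, busiest directory first.
# The directory a script ran from is the strongest pointer to the abused form.
# (Field splitting assumes the cwd path contains no spaces.)
cwd_summary() {
  awk '$3 ~ /^cwd=/ && / args: .*sendmail/ { c[substr($3, 5)]++ }
       END { for (d in c) printf "%d %s\n", c[d], d }' "$1" | sort -rn
}

# Message IDs accepted from the web server user via the local pipe
# (U=nobody P=local): mail injected by scripts rather than by a mail client.
nobody_msg_ids() {
  awk '$4 == "<=" && $6 == "U=nobody" && $7 == "P=local" { print $3 }' "$1"
}

# Message IDs of nobody-injected mail logged in the same second as a sendmail
# call from the given directory. Two passes over the file so the order of the
# "<=" and "cwd=" lines does not matter; the IDs can then be grepped in the log
# or inspected in the queue.
ids_for_cwd() {
  awk -v dir="$2" '
    NR == FNR { if ($3 ~ /^cwd=/ && substr($3, 5) == dir) seen[$1 " " $2] = 1; next }
    $4 == "<=" && $6 == "U=nobody" && (($1 " " $2) in seen) { print $3 }
  ' "$1" "$1"
}

echo "== sendmail invocations per working directory =="
cwd_summary "$SAMPLE_LOG"
echo "== message IDs injected by user nobody =="
nobody_msg_ids "$SAMPLE_LOG"
echo "== IDs tied to the busiest directory =="
ids_for_cwd "$SAMPLE_LOG" /home/custa/public_html/resources/product_images
```

On a live server, point the functions at /var/log/exim_mainlog (or a copy of it) instead of the sample; the summary gives the customer directory to review, and the IDs from ids_for_cwd are what ramprage suggests grepping so you can see the recipients and confirm which form is being abused.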
     
  6. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Review the mail scripts in the directory here:
    /home/xxxxxxx/public_html/resources/product_images

    Write mod_security rules for it, or have the programmer modify their script.
     