Possible to track down an exploited formmail script?

[Metro2]

Sometime this afternoon exim crashed briefly due to getting slammed with over a thousand spam messages at once. It would appear that someone has found an exploitable formmail script (or other php script) and used it to send spam.

Is there any way for me to track down where the security breach happened and what script on the server was exploited?

I'm running:
WHM 10.8.0 cPanel 10.8.2-R119
RedHat Enterprise 3 i686 - WHM X v3.1.0
PHP 4.4.2
mod_security 1.9.3
Mailscanner 2.38

Thanks for any advice!

 

[ramprage]

Yes, as long as you have exim extended logging enabled. Check your /var/log/exim_mainlog and see what messages went out. Your mail queue will also probably be full of messages backed up that bounced, etc.

Once you have this you just get the ID of an email and grep it in the log.

 

[Metro2]

Thank you for the response. I'm not extremely comman-line savvy, so I'm currently studying http://www.pegasus.rutgers.edu/~elflord/unix/grep.html to see if I can teach myself what you mean.

 

[cbwass]

You can find formmail using this:


find /home/*/public_html/cgi-bin -name '*orm*ail.pl' > list.txt

 

[Metro2]

Thanks,

I did find TONS of these all at the date/time of my exim crash in the /var/logs/exim_mainlog (X's replace my hostname and customer account name):

2006-06-06 13:46:41 1FngZd-00051a-0A <= [email protected] U=nobody P=local S=8220

2006-06-06 13:46:41 cwd=/home/xxxxxxx/public_html/resources/product_images 3 args: /usr/sbin/sendmail -t -i

So now at least I can tell which customer account on the box got exploited.

This customer has a type of photo gallery script (not a common one) and it of course has a built-in form for support mail etc... and from what I can tell the spammer is using that to exploit.

Now the million dollar question - is there anything I can do to secure this problem? (outside of shutting down the customer's site, which I wish not to do as they're an innocent victim here).

 

[ramprage]

Review the mail scripts in the directory here:
/home/xxxxxxx/public_html/resources/product_images

write mod_security rules for it or have the programmer modify their script.