Possible to track down an exploited formmail script?

Metro2

Sometime this afternoon exim crashed briefly due to getting slammed with over a thousand spam messages at once. It would appear that someone has found an exploitable formmail script (or other php script) and used it to send spam.

Is there any way for me to track down where the security breach happened and what script on the server was exploited?

I'm running:
WHM 10.8.0 cPanel 10.8.2-R119
RedHat Enterprise 3 i686 - WHM X v3.1.0
PHP 4.4.2
mod_security 1.9.3
Mailscanner 2.38

Thanks for any advice!
 

ramprage

Yes, as long as you have exim extended logging enabled. Check your /var/log/exim_mainlog and see what messages went out. Your mail queue will also probably be full of messages backed up that bounced, etc.

Once you have this you just get the ID of an email and grep it in the log.
 

cbwass

You can find formmail using this:


find /home/*/public_html/cgi-bin -name '*orm*ail.pl' > list.txt
 

Metro2

Thanks,

I did find TONS of these all at the date/time of my exim crash in the /var/logs/exim_mainlog (X's replace my hostname and customer account name):

2006-06-06 13:46:41 1FngZd-00051a-0A <= [email protected] U=nobody P=local S=8220

2006-06-06 13:46:41 cwd=/home/xxxxxxx/public_html/resources/product_images 3 args: /usr/sbin/sendmail -t -i

So now at least I can tell which customer account on the box got exploited.

This customer has a type of photo gallery script (not a common one), and it of course has a built-in form for support mail etc., and from what I can tell the spammer is using that to exploit it.

Now the million dollar question - is there anything I can do to secure this problem? (outside of shutting down the customer's site, which I wish not to do as they're an innocent victim here).
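The grep-the-log approach from the earlier reply, written out as a small parser. This is an added example, not code from the thread: it pairs each local "<=" line with the adjacent cwd/args line and counts sendmail submissions made as the web server user per directory, so the directory with the highest count is the script to look at. It assumes Exim's arguments logging is on (the cwd/args lines appear in the log); the sample log lines, hostnames and account names are constructed.

```python
import re
from collections import Counter

# Constructed sample in the exim_mainlog format quoted in the thread (hostnames
# and account names are made up); the first pair is in the order shown above,
# the others in Exim's usual order (cwd/args line logged before the "<=" line).
SAMPLE_LOG = """\
2006-06-06 13:46:41 1FngZd-00051a-0A <= nobody@host.example U=nobody P=local S=8220
2006-06-06 13:46:41 cwd=/home/acct1/public_html/resources/product_images 3 args: /usr/sbin/sendmail -t -i
2006-06-06 13:46:41 cwd=/home/acct1/public_html/resources/product_images 3 args: /usr/sbin/sendmail -t -i
2006-06-06 13:46:41 1FngZd-00051b-1B <= nobody@host.example U=nobody P=local S=8190
2006-06-06 13:50:03 cwd=/home/acct2/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2006-06-06 13:50:03 1FngdH-00052d-3D <= nobody@host.example U=nobody P=local S=1240
2006-06-06 13:51:10 1FngeO-00053e-4E <= alice@host.example U=alice P=local S=1200
2006-06-06 13:51:10 cwd=/home/alice 3 args: /usr/sbin/sendmail -t -i
2006-06-06 13:52:00 1FngfP-00054f-5F <= bob@example.org H=mail.example.org [192.0.2.10] P=esmtp S=2048
"""
RECEIVED_RE = re.compile(r"^\S+ \S+ \S+ <= \S+ U=(\S+) P=local ")
CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: (\S+)")

def web_submissions_by_cwd(log_text, web_user="nobody"):
    """Count local sendmail submissions made as the web server user, grouped by
    the working directory Exim logged for the call (needs arguments logging)."""
    counts = Counter()
    pending_user = None  # user of a "<=" line still waiting for its cwd line
    pending_cwd = None   # cwd of a cwd line still waiting for its "<=" line
    for line in log_text.splitlines():
        rcv, cwd = RECEIVED_RE.match(line), CWD_RE.match(line)
        if rcv:
            if pending_cwd is not None:          # cwd line came first
                if rcv.group(1) == web_user:
                    counts[pending_cwd] += 1
                pending_cwd = None
            else:
                pending_user = rcv.group(1)
        elif cwd and cwd.group(2).endswith("sendmail"):
            if pending_user is not None:         # "<=" line came first
                if pending_user == web_user:
                    counts[cwd.group(1)] += 1
                pending_user = None
            else:
                pending_cwd = cwd.group(1)
        else:                                    # anything else ends the pairing
            pending_user = pending_cwd = None
    return counts

if __name__ == "__main__":
    for directory, n in web_submissions_by_cwd(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {directory}")
```

Run it against the real file (read /var/log/exim_mainlog into `log_text`) and restrict the input to the minutes around the crash if the log is large; remote SMTP deliveries and mail sent by normal shell users are ignored, so only web-submitted mail is ranked.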
 

ramprage

Review the mail scripts in the directory here:
/home/xxxxxxx/public_html/resources/product_images

Write mod_security rules for it, or have the programmer modify their script.