
Seems to be another PHP exploit

Discussion in 'General Discussion' started by neo4242002, Dec 7, 2005.

  1. neo4242002

    neo4242002 Well-Known Member

    Code:
    Return-path: <nobody@host.domain.xxx>
    Received: from nobody by host.domain.xxx with local (Exim 4.52)
    	id 1EjjFv-0001y6-JS; Tue, 06 Dec 2005 20:17:43 +0000
    To: [email]user@domain.xxx[/email]
    Subject: Someting
    From: [email]has@host.domain.xxx[/email]
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: green meadows uninterruptedly reaches our ear the ringing
    Message-Id: <E1EjjFv-0001y6-JS@host.domain.xxx>
    Date: Tue, 01 Dec 2005 20:17:43 +0000
    
    98c3a8abd71200a27d06c58efdfeb46c
    .
    
    X-Mailer: PHP/4.4.0
    
    The following message was sent via the my client website:
    
    ===================
    CONTACT DETAILS
    
    Name:  
    E-mail: has
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Subject: green meadows uninterruptedly reaches our ear the ringing
    bcc: [email]remortuser@host.domain.xxx[/email]
    
    98c3a8abd71200a27d06c58efdfeb46c
    .
     
    Phone:  
    Preferred Reply Method:  
    
    ===================
    MESSAGE
    I have seen a lot of emails like the above from one of my client's PHP scripts.

    1) Is anyone familiar with it?
    2) How do I fix it?
    3) How do I check whether others have the same vulnerability? :confused:
     
  2. nickp666

    nickp666 Well-Known Member

    I would recommend using phpsuexec unless you have reason not to; this will help you track down who it is.
     
  3. neo4242002

    neo4242002 Well-Known Member

    I am running shared hosting with Fantastico enabled... phpsuexec brings more trouble on me .. so that's not an option right now :confused:
     
  4. nickp666

    nickp666 Well-Known Member

    Paste E1EjjFv-0001y6-JS into the mail troubleshooter in WHM. It might help, although it might not: because your scripts are sending mail as nobody, you might just get your server's host name appearing in there.

    If that doesn't show anything useful, then you will have to manually search through your home partition with grep for the mail() command in PHP. A lot of manual work, though.
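
Added example (not part of any post in this thread, and not cPanel code): the captured message in the first post shows header lines (Content-Type, Subject, bcc) inside the form's E-mail field and a second Subject header, the pattern left when a form field containing line breaks is passed into the headers of PHP's mail(). The Python sketch below flags both signs in a raw message; the function name, the header lists and the sample message are assumptions constructed for illustration.

```python
import re

# Headers that should occur at most once in a well-formed message.
SINGLETON = {"subject", "from", "to", "date", "message-id",
             "mime-version", "content-type", "content-transfer-encoding"}
HEADER = re.compile(r"^([A-Za-z0-9-]+):")
# Header names that should not start a line inside a contact-form body.
IN_BODY = re.compile(
    r"^(bcc|cc|to|subject|content-type|mime-version|content-transfer-encoding):",
    re.I)

def find_injection(raw):
    """Return (line_no, kind, header_name) findings for one raw message."""
    findings, seen, in_body = [], set(), False
    for no, line in enumerate(raw.replace("\r\n", "\n").split("\n"), 1):
        if in_body:
            m = IN_BODY.match(line.strip())
            if m:
                findings.append((no, "header-in-body", m.group(1).lower()))
        elif line.strip() == "":
            in_body = True              # first blank line ends the header block
        elif line[0] not in " \t":      # skip folded continuation lines
            m = HEADER.match(line)
            if m:
                name = m.group(1).lower()
                if name in SINGLETON and name in seen:
                    findings.append((no, "duplicate-header", name))
                seen.add(name)
    return findings

# Constructed sample modelled on the first post; addresses are placeholders.
SAMPLE = """\
To: user@example.invalid
Subject: Something
From: has
Content-Type: text/plain; charset="us-ascii"
Subject: green meadows
Message-Id: <constructed@example.invalid>

Name:
E-mail: has
Content-Type: text/plain; charset="us-ascii"
bcc: someone@example.invalid
"""

if __name__ == "__main__":
    for finding in find_injection(SAMPLE):
        print(finding)
```

Treat hits as triage rather than proof: a legitimate message that quotes headers in its body (a forwarded mail, for instance) also produces `header-in-body` findings.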
     