Security Incidents mailing list archives
R: How to determine which PHP-script allows spamming?
From: "Sebastian \"En3pY\" Zdrojewski" <en3py () itvc net>
Date: Mon, 27 Feb 2006 19:43:32 +0100
You might enable the safe_mode of PHP and disable the mail() function of PHP to avoid its usage.

Sincerely

En3pY

Sebastian Konstanty Zdrojewski
________________________________
URL: http://www.en3py.net/
E-Mail: en3py () itvc net
________________________________
The information contained in this message is private and confidential. Its use is permitted exclusively to the recipient of the message, for the purposes indicated in the message itself. If you are not the person for whom this message is intended, I ask you to delete it from your system and to destroy any copies or printouts, kindly notifying me. Any improper use is contrary to the principles of D.lgs 196/03 and to European legislation (Directive 2002/58/EC).

-----Original Message-----
From: Rainer Duffner [mailto:rainer () ultra-secure de]
Sent: Friday, 24 February 2006 12:24
To: incidents () securityfocus com
Subject: How to determine which PHP-script allows spamming?

Hello,

I have a big problem. Some customer probably got a PHP-script installed that allows sending out mails with no trace to the original domain it belongs to (we had this before, where pollvote.php was used to install some kind of web-shell - but it was easily detectable which domain it was).

The problem is that I have close to 10000 domains on my cluster. I tried to correlate httpd-logs with the maillogs, but it didn't lead to anything useful. I'm currently grep'ing the whole content for some of the email-addresses used, but I'm pessimistic - it may be that the spammer loads even that list from remote - and it takes a lot of time to grep 400 GB.

What options do I have? Can Snort detect this? (The webserver uses qmail as MTA)

cheers,
Rainer

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 268.0.0/268 - Release Date: 23/02/2006

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 268.1.0/269 - Release Date: 24/02/2006
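One way to do the httpd-log/mail-log correlation mentioned in the quoted question, as an added example that is not code from any poster in this thread: it credits every POSTed .php script that was requested within a few seconds before qmail queued a message from the web server's uid, and ranks the scripts by how often that happens. Assumptions: the access log is vhost-prefixed, the qmail log has been passed through tai64nlocal, both logs share a timezone, the web server runs as uid 80, and all host names, paths and log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Access log format is assumed
# to be Apache's '%v %h %l %u %t "%r" %>s %b' (virtual host name first).
ACCESS_LOG = """\
shop.example 198.51.100.7 - - [24/Feb/2006:12:01:02 +0100] "POST /forum/sendform.php HTTP/1.1" 200 512
blog.example 203.0.113.9 - - [24/Feb/2006:12:01:02 +0100] "GET /index.php HTTP/1.1" 200 9000
news.example 203.0.113.20 - - [24/Feb/2006:12:03:09 +0100] "POST /contact.php HTTP/1.1" 200 300
shop.example 198.51.100.7 - - [24/Feb/2006:12:03:10 +0100] "POST /forum/sendform.php HTTP/1.1" 200 512
shop.example 198.51.100.7 - - [24/Feb/2006:12:05:30 +0100] "POST /forum/sendform.php HTTP/1.1" 200 512
"""
# qmail-send log after tai64nlocal; uid 80 is assumed to be the web server user.
QMAIL_LOG = """\
2006-02-24 12:01:03.100000500 info msg 4711: bytes 2100 from <nobody@web01.example> qp 901 uid 80
2006-02-24 12:02:00.100000500 info msg 4712: bytes 900 from <alice@blog.example> qp 905 uid 501
2006-02-24 12:03:11.200000500 info msg 4713: bytes 2100 from <nobody@web01.example> qp 910 uid 80
2006-02-24 12:05:31.300000500 info msg 4714: bytes 2100 from <nobody@web01.example> qp 915 uid 80
"""

REQ = re.compile(r'^(\S+) \S+ \S+ \S+ \[([^\] ]+) [^\]]+\] "POST (\S+\.php)\S* ')
MSG = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ info msg \d+: .* uid (\d+)$')

def rank_scripts(access_log, qmail_log, web_uid=80, window=3):
    """Return [((vhost, script), hits), ...] sorted by hits, highest first."""
    posts = []
    for line in access_log.splitlines():
        m = REQ.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
            posts.append((ts, m.group(1), m.group(3)))
    hits = Counter()
    for line in qmail_log.splitlines():
        m = MSG.match(line)
        if not m or int(m.group(2)) != web_uid:
            continue  # not a queue entry, or not injected by the web server user
        sent = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        # Credit each distinct script requested in the window before queueing.
        hits.update({(v, s) for ts, v, s in posts
                     if timedelta(0) <= sent - ts <= timedelta(seconds=window)})
    return hits.most_common()

if __name__ == "__main__":
    for (vhost, script), n in rank_scripts(ACCESS_LOG, QMAIL_LOG):
        print(f"{n:4d}  {vhost}{script}")
```

A script that coincides with one message is noise on a busy cluster; the ranking only yields candidates to inspect, and it misses scripts triggered by GET requests.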
Current thread:
- How to determine which PHP-script allows spamming? Rainer Duffner (Feb 24)
- Re: How to determine which PHP-script allows spamming? Alex (Feb 25)
- Re: How to determine which PHP-script allows spamming? Andre Yelistratov (Feb 26)
- R: How to determine which PHP-script allows spamming? Sebastian "En3pY" Zdrojewski (Feb 27)
- Re: R: How to determine which PHP-script allows spamming? Mike Owen (Feb 27)
- <Possible follow-ups>
- Re: Re: How to determine which PHP-script allows spamming? tyler (Feb 27)