Security Incidents mailing list archives
Re: How to determine which PHP-script allows spamming?
From: Andre Yelistratov <andre () sundale net>
Date: Sun, 26 Feb 2006 14:36:27 +0300
I would write a simple Perl wrapper around /usr/sbin/sendmail. It should distinguish between calling scripts and count the speed of calls. If a script exceeds a certain threshold, put the letter in some spool for further analysis.
Rainer Duffner wrote:
Hello,
I have a big problem. Some customer probably got a PHP script installed that allows sending out mails with no trace to the original domain it belongs to (we had this before, where pollvote.php was used to install some kind of web-shell - but it was easily detectable which domain it was).
The problem is that I have close to 10000 domains on my cluster.
I tried to correlate httpd-logs with the maillogs, but it didn't lead to anything useful. I'm currently grep'ing the whole content for some of the email addresses used, but I'm pessimistic - it may be that the spammer loads even that list from remote - and it takes a lot of time to grep 400 GB.
What options do I have? Can Snort detect this? (The webserver uses qmail as MTA)
cheers,
Rainer
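One way to build the wrapper described in the reply above, as an added example that is not part of the original posts and is written in Python rather than the Perl mentioned. Assumptions: the real binary has been renamed to the hypothetical `/usr/sbin/sendmail.real`, the spool paths and the 20-per-60-seconds threshold are made up, and the caller is identified by uid plus working directory, which only separates customers if PHP runs under per-customer uids or from the script's own directory.

```python
#!/usr/bin/env python3
"""Rate-limiting stand-in for /usr/sbin/sendmail (added example, not from the thread)."""
import fcntl, hashlib, os, subprocess, sys, time

REAL_SENDMAIL = "/usr/sbin/sendmail.real"        # assumption: original binary renamed
STATE_DIR = "/var/spool/mailwrap/state"          # assumption: hypothetical path
QUARANTINE_DIR = "/var/spool/mailwrap/quarantine"  # assumption: hypothetical path
LIMIT, WINDOW = 20, 60                           # assumption: 20 mails per 60 s per caller

def caller_key(uid, cwd):
    """Identify the caller by uid and working directory (assumed to map to one site)."""
    return f"{uid}:{cwd}"

def over_limit(key, now, state_dir=STATE_DIR, limit=LIMIT, window=WINDOW):
    """Record one call for key; True once more than limit calls fall inside window."""
    os.makedirs(state_dir, exist_ok=True)
    path = os.path.join(state_dir, hashlib.sha256(key.encode()).hexdigest())
    with open(path, "a+") as f:
        fcntl.flock(f, fcntl.LOCK_EX)            # concurrent PHP workers share this file
        f.seek(0)
        stamps = [float(s) for s in f.read().split() if now - float(s) < window]
        stamps.append(now)
        f.seek(0)
        f.truncate()
        f.write("\n".join(map(str, stamps)))
    return len(stamps) > limit

def handle(message, argv, key, now, state_dir=STATE_DIR,
           quarantine_dir=QUARANTINE_DIR, limit=LIMIT, window=WINDOW):
    """Return ("deliver", None), or ("quarantine", path) after spooling the message."""
    if not over_limit(key, now, state_dir, limit, window):
        return "deliver", None
    os.makedirs(quarantine_dir, exist_ok=True)
    path = os.path.join(quarantine_dir, f"{now:.6f}-{os.getpid()}.eml")
    with open(path, "wb") as f:
        # Prepend who called us and how, so the spool can be analysed later.
        f.write(f"X-Wrapper-Caller: {key!r}\nX-Wrapper-Args: {argv!r}\n".encode())
        f.write(message)
    return "quarantine", path

def main():
    message = sys.stdin.buffer.read()
    key = caller_key(os.getuid(), os.getcwd())
    action, _ = handle(message, sys.argv[1:], key, time.time())
    if action == "deliver":                      # hand the unchanged message to the real MTA
        sys.exit(subprocess.run([REAL_SENDMAIL, *sys.argv[1:]], input=message).returncode)

if __name__ == "__main__":
    main()
```

Quarantined messages keep the caller key in their first header line, so counting spool files per key points at the site whose script is sending.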