Security Incidents mailing list archives

How to determine which PHP-script allows spamming?


From: Rainer Duffner <rainer () ultra-secure de>
Date: Fri, 24 Feb 2006 12:23:47 +0100

Hello,

I have a big problem. Some customer probably got a PHP-script installed that allows sending out mails with no trace to the original domain it belongs to (we had this before, where pollvote.php was used to install some kind of web-shell - but it was easily detectable which domain it was).

The problem is that I have close to 10000 domains on my cluster.
I tried to correlate httpd-logs with the maillogs, but it didn't lead to anything useful. I'm currently grepping the whole content for some of the email-addresses used, but I'm pessimistic - it may be that the spammer loads even that list from remote - and it takes a lot of time to grep 400 GB.


What options do I have?
Can Snort detect this?

(The webserver uses qmail as MTA)



cheers,
Rainer
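One way to make the httpd-to-maillog correlation the poster tried actually yield a short list of suspects, as an added example that is not part of the original post or any reply to it. qmail-send logs every injected message as an "info msg N: bytes B from <sender> qp Q uid U" line, and the uid is the local user that ran qmail-inject, so on a cluster where PHP runs under a per-customer uid (suexec, per-vhost php-cgi) that field alone narrows 10000 domains to one account. Where PHP runs as a single web server uid, the timing window below is the remaining handle: Apache's %t is the time the request was received, so the script that injected the mail must have a request logged at or shortly before the injection timestamp. The log lines, host names, uids and the per-vhost log format are all constructed for the example; it assumes the qmail log has already been run through tai64nlocal and that both logs are in the same local time.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the original post). Apache "combined" lines
# prefixed with the virtual host name, as a per-vhost LogFormat would emit.
HTTPD_LOG = """\
shop.example.net 203.0.113.7 - - [24/Feb/2006:11:20:00 +0100] "POST /images/x.php HTTP/1.0" 200 15 "-" "Mozilla/4.0"
blog.example.org 198.51.100.4 - - [24/Feb/2006:11:20:02 +0100] "GET /index.php HTTP/1.1" 200 8122 "-" "Mozilla/5.0"
shop.example.net 203.0.113.7 - - [24/Feb/2006:11:20:31 +0100] "POST /images/x.php HTTP/1.0" 200 15 "-" "Mozilla/4.0"
shop.example.net 203.0.113.7 - - [24/Feb/2006:11:21:05 +0100] "POST /images/x.php HTTP/1.0" 200 15 "-" "Mozilla/4.0"
news.example.com 192.0.2.9 - - [24/Feb/2006:11:25:00 +0100] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed qmail-send log after tai64nlocal (assumption: same local time as httpd).
# The "uid" on each "info msg" line is the local user that injected the message.
QMAIL_LOG = """\
2006-02-24 11:20:01.412511500 new msg 9001
2006-02-24 11:20:01.412901500 info msg 9001: bytes 1562 from <www-data@web1.example.net> qp 8123 uid 1001
2006-02-24 11:20:32.100000500 new msg 9002
2006-02-24 11:20:32.100400500 info msg 9002: bytes 1570 from <www-data@web1.example.net> qp 8130 uid 1001
2006-02-24 11:21:06.300000500 new msg 9003
2006-02-24 11:21:06.300400500 info msg 9003: bytes 1559 from <www-data@web1.example.net> qp 8140 uid 1001
2006-02-24 11:25:01.000000500 new msg 9004
2006-02-24 11:25:01.000400500 info msg 9004: bytes 900 from <www-data@web1.example.net> qp 8150 uid 1002
"""

HTTPD_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)
QMAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ info msg (?P<msg>\d+): '
    r'bytes \d+ from <(?P<sender>[^>]*)> qp \d+ uid (?P<uid>\d+)'
)


def parse_httpd(text):
    """Return sorted (timestamp, vhost, script path) for every request to a .php file."""
    reqs = []
    for line in text.splitlines():
        m = HTTPD_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.endswith(".php"):
            continue
        # Drop the zone after parsing; we assume both logs are in local time.
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        reqs.append((ts, m.group("vhost"), path))
    reqs.sort()
    return reqs


def parse_qmail(text):
    """Return (timestamp, injecting uid) for every message qmail-send accepted."""
    inj = []
    for line in text.splitlines():
        m = QMAIL_RE.match(line)
        if m:
            inj.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("uid")))
    return inj


def injecting_uids(qmail_text):
    """Messages per injecting uid: the cheapest first cut when PHP runs per-customer."""
    return Counter(uid for _, uid in parse_qmail(qmail_text))


def correlate(httpd_text, qmail_text, window_seconds=5):
    """Count, per (vhost, script, uid), how many injections had that script requested
    within window_seconds before the injection. Apache's %t is request start time,
    so a script that sends mail is logged at or before the qmail-send timestamp."""
    reqs = parse_httpd(httpd_text)
    hits = Counter()
    for inj_ts, uid in parse_qmail(qmail_text):
        lo = inj_ts - timedelta(seconds=window_seconds)
        for ts, vhost, path in reqs:
            if lo <= ts <= inj_ts:
                hits[(vhost, path, uid)] += 1
    return hits.most_common()


if __name__ == "__main__":
    print("injections per uid:", dict(injecting_uids(QMAIL_LOG)))
    for (vhost, path, uid), n in correlate(HTTPD_LOG, QMAIL_LOG):
        print(f"{n:4d}  uid {uid}  {vhost}{path}")
```

On the constructed data the ranking puts shop.example.net/images/x.php (uid 1001) first with three matches, and the legitimate contact form on news.example.com last with one; a script that nearly every injection lines up with, especially one sitting in an upload or images directory and always hit from the same client address, is the one to inspect. The inner loop is quadratic, which is fine for a day's worth of a suspected vhost but for 400 GB of logs the two parsers should stream and the requests be searched with bisect over the sorted list.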


