R: [courier-users] Re: Hack attempt?

2002-07-12 Thread Massimo Cereda
-Original Message- From: Jesse Keating [mailto:[EMAIL PROTECTED]] Sent: Friday, 12 July 2002 0.57 To: [EMAIL PROTECTED] Subject: Re: [courier-users] Re: Hack attempt? On Thu, 11 Jul 2002 18:54:52 -0400 Sam Varshavchik [EMAIL PROTECTED] wrote: #No. Mail from sqwebmail

Re: R: [courier-users] Re: Hack attempt?

2002-07-12 Thread Jesse Keating
On Fri, 12 Jul 2002 09:24:43 +0200 Massimo Cereda [EMAIL PROTECTED] wrote: # #Have you looked in Apache logs? Having followed the advice of others, and you, I've tracked this problem down to a php script that a user of mine has in their web directory. I have brought up the matter with the user.

[courier-users] Re: Hack attempt?

2002-07-11 Thread Sam Varshavchik
Jesse Keating writes: [message/delivery-status (337 bytes)] Reporting-MTA: dns; mail.j2solutions.net Arrival-Date: Thu, 11 Jul 2002 07:00:32 -0700 Received-From-MTA: dns; localhost (localhost [127.0.0.1]) Final-Recipient: rfc822; [EMAIL PROTECTED] Action: failed Status: 5.0.0

Re: [courier-users] Re: Hack attempt?

2002-07-11 Thread Jesse Keating
On Thu, 11 Jul 2002 17:41:43 -0400 Sam Varshavchik [EMAIL PROTECTED] wrote: #The original message was sent by whoever logs in as uid 48. # #Anybody can put anything they want in the From: header, or use any return #address. UID 48 belongs to apache... Do messages sent via sqwebmail get that

Re: [courier-users] Re: Hack attempt?

2002-07-11 Thread Jesse Keating
On Thu, 11 Jul 2002 18:54:52 -0400 Sam Varshavchik [EMAIL PROTECTED] wrote: #No. Mail from sqwebmail originates under whatever uid the mail account #uses. Yeah, so, any other idea on how this could be happening? Perhaps there is an exploit in apache that lets them send mail? I'm somewhat

[courier-users] Re: Hack attempt?

2002-07-11 Thread Sam Varshavchik
Jesse Keating writes: On Thu, 11 Jul 2002 18:54:52 -0400 Sam Varshavchik [EMAIL PROTECTED] wrote: #No. Mail from sqwebmail originates under whatever uid the mail account #uses. Yeah, so, any other idea on how this could be happening? Perhaps there is an exploit in apache that

[courier-users] Re: Hack attempt?

2002-07-11 Thread Bill Williamson
Jesse Keating writes: UID 48 belongs to apache... Do messages sent via sqwebmail get that UID attached to them? The reason I ask, the contents of the original email don't match anything that would have been sent via apache. YOU ARE COMPROMISED from http://uptime.netcraft.com/up/graph/

Re: [courier-users] Re: Hack attempt?

2002-07-11 Thread Jesse Keating
On Thu, 11 Jul 2002 20:01:28 -0500 Bill Williamson [EMAIL PROTECTED] wrote: # #YOU ARE COMPROMISED # #from http://uptime.netcraft.com/up/graph/ scan of your server # - #The site www.j2solutions.net is running Apache/1.3.22 (Unix) (Red-Hat/Linux) # - # #from