I know this is way off topic, but there are a lot of really smart people
on this list so I'm hoping to get some ideas here. I've got a web
server that has some kind of formmail-esque script that is being
horribly abused but I can't find it. The server (shut down qmail-send
on it for now) is
Sent from the wrong address so it didn't make it to the list..
On Tue, 27 Sep 2005, Mike Garrison wrote:
Hi Clayton,
I can tell you what's going on. It's a fairly new exploit that spammers are
starting to highly utilize. There are a few ways this occurs:
1) the form does not check for \n or
On Sep 27, 2005, at 9:52 AM, Clayton Weise wrote:
I know this is way off topic, but there are a lot of really smart
people
on this list so I'm hoping to get some ideas here. I've got a web
server that has some kind of formmail-esque script that is being
horribly abused but I can't find it.
Run it once, and dump to a file. Run it again a few minutes later and
dump to a file. Do a diff -u on the file and you'll only see sites
getting hits.
Tried something similar but the interesting thing is that it isn't
getting a lot of hits but the messages that go out have a TON of
On Tue, 27 Sep 2005 09:52:39 -0700
Clayton Weise [EMAIL PROTECTED] wrote:
I know this is way off topic, but there are a lot of really smart
people on this list so I'm hoping to get some ideas here. I've got a
web server that has some kind of formmail-esque script that is being
horribly
Clayton Weise wrote:
Run it once, and dump to a file. Run it again a few minutes later
and dump to a file. Do a diff -u on the file and you'll only see
sites getting hits.
Tried something similar but the interesting thing is that it isn't
getting a lot of hits but the messages that go out
Bingo, that one did the trick. I didn't realize that qmail's sendmail
binary was calling on qmail-inject. After putting that wrapper in place
I was able to find some old cgi script that was being exploited and have
now disabled it. Again, thanks so much. This actually allowed me to
fix another
On 2005-09-26, at 0105, rafael marcos bernardes wrote:
I'm using freebsd 4.11+vpopmail 5.4.10+qmail 1.03[qmailqueue.patch
and auth-jms1.4a.patch]. ...
the 4a patch is beyond ancient (the jms1 in the filename is me.)
you REALLY need to use something more recent. this web page describes
the