Hope the people of this list will find this information useful. We had a new spam attack this morning: our sendmail was flooded with emails marked with the origin of apache. However, there was no PHP script related at the time of the spam deliveries.
The culprit was a cron job executed from /tmp that inserted several hundred emails into /var/spool/clientmqueue.

To find it, we were able to see a cron job being run by the apache user with ps aux | grep apache. After that we searched /var/log/cron for traces of apache usage and were pointed to the /tmp/session_xxxx file. From that file we got a date and time, which we looked up in the /var/log/httpd/access_log file, and found the culprit: an FTP user gave away the password and allowed an attacker to upload such a file.

This is a 5106 Virtual Server. However, I think the apache user shouldn't be able to install cron files.

To prevent the spam attack using cron, we recommend this setting: add apache to the file /etc/cron.deny so apache won't be allowed to use cron, even if an attacker is able to obtain a valid user from your system.

Regards
Rodrigo O
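The triage and the cron.deny check described in the message above, as an added example that is not part of the original post. The function names, the sample log lines (hostname, PIDs, times) and the default file paths are assumptions; the log layout assumed is the usual syslog format written to /var/log/cron.

```shell
#!/bin/sh
# Added example: review cron activity by a service account and verify cron.deny.

# Constructed sample of /var/log/cron; only /tmp/session_xxxx comes from the post.
sample_cron_log() {
cat <<'EOF'
Mar  3 06:09:12 web1 crontab[12340]: (apache) REPLACE (apache)
Mar  3 06:10:01 web1 CROND[12345]: (apache) CMD (/tmp/session_xxxx)
Mar  3 06:10:01 web1 CROND[12346]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Mar  3 06:11:01 web1 CROND[12360]: (apache) CMD (/tmp/session_xxxx)
EOF
}

# cron_activity USER: read a cron log on stdin and print crontab installs
# (REPLACE) and job executions (CMD) logged for USER.
cron_activity() {
    awk -v u="($1)" '$6 == u && ($7 == "CMD" || $7 == "REPLACE")'
}

# jobs_from_tmp USER: only the job executions whose command line references
# a world-writable directory, which a service account should never run from.
jobs_from_tmp() {
    awk -v u="($1)" '$6 == u && $7 == "CMD" &&
        $0 ~ /CMD \(.*(\/tmp\/|\/var\/tmp\/|\/dev\/shm\/)/'
}

# cron_access USER [DENY_FILE] [ALLOW_FILE]: print "denied" or "allowed".
# crontab(1) rule: if cron.allow exists, only users listed there may use
# crontab and cron.deny is ignored; otherwise cron.deny is consulted.
cron_access() {
    user=$1; deny=${2:-/etc/cron.deny}; allow=${3:-/etc/cron.allow}
    if [ -f "$allow" ]; then
        grep -qxF -- "$user" "$allow" && echo allowed || echo denied
    elif [ -f "$deny" ]; then
        grep -qxF -- "$user" "$deny" && echo denied || echo allowed
    else
        echo unknown   # neither file present: behaviour depends on the cron build
    fi
}

# Demo on the constructed sample; on a live host use:
#   jobs_from_tmp apache < /var/log/cron ; cron_access apache
sample_cron_log | jobs_from_tmp apache
```

Denying crontab access does not by itself remove a crontab that was already installed, so also check the cron spool directory for a leftover file belonging to that user.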
