Hi

On Wed, 2008-07-30 at 20:46 -0400, Grant Peel wrote:
> I am thinking a script on one of my servers has a security hole in it. A few
> days ago, the server started sending out huge amounts of spam. I am yet to
> find the culprit.

I already emailed the Apache users list about this with an example of how to slice'n'dice the Apache access logs to find likely culprits, but here's a bit more information...

> In the mean time, I am seeing thousands of mailq entries like:
>
> 2008-07-30 18:33:50 1KOKEw-000DG6-77 <= [EMAIL PROTECTED] U=www P=local
> S=2625 T="God Has Chosen You" from <[EMAIL PROTECTED]> for
> [EMAIL PROTECTED]

That does rather imply that Apache has either one or both of CGI and PHP running as a module. I take it you're not using suEXEC (or one of the many similar wrappers like suPHP) to ensure accountability over whose scripts are being run?

> I am thinking that I would like to temporarily disable apache's sending of
> email (from FormMail scripts), until I can track down the offending script.
>
> Is there a way I can do it in Exim's configure?

Phil's already given you one way of doing it. That was a nice, elegant method - an alternative is simply to remove the execute bit from the exim binary for everyone (chmod 0750 /usr/sbin/exim), but that's a bit blunt since it affects everyone on the machine.

Graeme

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
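One way to narrow down the offending script, as an added example that is not part of the original message: take the times of Exim `<=` lines submitted locally by the web server user (`U=www P=local`) and rank the Apache requests that arrived just before them. The log lines, addresses, script paths and function names are constructed for illustration; it assumes common log format and that both logs use the same local time zone.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample logs (not taken from the thread).
EXIM_LOG = """\
2008-07-30 18:33:50 1KOKEw-000DG6-77 <= www@host.example U=www P=local S=2625 T="God Has Chosen You"
2008-07-30 18:33:52 1KOKEy-000DG9-1a <= www@host.example U=www P=local S=2631 T="God Has Chosen You"
2008-07-30 18:34:10 1KOKFG-000DGC-3b <= alice@host.example U=alice P=local S=812 T="cron report"
"""
ACCESS_LOG = """\
203.0.113.5 - - [30/Jul/2008:18:33:49 -0400] "POST /cgi-bin/contact.pl HTTP/1.0" 200 512
203.0.113.5 - - [30/Jul/2008:18:33:51 -0400] "POST /cgi-bin/contact.pl?x=1 HTTP/1.0" 200 512
198.51.100.9 - - [30/Jul/2008:18:34:08 -0400] "POST /cgi-bin/other.pl HTTP/1.0" 200 77
198.51.100.7 - - [30/Jul/2008:18:40:00 -0400] "GET /index.html HTTP/1.1" 200 1043
"""

# Exim arrival line: timestamp, message id, "<=", sender, then U=<user> P=local.
EXIM_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ .*\bU=(\S+) P=local\b')
# Apache common log format: client, [time zone], "METHOD path ...".
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]+\] "(\S+) (\S+)')

def local_submissions(exim_log, user="www"):
    """Return arrival times of messages injected locally by `user`."""
    times = []
    for line in exim_log.splitlines():
        m = EXIM_RE.match(line)
        if m and m.group(2) == user:
            times.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return times

def suspect_scripts(exim_log, access_log, user="www", window=5):
    """Rank request paths that were followed within `window` seconds by a submission."""
    sent = local_submissions(exim_log, user)
    hits = Counter()
    for line in access_log.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        _ip, ts, _method, path = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S")
        # Count the request only if mail was queued at or shortly after it.
        if any(timedelta(0) <= s - when <= timedelta(seconds=window) for s in sent):
            hits[path.split("?")[0]] += 1
    return hits.most_common()

if __name__ == "__main__":
    print(suspect_scripts(EXIM_LOG, ACCESS_LOG))
```

Static files requested in the same few seconds will also show up in the ranking, so read the top entries rather than treating any single hit as proof.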
