Joseph Koening (jWeb) wrote: > I got up this morning and discovered that someone sent some spam through > one of my servers. The messages were sent from the 'www' user on > localhost, which is leading me to think somewhere someone has an insecure > php or perl script that is allowing someone to designate the recipient, > the subject, body, etc. I know the machine is not open-relay (I tested it > to double check) and I checked to make sure no one had actually logged in. > I grepped all of apache's log files looking for sites that received hits > about the same time the mail started going out. What else can I do to find > how the mail is being sent? Thanks,
While this has been resolved for the original poster, for the next guy who has this problem... For PHP, one could do something like: grep "mail.*\(" /path/to/htdocs and find mostly all of the places somebody is using PHP's internal http://php.net/mail function. I did that soon after the formmail alert, and made sure that I was cleaning all the input. Of course, if some user is doing this maliciously rather than from ignorance, they could use "mail\n(" and this grep wouldn't find it... A grep expert could probably suggest a better expression to use. -- Like Music? http://l-i-e.com/artists.htm _______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"