You might enable the safe_mode of PHP and disable the mail() function of PHP to avoid its usage.
Sincerely

En3pY Sebastian Konstanty Zdrojewski

URL: http://www.en3py.net/
E-Mail: [EMAIL PROTECTED]

-----Original message-----
From: Rainer Duffner [mailto:[EMAIL PROTECTED]
Sent: Friday, 24 February 2006 12:24
To: [email protected]
Subject: How to determine which PHP-script allows spamming?

Hello,

I have a big problem. Some customer probably got a PHP-script installed that allows sending out mails with no trace of the original domain it belongs to (we had this before, where pollvote.php was used to install some kind of web-shell - but it was easily detectable which domain it was).

The problem is that I have close to 10000 domains on my cluster. I tried to correlate httpd-logs with the maillogs, but it didn't lead to anything useful. I'm currently grep'ing the whole content for some of the email-addresses used, but I'm pessimistic - it may be that the spammer loads even that list from remote - and it takes a lot of time to grep 400 GB.

What options do I have? Can Snort detect this? (The webserver uses qmail as MTA)

cheers,
Rainer
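
An added example, not part of either message above: one way to do the httpd-log/maillog correlation the original question mentions, ranking PHP scripts by how often a POST to them is followed within seconds by a message queued under the web server's uid. Assumptions: the qmail-send log has been passed through tai64nlocal, the Apache log format starts with %v (the vhost), and the uid 80, the 5-second window, the host names and all log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

WEB_UID = "80"                 # assumption: uid that PHP runs as on the web servers
WINDOW = timedelta(seconds=5)  # assumption: max delay between request and queue entry

# Constructed sample: Apache common log format with "%v" (vhost) prepended.
HTTPD_LOG = """\
shop.example 203.0.113.9 - - [24/Feb/2006:12:01:02 +0100] "POST /form/send.php HTTP/1.1" 200 512
blog.example 198.51.100.4 - - [24/Feb/2006:12:01:02 +0100] "GET /index.php HTTP/1.1" 200 9120
shop.example 203.0.113.9 - - [24/Feb/2006:12:01:07 +0100] "POST /form/send.php HTTP/1.1" 200 512
cafe.example 192.0.2.77 - - [24/Feb/2006:12:03:30 +0100] "POST /contact.php HTTP/1.1" 200 830
"""
# Constructed sample: qmail-send log after tai64nlocal (local time, as in the httpd log).
QMAIL_LOG = """\
2006-02-24 12:01:03.104211500 info msg 660188: bytes 2307 from <anonymous@web1.example> qp 4211 uid 80
2006-02-24 12:01:08.204211500 info msg 660191: bytes 2311 from <anonymous@web1.example> qp 4230 uid 80
2006-02-24 12:02:00.004211500 info msg 660200: bytes 900 from <alice@blog.example> qp 4300 uid 1004
2006-02-24 12:03:31.004211500 info msg 660207: bytes 1100 from <anonymous@web1.example> qp 4388 uid 80
"""

HTTPD_RE = re.compile(r'^(\S+) \S+ \S+ \S+ \[([^ \]]+)[^\]]*\] "POST (\S+\.php)\S* ')
QMAIL_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ info msg \d+: .* uid (\d+)$')

def post_requests(log):
    """Yield (time, vhost, script) for every POST to a PHP script."""
    for line in log.splitlines():
        m = HTTPD_RE.match(line)
        if m:  # the UTC offset is dropped: both logs are compared in local time
            yield datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"), m.group(1), m.group(3)

def web_injections(log):
    """Yield the queue time of every message injected under the web server uid."""
    for line in log.splitlines():
        m = QMAIL_RE.match(line)
        if m and m.group(2) == WEB_UID:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")

def rank_scripts(httpd_log, qmail_log):
    """Count, per (vhost, script), the web-uid messages queued within WINDOW after a POST."""
    posts = list(post_requests(httpd_log))
    hits = Counter()
    for queued in web_injections(qmail_log):
        for when, vhost, script in posts:
            if timedelta(0) <= queued - when <= WINDOW:
                hits[(vhost, script)] += 1
    return hits.most_common()
```

On a shared cluster every window also catches unrelated POSTs, so it is the ranking over many messages that points at a script, not any single match.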
