On 07.11.2017 at 23:51, Paul A wrote:
Hi, recently I got an email with the subject "Cookie stealer report". I
looked at my apache logs and noticed a particular ip scanning my server
at that time using OpenVAS, which I had never heard of before. Doing
some research I found the mailing list for OpenVAS and found out what
the program does. With that said, I'm a bit concerned that someone using
a scanning program was able to send an email through my server from the
user apache.
Return-Path: <apache@xxx>
X-Original-To: razor@xx
Delivered-To: razor@xx
Received: by mail.xxx (Postfix, from userid 48)
well, you obviously have a vulnerable script calling sendmail (Postfix,
from userid 48) and the first question you should answer yourself is why
"mail" is not in disabled_functions in your php.ini - any proper
software can use SMTP, which has fewer security implications like
additional mail headers with \n in the subject and all that can of worms
over decades
why does your server respond with 301 (Moved Permanently) instead of 404
(Not Found) to requests for non-existing files?
I guess the log is only a small part
so grep for 200 and the ip 178.175.142.131
grep "178\.175\.142\.131" logfile | grep ' 200 '
there must have been at least one with a status code 200 not falling
under "seem to be files I don't have on the server"
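Added example (not from this thread or from any of its participants): a small Python filter that does what the grep pipeline in the reply does, but keys on the status field of an Apache combined-format line instead of any "200" in the line, which would also match a byte count. The log lines are constructed for the example; the ip is the one quoted above.

```python
import re
from collections import Counter

# Apache "combined" format: the status is the first field after the quoted
# request line, so matching by field avoids false hits on "200" in the byte count.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample lines; the first one returns 301 but has a byte count of 200
# on purpose, to show why a plain `grep 200` is not enough.
SAMPLE_LOG = """\
178.175.142.131 - - [07/Nov/2017:23:40:01 +0100] "GET /phpmyadmin/ HTTP/1.1" 301 200 "-" "OpenVAS"
178.175.142.131 - - [07/Nov/2017:23:40:02 +0100] "GET /nonexistent.php HTTP/1.1" 301 184 "-" "OpenVAS"
178.175.142.131 - - [07/Nov/2017:23:40:05 +0100] "POST /contact.php HTTP/1.1" 200 512 "-" "OpenVAS"
10.0.0.5 - - [07/Nov/2017:23:41:00 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
178.175.142.131 - - [07/Nov/2017:23:42:07 +0100] "GET /robots.txt HTTP/1.1" 404 209 "-" "OpenVAS"
"""

def parse(log_text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def hits_from(log_text, ip, status="200"):
    """Request lines from `ip` that got `status`: the scripts the scanner actually reached."""
    return [r["req"] for r in parse(log_text) if r["ip"] == ip and r["status"] == status]

def status_counts(log_text, ip):
    """Per-status counts for `ip`, e.g. to spot a server answering 301 where 404 is expected."""
    return Counter(r["status"] for r in parse(log_text) if r["ip"] == ip)

def naive_grep_matches(log_text, ip):
    """What `grep 200 | grep <ip>` returns: it also picks up a 200 in the byte count."""
    return [l for l in log_text.splitlines() if "200" in l and ip in l]

if __name__ == "__main__":
    scanner = "178.175.142.131"
    print("status counts:", dict(status_counts(SAMPLE_LOG, scanner)))
    print("200 hits:", hits_from(SAMPLE_LOG, scanner))
    print("naive grep would return", len(naive_grep_matches(SAMPLE_LOG, scanner)), "lines")
```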
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss