Reindl, thanks for the reply, I appreciate it. In php.ini I have:

[mail function]
; For Win32 only.
SMTP = localhost
smtp_port = 25
; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
sendmail_path = /usr/sbin/sendmail -t -i

Should I only be getting rid of the line with sendmail? Also, looking at the logs, the one 200 I see is:

178.175.142.131 - - [07/Nov/2017:16:05:53 -0500] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"

I still don't see where and how it executed the email program, even though I now think it's related to the sendmail path in php.ini.

[root@mail scripts]# grep 178.175.142.131 /var/log/httpd/access_log | grep 200
178.175.142.131 - - [07/Nov/2017:15:52:43 -0500] "GET /CruxPA200/login.php HTTP/1.1" 301 255 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:15:52:43 -0500] "GET /CruxPA200/Manager/login.php HTTP/1.1" 301 263 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:00:28 -0500] "GET /mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 301 360 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:00:28 -0500] "GET /scripts/mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 301 368 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:00:29 -0500] "GET /cgi-bin/mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 301 368 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:01:40 -0500] "GET /stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 301 366 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:01:41 -0500] "GET /DigitalScribe/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 301 380 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:01:41 -0500] "GET /digitalscribe/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 301 380 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:01:41 -0500] "GET /scripts/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 301 374 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:01:42 -0500] "GET /cgi-bin/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 301 374 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:02:56 -0500] "GET /booking_calendar//details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 301 406 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:02:56 -0500] "GET /cal/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 301 392 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:02:57 -0500] "GET /scripts/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 301 396 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:02:57 -0500] "GET /cgi-bin/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 301 396 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:02:59 -0500] "GET /details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 301 388 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:05:18 -0500] "GET /calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1" 301 312 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:05:19 -0500] "GET /scripts/calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1" 301 320 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:05:19 -0500] "GET /cgi-bin/calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1" 301 320 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:05:53 -0500] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"

-----Original Message-----
From: Openvas-discuss [mailto:[email protected]] On Behalf Of Reindl Harald
Sent: Tuesday, November 07, 2017 7:41 PM
To: [email protected]
Subject: Re: [Openvas-discuss] openVAS Cookie stealer report email

On 07.11.2017 at 23:51, Paul A wrote:
> Hi, recently I got an email with the subject "Cookie stealer report".
> I looked at my Apache logs and noticed a particular IP scanning my
> server at that time using OpenVAS, which I had never heard of
> before. Doing some research I found the mailing list for OpenVAS and
> found out what the program does. With that said, I'm a bit concerned
> that someone using a scanning program was able to send an email
> through my server from the user apache.
>
> Return-Path: <apache@xxx>
> X-Original-To: razor@xx
> Delivered-To: razor@xx
> Received: by mail.xxx (Postfix, from userid 48)

well, you obviously have a vulnerable script calling sendmail (Postfix, from userid 48) and the first question you should answer yourself is why "mail" is not in disabled_functions in your php.ini - any proper software can use SMTP, which has fewer security implications like additional mail headers with \n in the subject and all that can of worms over decades

why does your server respond with 301 (Moved Permanently) instead of 404 (Not Found) to requests for non-existing files?

i guess the log is only a small part, so grep for 200 and the ip 178.175.142.131

cat logfile | grep 200 | grep "178\.175\.142\.131"

there must have been at least one with a status code 200 not falling under "seem to be files I don't have on the server"

_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
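A note on the grep suggested in the quoted reply: `grep 200` matches the substring "200" anywhere on the line, which is why Paul's output is almost entirely 301 responses (the string appears in `/CruxPA200/`, in `%200x4f...`, in `date=2000-12-01` and in `year=2004`). The only request in his output that the server actually answered with status 200 is the `OPTIONS *` probe. The script below is an added example, not code from the thread or from the OpenVAS project: it parses Apache "combined" log lines, reads the status from the `%>s` field, and compares the result with the naive substring match. The 178.175.142.131 lines are copied from the post; the 203.0.113.7 line is constructed so the sample also contains a non-scanner client.

```python
"""Summarise Apache "combined" access-log lines by their real HTTP status.

Added example for the thread above (not list or OpenVAS code). The
178.175.142.131 lines are copied from the post; the 203.0.113.7 line is
constructed.
"""
import re
from collections import Counter

# Apache LogFormat "combined":
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

SCANNER_UA = "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"

SAMPLE_LOG = [
    # lines from the post (all 301 except the last one)
    '178.175.142.131 - - [07/Nov/2017:15:52:43 -0500] "GET /CruxPA200/login.php HTTP/1.1" 301 255 "-" "' + SCANNER_UA + '"',
    '178.175.142.131 - - [07/Nov/2017:16:00:28 -0500] "GET /mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 301 360 "-" "' + SCANNER_UA + '"',
    '178.175.142.131 - - [07/Nov/2017:16:02:56 -0500] "GET /cal/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 301 392 "-" "' + SCANNER_UA + '"',
    '178.175.142.131 - - [07/Nov/2017:16:05:18 -0500] "GET /calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1" 301 312 "-" "' + SCANNER_UA + '"',
    '178.175.142.131 - - [07/Nov/2017:16:05:53 -0500] "OPTIONS * HTTP/1.1" 200 - "-" "' + SCANNER_UA + '"',
    # constructed line: an ordinary client from the 203.0.113.0/24 documentation range
    '203.0.113.7 - - [07/Nov/2017:16:10:00 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # %r is "METHOD PATH PROTOCOL"; an "OPTIONS *" request has "*" as its path
    parts = entry["req"].split(" ")
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    entry["status"] = int(entry["status"])
    return entry


def summarize(lines, ip):
    """Summarise what one client IP actually got back from the server."""
    entries = [e for e in map(parse_line, lines) if e and e["ip"] == ip]
    return {
        # what `grep <ip> | grep 200` would have matched: "200" anywhere on the line
        "naive_200_matches": sum(1 for l in lines if l.startswith(ip + " ") and "200" in l),
        # responses counted by the real status code in the %>s field
        "by_status": Counter(e["status"] for e in entries),
        # requests the server actually served with 200; these are the ones
        # worth checking when asking which script a scanner reached
        "served": [(e["method"], e["path"]) for e in entries if e["status"] == 200],
        # requests carrying the scanner's user-agent string
        "scanner_requests": sum(1 for e in entries if "OpenVAS" in e["ua"]),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, "178.175.142.131")
    print("grep-style '200' matches:", s["naive_200_matches"])
    print("by real status:", dict(s["by_status"]))
    print("actually served with 200:", s["served"])
    print("requests with OpenVAS user-agent:", s["scanner_requests"])
```

On the sample above the substring match reports five hits for the scanner's IP, while only one request, the `OPTIONS *`, really received a 200; the other four are redirects whose paths happen to contain "200". Pointing the same summary at a full access_log (read the file into `lines`) gives the list of served requests that the quoted reply asks for, without the false matches.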
