On Mar 30, 2006, at 3:10 PM, Bill Shupp wrote:
Bob Hutchinson wrote:
Depending on how many users you have, try to find any php scripts
containing 'mail'. If they also contain the above you're getting
somewhere. Of course cgi-bin is also a possibility. Look for 'mailform'
or 'formmail' etc.
Hope you get lucky.
Note that POST values are not logged, so searching logs may not reveal
anything. I have better luck looking for dates that correspond to the
date of the message.
When I was under a similar attack, the spams were going out but the web
logs were going to an error_log.
My solution was to write a short Perl script that checked all of the
log file sizes, waited a minute and then checked again. This narrowed
down the list of possible virtual hosts that were under attack.
--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
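
The size-comparison approach described in the message above, as an added Python sketch. It is not the Perl script mentioned in the thread, which is not shown there. The default glob path and the 60-second wait are assumptions to adjust for the local per-virtual-host log layout.

```python
#!/usr/bin/env python3
"""Report which log files grew during a wait interval, largest growth first."""
import glob
import os
import sys
import time


def snapshot(pattern):
    """Map each file matching the glob pattern to its current size in bytes."""
    sizes = {}
    for path in glob.glob(pattern, recursive=True):
        try:
            sizes[path] = os.stat(path).st_size
        except OSError:
            continue  # file vanished or became unreadable between glob and stat
    return sizes


def growth(before, after):
    """Return [(path, bytes_added)] for files that grew, biggest first."""
    grown = []
    for path, new_size in after.items():
        old_size = before.get(path, 0)  # 0 if the file was created during the wait
        if new_size < old_size:         # rotated or truncated: count from zero
            old_size = 0
        if new_size > old_size:
            grown.append((path, new_size - old_size))
    return sorted(grown, key=lambda item: item[1], reverse=True)


def main(argv):
    # Assumed layout: access and error logs for every virtual host under one tree.
    pattern = argv[1] if len(argv) > 1 else "/var/log/httpd/**/*log"
    wait = int(argv[2]) if len(argv) > 2 else 60
    before = snapshot(pattern)
    time.sleep(wait)
    for path, added in growth(before, snapshot(pattern)):
        print(f"{added:>10}  {path}")


if __name__ == "__main__":
    main(sys.argv)
```

Because the glob matches error logs as well as access logs, a host whose requests only show up in an error_log, as in the case described above, still appears in the output.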