[EMAIL PROTECTED] apache hacked to send spam!
Hello List,

I have been trying to isolate attacks on my server where someone is using apache to send spam from my host. I have been hit quite a bit in the past 2 days. Some of my websites have web forms, but I'm pretty sure that they are tight.

This is a new line item in my daily Logwatch in the sendmail area that just started to appear with the spam attacks:

snip
Authentication warnings:
    apache set sender to [EMAIL PROTECTED] using -f: 7 Times(s)
/snip

([EMAIL PROTECTED] is a real user on my host.)

Does anybody know what this means? Where should I start to find the problem?

I am using
Redhat9
Apache/2.0.40
php-4.2.2-17.2
sendmail-8.12.8-9.90
sendmail-cf-8.12.8-9.90
mailscanner-4.23-11
mailscanner-mrtg-0.05-3
clamav-0.88
Interchange 5.4

Thanks!
Rick

---------
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: [EMAIL PROTECTED] apache hacked to send spam!
It's most likely the php mail() function. With the default install/config when the mail() function sends an email it is sent by the Apache user. If it is going to someone you know over and over (aka a client) it could be a contact us page.

Mark.

maillists wrote:
> Hello List,
>
> I have been trying to isolate attacks on my server where someone is using apache to send spam from my host. I have been hit quite a bit in the past 2 days. Some of my websites have web forms, but I'm pretty sure that they are tight.
>
> This is a new line item in my daily Logwatch in the sendmail area that just started to appear with the spam attacks:
>
> snip
> Authentication warnings:
>     apache set sender to [EMAIL PROTECTED] using -f: 7 Times(s)
> /snip
>
> ([EMAIL PROTECTED] is a real user on my host.)
>
> Does anybody know what this means? Where should I start to find the problem?
>
> I am using
> Redhat9
> Apache/2.0.40
> php-4.2.2-17.2
> sendmail-8.12.8-9.90
> sendmail-cf-8.12.8-9.90
> mailscanner-4.23-11
> mailscanner-mrtg-0.05-3
> clamav-0.88
> Interchange 5.4
>
> Thanks!
> Rick

--
___
Mark McCulligh, Web Consultant
VisualTech Components
www.VisualTech.ca
[EMAIL PROTECTED]
(519)318-7905
Re: [EMAIL PROTECTED] apache hacked to send spam!
Quoting maillists [EMAIL PROTECTED]:

> Hello List,
>
> I have been trying to isolate attacks on my server where someone is using apache to send spam from my host. I have been hit quite a bit in the past 2 days. Some of my websites have web forms, but I'm pretty sure that they are tight.

Are these forms processed with PHP? Has the code been checked to make sure it is immune to the PHP Mail Injection that surfaced last summer?

> This is a new line item in my daily Logwatch in the sendmail area that just started to appear with the spam attacks:
>
> snip
> Authentication warnings:
>     apache set sender to [EMAIL PROTECTED] using -f: 7 Times(s)
> /snip
>
> ([EMAIL PROTECTED] is a real user on my host.)

In PHP, you can use the fifth parameter to the mail() function to set certain attributes in the SMTP header. If the programmer uses '-f [EMAIL PROTECTED]', the Return-path: header is set to '[EMAIL PROTECTED]'. Some email systems are now rejecting the email if the domain name in the Return-path header is not the same as the domain name in the From: header. This warning and the spam probably are not connected.

> I am using
> Redhat9
> Apache/2.0.40
> php-4.2.2-17.2

PHP 4.2.2 is rather old. I would suggest upgrading to at least 4.10 or 4.11

Ken
Re: [EMAIL PROTECTED] apache hacked to send spam!
On Thu, 2006-01-19 at 10:26 -0500, Mark McCulligh wrote:
> It's most likely the php mail() function. With the default install/config when the mail() function sends an email it is sent by the Apache user. If it is going to someone you know over and over (aka a client) it could be a contact us page.
>
> Mark.
>
> maillists wrote:

Thanks Mark,

The spam is going out to many outside addresses of the world (sorry everybody, I need to be sentenced to community service or something for this).

Does anybody know what the following is in my Logwatch under sendmail area?

snip
Authentication warnings:
    apache set sender to [EMAIL PROTECTED] using -f: 7 Times(s)
/snip

Thanks Again! and I apologize if any of you got hit by the spam!

Rick
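
A triage sketch for the Logwatch line discussed in this thread, added here as an example and not posted by any list member: it pairs each sendmail `Authentication-Warning` entry with the `from=` line that shares its queue ID and flags web-submitted messages with many recipients. The syslog layout, host names, addresses and the `max_rcpts` threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed sendmail syslog layout; all names are placeholders.
SAMPLE_MAILLOG = """\
Jan 19 10:12:01 web1 sendmail[4321]: k0JFC1Ab004321: Authentication-Warning: web1.example.com: apache set sender to rick@example.com using -f
Jan 19 10:12:01 web1 sendmail[4321]: k0JFC1Ab004321: from=rick@example.com, size=1432, class=0, nrcpts=40, msgid=<200601191512.k0JFC1Ab004321@web1.example.com>, relay=apache@localhost
Jan 19 10:15:44 web1 sendmail[4400]: k0JFFiCd004400: Authentication-Warning: web1.example.com: apache set sender to sales@example.com using -f
Jan 19 10:15:44 web1 sendmail[4400]: k0JFFiCd004400: from=sales@example.com, size=612, class=0, nrcpts=1, msgid=<200601191515.k0JFFiCd004400@web1.example.com>, relay=apache@localhost
Jan 19 10:20:09 web1 sendmail[4512]: k0JFK9Ef004512: from=<cron@example.com>, size=300, class=0, nrcpts=1, msgid=<200601191520.k0JFK9Ef004512@web1.example.com>, relay=root@localhost
"""

# timestamp, host, sendmail[pid], queue ID, then the rest of the entry
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
WARN = re.compile(r"Authentication-Warning: \S+ (?P<user>\S+) set sender to (?P<sender>\S+) using -f")
NRCPTS = re.compile(r"\bnrcpts=(?P<n>\d+)")


def triage(log_text, web_user="apache", max_rcpts=5):
    """List messages where web_user overrode the envelope sender, largest recipient count first."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        w = WARN.search(rest)
        if w and w.group("user") == web_user:
            msgs[qid].update(ts=m.group("ts"), sender=w.group("sender"))
        n = NRCPTS.search(rest)
        if rest.startswith("from=") and n:
            msgs[qid]["nrcpts"] = int(n.group("n"))
    findings = [
        {"qid": qid, "ts": info["ts"], "sender": info["sender"],
         "nrcpts": info.get("nrcpts", 0),
         "suspicious": info.get("nrcpts", 0) > max_rcpts}
        for qid, info in msgs.items() if "sender" in info  # only -f submissions
    ]
    return sorted(findings, key=lambda f: f["nrcpts"], reverse=True)


if __name__ == "__main__":
    for finding in triage(SAMPLE_MAILLOG):
        print(finding)
```

The timestamps of flagged entries can then be compared with POST requests in the Apache access log to narrow down which form handler submitted the message.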