
RE: [cobalt-users] B**tards!



Start in the logs... If it's a spam-monster version of a formmailer, you
should be able to see this in your http logs, and you might find
something like the following.

www.domain.com 123.123.123.123 - - [09/Aug/2002:13:31:06 -0500] "GET /cgi-bin/formmail.cgi?recipient=blah@xxxxxxxxxx,blah2@xxxxxxxxxx,blah3@domain.com&subject=I%20AM%20YOUR%20SPAM%20MESSAGE&email=spooffed@spooffed.com&=BLAH%20MESSAGE%20BLAH%20MESSAGE%20BLAH HTTP/1.1" 200 1082 "-" "client_version_blah"

You should also investigate your maillog...

Rusty Waybrant

-----Original Message-----
From: Andy Jacobs [mailto:andy@xxxxxxxxxxxxxx] 
Sent: Friday, August 09, 2002 1:31 PM
To: Cobalt-Users
Subject: [cobalt-users] B**tards!


Why today.  I have just got back from my father's funeral and some
complete bastard has hacked into my machine.  Someone is using my server
to send spam. I suspect through the old formmail exploit.  I've just
suspended the site in question.

All my customers were getting a mail lock error and when I do a ps -ef
there are various sendmail processes running for root.  I could be
barking up the wrong tree there though.

Can anyone please throw me a small shred of hope and tell me where I
might start looking.

Regards,

Andy
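
Added example, not part of the original thread: a Python sketch of the log check suggested in the reply, flagging formmail GET requests whose recipient list has more than one address or points outside the site's own domain, grouped by client IP. It assumes the vhost-prefixed log format quoted above and a script named formmail.cgi or formmail.pl; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# vhost-prefixed combined log format, as in the log line quoted in the reply.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
SCRIPT_RE = re.compile(r'/formmail(\.(cgi|pl))?$', re.IGNORECASE)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    'www.example.com 203.0.113.7 - - [09/Aug/2002:13:31:06 -0500] "GET /cgi-bin/formmail.cgi?recipient=a@example.net,b@example.org&subject=X&email=fake@example.net HTTP/1.1" 200 1082 "-" "client"',
    'www.example.com 198.51.100.4 - - [09/Aug/2002:13:32:10 -0500] "GET /cgi-bin/formmail.cgi?recipient=sales%40example.com&subject=Quote HTTP/1.1" 200 640 "-" "client"',
    'www.example.com 198.51.100.4 - - [09/Aug/2002:13:32:15 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "client"',
    'www.example.com 198.51.100.9 - - [09/Aug/2002:13:33:00 -0500] "POST /cgi-bin/formmail.cgi HTTP/1.1" 200 700 "-" "client"',
]

def recipients(target):
    """Return recipient addresses from a formmail URL, or None for other URLs."""
    parts = urlsplit(target)
    if not SCRIPT_RE.search(parts.path):
        return None
    addrs = []
    for value in parse_qs(parts.query).get("recipient", []):  # URL-decodes %40 etc.
        addrs += [a.strip().lower() for a in value.split(",") if a.strip()]
    return addrs

def scan(lines):
    """Map client IP -> [(timestamp, recipient count, off-site recipients)]."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        addrs = recipients(m["target"])
        if not addrs:  # not formmail, or no recipient visible in the URL
            continue
        site = m["vhost"].lower()
        site = site[4:] if site.startswith("www.") else site
        foreign = [a for a in addrs if not a.endswith("@" + site)]
        if len(addrs) > 1 or foreign:
            hits[m["ip"]].append((m["ts"], len(addrs), foreign))
    return dict(hits)

if __name__ == "__main__":
    for ip, rows in scan(SAMPLE).items():
        print(ip, rows)
```

A request sent by POST carries its recipient list in the body, which the access log does not record, so the maillog check mentioned in the reply is still needed for those.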
