
Re: [cobalt-users] [OT] Email spam



<jale@xxxxxxxxxx> wrote:
> With my SMTP not responding problem, I did a locate on formmail.cgi and .pl
> (with all sorts of variations on caps, i.e. FormMail, etc.), and didn't find
> it on my RAQ3. Any other names it can go by?

Any scripting language can be used to add functionality to a web page to
allow email to be sent.  And that script can be added to a file with any
name and with any file extension so long as your webserver is set up to parse
files with that extension as a particular scripting language.  I've dealt
with this problem before on clients' servers and here's what I do.  I check
/var/log/maillog for timestamps of the script hijacking, then look for
corresponding entries in the Apache log.  If the log entries are still
available it's just a matter of locating the script, then reviewing to
determine whether to modify it to secure it, replace it, delete it or
control access to it.  If the log entries are no longer available I
generate a list of all files with .pl, .cgi, .py (Python) and PHP extensions
and another list of all executable files in case there are any I missed by
looking at extensions alone.  Then I go through the files looking for
insecure scripts that allow email to be sent.  I use the programs locate,
find, grep and rpl (not standard, download from laffeycomputer.com) to do
the searches and/or a text editor or more/less/cat to search the code.  I
start by looking at files that have filenames which appear to be good
candidates (any variation of formmail is a red flag) and filenames from
programs that I know have vulnerabilities in current or older versions.
Then I check for function calls like mail() by doing a search for "mail(" or
"mail (", or a variation depending on the scripting language I'm checking.
Sometimes it can take a few minutes to find the offending script(s),
sometimes much longer - depends on the number of scripts, number of lines of
code, and whether it's an easy-to-catch FormMail script or not.  I can't
find the beginning of this thread so I don't know that you're certain a web
script is responsible, but I've seen several instances recently of an
intruder installing shell scripts to send out bulk email.  So you may want
to check /tmp or any other directories writable by httpd as well for scripts
installed by an intruder.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
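The two-stage procedure Steve describes (correlate maillog send times with the Apache log, and fall back to hunting for mail-capable scripts by extension, executable bit and "mail(" / sendmail calls when the logs are gone) as an added POSIX shell example. This is not part of the original message or of any Cobalt tool. The maillog lines, the Apache access-log lines, the web tree and every path under it are constructed for illustration; the sendmail log format, the web-server user name (apache) and the function names are assumptions. On a real RaQ you would point the functions at /var/log/maillog, the Apache access log, the document roots and /tmp or other httpd-writable directories.

```shell
#!/bin/sh
# Added example, not from the original post. Two stages of the procedure above:
#  1. log correlation: maillog send times -> Apache requests in the same second
#  2. fallback file hunt: script-like or executable files that call a mailer
# All log lines, files and paths below are constructed; the sendmail line
# format and the web-server user name "apache" are assumptions.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed maillog excerpt (sendmail-style lines).
cat > "$WORK/maillog" <<'EOF'
Mar 14 02:17:05 raq3 sendmail[12345]: g2E2H5A12345: from=apache, size=1203, nrcpts=40, relay=apache@localhost
Mar 14 02:17:06 raq3 sendmail[12345]: g2E2H5A12345: to=<someone@example.net>, ctladdr=apache, stat=Sent
Mar 14 02:17:09 raq3 sendmail[12350]: g2E2H9A12350: from=apache, size=1203, nrcpts=40, relay=apache@localhost
Mar 14 03:00:01 raq3 sendmail[12400]: g2E301A12400: from=root, size=512, nrcpts=1, relay=root@localhost
EOF

# Constructed Apache access-log excerpt.
cat > "$WORK/access_log" <<'EOF'
203.0.113.7 - - [14/Mar/2002:02:17:05 +0000] "POST /cgi-bin/contact.pl HTTP/1.0" 200 312
198.51.100.9 - - [14/Mar/2002:02:17:07 +0000] "GET /index.html HTTP/1.0" 200 4321
203.0.113.7 - - [14/Mar/2002:02:17:09 +0000] "POST /cgi-bin/contact.pl HTTP/1.0" 200 312
EOF

# Constructed web tree: one form handler, one static page, one dropped
# executable with no extension in a writable directory.
mkdir -p "$WORK/www/cgi-bin" "$WORK/www/tmp"
cat > "$WORK/www/cgi-bin/contact.pl" <<'EOF'
#!/usr/bin/perl
open(MAIL, "|/usr/sbin/sendmail -t");   # FormMail-style pipe to the MTA
EOF
printf '<html><body>hello</body></html>\n' > "$WORK/www/index.html"
printf '#!/bin/sh\nwhile read a; do sendmail "$a" < body.txt; done < list.txt\n' > "$WORK/www/tmp/.x"
chmod +x "$WORK/www/tmp/.x"

# Stage 1a: HH:MM:SS of every message the web-server user handed to the MTA.
# $1 = maillog, $2 = user the web server runs as (apache, httpd, nobody, ...).
mail_times() {
    grep "from=$2," "$1" | awk '{print $3}' | sort -u
}

# Stage 1b: Apache request lines logged in the same second as each send.
# $1 = maillog, $2 = access log, $3 = web-server user.
correlate() {
    mail_times "$1" "$3" | while read -r t; do
        grep -F ":$t " "$2" || true    # Apache time field: [dd/Mon/yyyy:HH:MM:SS zone]
    done
}

# Stage 1c: requested paths that coincide with sends, most frequent first.
suspect_scripts() {
    correlate "$1" "$2" "$3" | awk '{print $7}' | sort | uniq -c | sort -rn
}

# Stage 2: when the logs are gone, list script-like or executable files under
# a tree and keep those containing a mail() call, a mailer pipe, or "formmail".
find_mail_scripts() {
    find "$1" -type f \( -name '*.pl' -o -name '*.cgi' -o -name '*.py' \
                          -o -name '*.php' -o -perm -100 \) 2>/dev/null |
    while read -r f; do
        if grep -Eqi 'mail *\(|sendmail|formmail' "$f"; then
            echo "$f"
        fi
    done
}

echo "== requests coinciding with web-server mail sends =="
suspect_scripts "$WORK/maillog" "$WORK/access_log" apache
echo "== candidate scripts under the web tree =="
find_mail_scripts "$WORK/www"
```

The correlation step matches only to the second, so a busy site will produce some coincidental hits; the counts from suspect_scripts are what separate the form handler that fires on every send from unrelated traffic. The file hunt deliberately includes files with no extension at all, which is how a script dropped into /tmp by an intruder would otherwise slip past an extension-only search.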