
[cobalt-users] Re: Mail Bomb ... I'm stumped



At 10:46 PM -0500 11/21/02, tchong is rumored to have typed:

> Have you actually tried to relay through your Formmail scripts, via the
> browser?

   Everyone seems to be assuming the problem is an old formmail script.
That's the simple answer, but there seems to be a small problem with it...if
it were a straight CGI, it should be running in a wrapper as the user who
owns the virtual site, not httpd. At least that's the standard on Cobalts,
although it is reasonably easy to change in the httpd.conf file. (I won't
even get into the fact that it doesn't _look_ like the output of an old
formmail script.) When I saw it, it looked to me like the output of a PHP
script which _would_ run as httpd; my first reaction was to wonder if there
were any problems with any customers on the box lately, or disagreements, or
other unpleasantness which might narrow down the focus of your search. I
wouldn't trust checking access for a PHP script as .php, of course, since
it's trivial to use .htaccess to parse _any_ extension through PHP (I have a
site where _everything_ goes through it, for reasons I won't get into now).
Check all the listings that triggered right before the bomb went off,
regardless of the extension; yeah, I know it's ugly on a busy box, but again,
with .htaccess any extension is possible.

   Given all that, formmail just doesn't seem the likely culprit here.
Personally I'd be looking elsewhere (although I guess a locate formmail can't
exactly hurt, either). Not to frighten you, but have you run chkrootkit with
known good binaries as listed on the www.chkrootkit.org website?

         Charlie

   P.S. For the short term, you could always REJECT mail from httpd in your
/etc/mail/access file...but remember that will also kill any legitimate PHP
scripts, too.

         Me
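The log check Charlie describes, pulling every request that hit the server in the minutes before the bomb went off regardless of file extension, is easy to script. The following is an added example, not code from the original post; it assumes the Cobalt's httpd writes Apache common/combined log format, and the log lines, the bomb timestamp and the window size are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache common/combined log format prefix: host ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log; note the .txt file that receives POSTs (an extension that
# could be handed to PHP via .htaccess, so a .php-only grep would miss it).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2002:22:31:12 -0500] "GET /index.html HTTP/1.1" 200 4312
10.0.0.9 - - [21/Nov/2002:22:38:50 -0500] "POST /feedback.txt HTTP/1.1" 200 118
10.0.0.9 - - [21/Nov/2002:22:38:51 -0500] "POST /feedback.txt HTTP/1.1" 200 118
10.0.0.9 - - [21/Nov/2002:22:38:53 -0500] "POST /feedback.txt HTTP/1.1" 200 118
10.0.0.7 - - [21/Nov/2002:22:39:02 -0500] "GET /images/logo.gif HTTP/1.1" 304 -
10.0.0.9 - - [21/Nov/2002:22:41:30 -0500] "POST /feedback.txt HTTP/1.1" 200 118
garbage line that does not parse
"""

# Hypothetical moment the outbound mail flood started (taken from the mail log in practice).
BOMB_TIME = "21/Nov/2002:22:40:00 -0500"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def requests_before(log_text, bomb_ts, minutes):
    """Every parseable request in the `minutes` before bomb_ts (inclusive), newest first.
    No filtering on extension: anything could have been parsed through PHP."""
    bomb = datetime.strptime(bomb_ts, TS_FMT)
    start = bomb - timedelta(minutes=minutes)
    hits = [r for r in map(parse_line, log_text.splitlines()) if r and start <= r["ts"] <= bomb]
    hits.sort(key=lambda r: r["ts"], reverse=True)
    return hits


def count_by_path(hits):
    """Group hits by (method, path without query string), busiest first."""
    counts = {}
    for r in hits:
        key = (r["method"], r["path"].split("?", 1)[0])
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def analyze_sample(minutes=10):
    """Run the check over the constructed log; returns (hits, per-path counts)."""
    hits = requests_before(SAMPLE_LOG, BOMB_TIME, minutes)
    return hits, count_by_path(hits)


if __name__ == "__main__":
    hits, counts = analyze_sample()
    print(f"{len(hits)} requests in the {10} minutes before {BOMB_TIME}:")
    for r in hits:
        print(f"  {r['ts']:%H:%M:%S} {r['host']:<10} {r['method']:<5} {r['path']} {r['status']}")
    print("by path:")
    for (method, path), n in counts:
        print(f"  {n:3d}  {method} {path}")
```

On a real box you would feed it the site's access log (for example with `open(path).read()`) and take the bomb time from the mail log; a burst of POSTs to one URL just before the flood is the kind of thing to look at first, whatever its extension.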