
Re: [cobalt-users] Mail Bomb ... I'm stumped



<snip>
> > seems a little more malicious and likely less
> > sophisticated, but I wouldn't
> > rule out something like what I've encountered
> > before.  Ursula, please keep
> > in mind that my theory isn't the only plausible
> > theory, but I hope my
> > experience with this sort of thing helps you in your
> > investigation and any
> > others who may run into something similar.  And I'd
> > definitely install/run
> > chkrootkit, though that's not the be all end all of
> > security.
>
> All of the variations of the email have been in a
> similarly childish vein - "Bite me", "I'm the
> greatest", and other similar drivel.
> Thanks for your helpful reply. My main suspects are
> still a disguised php file, or maybe a Frontpage
> exploit, but digging up the culprit is proving to be
> an enormous headache.
</snip>

Unfortunately not easy with 160+ sites on there. The only thing I can add is to 
continually
tail -f /home/log/httpd/access |grep POST
and have a look at what scripts people are posting to. That should help you 
narrow down the culprit, although again a busy server is likely to have quite 
a few running.

You say that the logs didn't show anything about the time of the first email; 
it's possible that the first email was actually sent a long time before you 
got the email back into the httpd mailbox, due to the usual mail-daemon 
retries.

Also, we're all focusing on the public httpd daemon; it may also be worth 
checking the admserv logs as well, since it's not impossible that this was 
breached, or a dangerous file uploaded to that part of the server.

Hopefully you're getting closer to tracking this one down; I'm interested in 
the outcome for sure!

Regards,
Andy
andy@xxxxxxxxxx
http://www.raqpak.com/
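The `tail -f ... | grep POST` approach above works, but on a 160-site server the raw stream scrolls by too fast to read. The script below is an added example (not from the original thread or from Andy) that does the same triage offline: it parses Apache common/combined access-log lines, counts POST requests per script (query string stripped) and lists which client addresses are posting to each one, so the busiest form handlers and the clients driving them stand out. The log lines embedded in it are constructed sample data; the log path used on the RaQ (/home/log/httpd/access) and the admserv access log can be read the same way by passing their lines to the functions instead.

```python
"""Rank the scripts receiving POST requests in an Apache access log.

Added example for the mail-bomb triage discussed above; not part of the
original mailing-list post. Assumes Apache "common" log format, with the
"combined" format's referer/user-agent fields accepted when present.
"""
import re
import sys
from collections import Counter, defaultdict

# One Apache access-log entry: client, identd, user, [timestamp],
# "METHOD target PROTO", status, size, and optionally "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log (documentation/test addresses only, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2001:14:02:11 +0100] "GET /index.html HTTP/1.0" 200 2341
203.0.113.5 - - [10/Aug/2001:14:02:15 +0100] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
198.51.100.9 - - [10/Aug/2001:14:03:01 +0100] "POST /site12/contact.php?x=1 HTTP/1.0" 200 88
198.51.100.9 - - [10/Aug/2001:14:03:02 +0100] "POST /site12/contact.php HTTP/1.0" 200 88
198.51.100.9 - - [10/Aug/2001:14:03:04 +0100] "POST /site12/contact.php HTTP/1.1" 200 88 "http://www.example.com/site12/contact.html" "Mozilla/4.0"
192.0.2.77 - - [10/Aug/2001:14:05:40 +0100] "POST /site12/contact.php HTTP/1.0" 200 88
192.0.2.77 - - [10/Aug/2001:14:05:41 +0100] "GET /site12/images/logo.gif HTTP/1.0" 304 -
this line is not an access-log entry and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def script_path(target):
    """Drop the query string so /x.php?a=1 and /x.php count as the same script."""
    return target.split("?", 1)[0]


def post_targets(lines):
    """Count POST requests per script path, ignoring unparseable lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            counts[script_path(rec["target"])] += 1
    return counts


def posters_by_target(lines):
    """Map each POSTed-to script to a Counter of client addresses hitting it."""
    posters = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            posters[script_path(rec["target"])][rec["ip"]] += 1
    return dict(posters)


def report(lines):
    """Build (script, total, [(ip, n), ...]) rows, busiest script first."""
    counts = post_targets(lines)
    posters = posters_by_target(lines)
    return [(path, n, posters[path].most_common())
            for path, n in counts.most_common()]


if __name__ == "__main__":
    # Usage: python3 post_targets.py /home/log/httpd/access   (or no argument
    # to run against the constructed sample above).
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for path, total, clients in report(src):
        print(f"{total:6d}  {path}")
        for ip, n in clients:
            print(f"        {n:6d}  {ip}")
```

A script that is legitimately busy will show many different client addresses posting to it; a handful of addresses hammering one obscure form handler is the pattern worth pulling the file for. Because the counts are per script path rather than per raw request line, the same handler called with varying query strings is not split across several rows.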