RE: Help with hijacked sendmail
From: Moeller, Arno (am@bogs.de)
Date: 09/25/01
- Previous message: m.bizzarri@icube.it: "Re: Floppy Linuxes, Kickstart"
- Maybe in reply to: Dan Abend: "Help with hijacked sendmail"
- Next in thread: Brian Hatch: "Re: spamming via formail.pl"
- Next in thread: Anthony Baratta: "Re: Help with hijacked sendmail"
- Reply: Brian Hatch: "Re: spamming via formail.pl"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <805176E0B926D5119CEC0080C894243708F60D@yes.bogs.mit>
From: "Moeller, Arno" <am@bogs.de>
To: "'focus-linux@securityfocus.com'" <focus-linux@securityfocus.com>
Subject: RE: Help with hijacked sendmail
Date: Tue, 25 Sep 2001 10:09:03 +0200
Hello,
> I noticed some odd behavior going on in my maillog file. I've checked my
> sendmail configuration and have no idea how to get this behavior to stop.
> I don't see anything out of the ordinary in any other log. For now,
> sendmail is stopped. I don't even know what to try or where to examine
> next. Any suggestions are appreciated. This is what I see in the log and
> there are a lot of them. (Email addresses have been altered to protect
> the innocent)
I've seen this before... My guess is that this machine is also
running a web server, since the mails are sent by the user
nobody@localhost, and this web server is also hosting the
formmail.pl script. If someone knows the exact location of the
formmail script, any mail can be sent to anyone by using a well-
crafted URL. I'm not sure whether to go into more detail here,
since there may be some spammers who do not know how to accomplish
this.
If I'm right, my advice is to go through your web server logs and
look for the corresponding formmail entries. If you find them,
it is not your sendmail that has been "hijacked", but your formmail
script. I've patched formmail in the following way to prevent this
from happening and to log the spamming attempts:
# Determine the form's REQUEST_METHOD (GET or POST) and split the form
# fields up into their name-value pairs. If the REQUEST_METHOD was
# not GET or POST, send an error.
if ($ENV{'REQUEST_METHOD'} eq 'GET') {
    # GET is refused outright: instead of splitting the name-value
    # pairs, log the attempt and return an error page.
    # The log is appended to; a failed open must not abort the CGI,
    # so it is only reported to the web server's error log.
    # (/tmp is world-writable; a dedicated log directory is safer.)
    if (open(FILE, ">>/tmp/spamlog")) {
        print FILE "Date: " . scalar(localtime) . "\n";
        print FILE "At Server: " . $ENV{'SERVER_NAME'} . "\n";
        print FILE "From IP: " . $ENV{'REMOTE_ADDR'} . "\n";
        print FILE "QUERY-STRING: " . $ENV{'QUERY_STRING'} . "\n\n";
        close(FILE);
    } else {
        warn "formmail: cannot append to /tmp/spamlog: $!\n";
    }
    print "Content-type: text/html\n\n";
    print "<html>\n <head>\n";
    print "</head><body>";
    print "Method GET is not allowed! <br>";
    print "Your IP is logged due to possible SPAM! <br>";
    print "</body></html>";
    exit;
}
# (the script's POST branch follows here unchanged)
Please note that after patching formmail this way, any website using
formmail with the GET method will not work anymore.
Best regards,
Arno Moeller
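One way to do the web server log check Arno recommends, as an added example that is not from the post and not part of FormMail itself: it scans Apache combined-format access logs (the sample lines below are constructed) for GET requests to a formmail script, pulls out the requested recipient, flags recipients outside your own domains, and counts requests per client address. It assumes the script's recipient field is named "recipient", as in Matt Wright's FormMail.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format (not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2001:22:14:01 +0200] "GET /cgi-bin/formmail.pl?recipient=someone%40example.net&subject=hi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Sep/2001:22:14:02 +0200] "GET /cgi-bin/FormMail.pl?recipient=other%40example.org&subject=hi HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.2 - - [24/Sep/2001:22:20:10 +0200] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 512 "http://www.example.com/contact.html" "Mozilla/4.0"
198.51.100.9 - - [24/Sep/2001:22:21:00 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
"""

# Leading fields of a combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def scan_log(log_text, local_domains):
    """Return (hits, per_ip): every GET to a formmail script, with the
    recipient it asked for and whether that recipient is off-site."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue                      # POST (a real form) is not what we look for
        url = urlsplit(m.group("target"))
        if "formmail" not in url.path.lower():
            continue                      # some other CGI or static page
        params = parse_qs(url.query)
        recipient = params.get("recipient", [""])[0]
        domain = recipient.rpartition("@")[2].lower()
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "recipient": recipient,
            "offsite": domain not in local_domains,   # mail relayed to a stranger
        })
        per_ip[m.group("ip")] += 1
    return hits, per_ip

if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG, {"example.com"})
    for h in hits:
        print(h)
    print("formmail GET requests per client:", dict(per_ip))
```

Run it against the real access log with `scan_log(open("/var/log/httpd/access_log").read(), {"yourdomain.example"})`; a client with many off-site hits in a short time is the one to look at.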