Re: How to determine which PHP-script allows spamming?
- From: Andre Yelistratov <andre@xxxxxxxxxxx>
- Date: Sun, 26 Feb 2006 14:36:27 +0300
I would write simple perl wrapper around /usr/sbin/sendmail. It should distinguish between calling scripts and count speed of calls. If the script overwhelms certain threshold - put the letter at some spool for further analysis.
Rainer Duffner wrote:
Hello,
I have a big problem. Some customer probably got installed a PHP-script that allows to send-out mails with no trace to the original domain it belongs to (we had this before, were pollvote.php was used to install some kind of web-shell - but it was easily detectable which domain it was).
The problem is that I have close to 10000 domains on my cluster.
I tried to correlate httpd-logs with the maillogs, but it didn't lead to anything useful.
I'm currently grep'ing the whole content for some of the email-addresses used, but I'm pessimistic - it may be that the spammer loads even that list from remote - and it takes a lot of time to grep 400 GB.
What options do I have?
Can Snort detect this?
(The webserver uses qmail as MTA)
cheers,
Rainer
- References:
- How to determine which PHP-script allows spamming?
- From: Rainer Duffner
- How to determine which PHP-script allows spamming?
- Prev by Date: Re: How to determine which PHP-script allows spamming?
- Next by Date: R: How to determine which PHP-script allows spamming?
- Previous by thread: Re: How to determine which PHP-script allows spamming?
- Next by thread: R: How to determine which PHP-script allows spamming?
- Index(es):
