Re: Still after the apache spammer, more info
From: Allodoxaphobia (bit-bucket_at_config.com)
Date: 04/26/05
- Next message: Bev A. Kupf: "Re: Still after the apache spammer, more info"
- Previous message: Newsbox: "Re: sendmail compromised - Somebody help me!"
- In reply to: Ohmster: "Still after the apache spammer, more info"
- Next in thread: Bev A. Kupf: "Re: Still after the apache spammer, more info"
- Reply: Bev A. Kupf: "Re: Still after the apache spammer, more info"
Date: 26 Apr 2005 20:58:21 GMT
On Tue, 26 Apr 2005 02:23:07 GMT, Ohmster wrote:
> For anyone following along, the redhat 9 machine that sends tons of spam
> email to the world at large, all by itself. Here is more information,
> hoping that it will prove to be useful in tracking down the unsecured
> files. Quick history, up to date:
>
> Redhat 9 machine on 24/7 ADSL connection, using rp-pppoe to connect and
> give the machine "a real IP address". Machine is a
> server/gateway/firewall for home LAN of 2 XP Pro machines. Machine has 3
> FQDNs, running apache with 3 virtual hosts for the domains. Running phpbb
> 2.0.6 (Can email) and coppermine photo gallery 1.2.1 (Can email) on one
> virtual host, behind .htaccess directory for user/pass, basic auth. This
> is a family website for web board and photos. Passworded to keep private
> family info more or less private. 2nd vhost is my personal domain,
> nothing of interest, used mostly as an http file server for friends when
> given a direct URL to a file, no directory browsing. 3rd domain a small
> Outlook Express stationery website for a friend, public. Runs openbook
> guestbook 1.2.2 (Can email) for a guestbook. Web root is in /var/www/html
> contains little of interest, just a go away message and phpMyAdmin-2.5.0
> also resides there.
>
> For the most part, the machine is secure and good. All is well. There
> have been episodes of mass spamming of the world at large by apache on
> this machine. All spam emails are sent by apache and accepted by sendmail;
> it happens as relay=apache@localhost.
>
> When these episodes of mass spamming occur, the machine will slow to a
> crawl and top reveals a perl process, owned by apache, eating 99% CPU and
> this will continue until you kill the process or it just "finishes"
You (or others with web sites on your machine) don't have an old,
vulnerable version of Matt's formmail.pl in a cgi directory -- do you?
Jonesy -- just thinkin' out loud.
--
Marvin L Jones | jonz | W3DHJ | linux
Gunnison, Colorado | @ | Jonesy | OS/2 __
7,703' -- 2,345m | config.com | DM68mn SK
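
An added example, not part of either post: one way to narrow down which web script is handing mail to sendmail is to line up the `relay=apache@localhost` entries in the mail log with the Apache requests that arrived just before them. The log lines, the script path `/cgi-bin/example-form.pl` and the addresses are constructed samples, and the code assumes both logs use the same local clock.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (not taken from the machine discussed in the thread).
MAILLOG = """\
Apr 26 02:10:01 gw sendmail[4101]: j3Q2A1aa004101: from=apache, size=812, class=0, nrcpts=1, msgid=<1@gw>, relay=apache@localhost
Apr 26 02:10:02 gw sendmail[4105]: j3Q2A2ab004105: from=apache, size=815, class=0, nrcpts=1, msgid=<2@gw>, relay=apache@localhost
Apr 26 02:10:02 gw sendmail[4109]: j3Q2A2ac004109: from=apache, size=809, class=0, nrcpts=1, msgid=<3@gw>, relay=apache@localhost
Apr 26 03:00:00 gw sendmail[4200]: j3Q300ad004200: from=root, size=300, class=0, nrcpts=1, msgid=<4@gw>, relay=root@localhost
"""
ACCESS_LOG = """\
203.0.113.7 - - [26/Apr/2005:02:10:00 -0400] "POST /cgi-bin/example-form.pl HTTP/1.0" 200 312
203.0.113.7 - - [26/Apr/2005:02:10:02 -0400] "POST /cgi-bin/example-form.pl HTTP/1.0" 200 312
198.51.100.4 - - [26/Apr/2005:02:30:00 -0400] "GET /index.html HTTP/1.1" 200 1024
"""

# sendmail "from=" entries for mail submitted locally by the apache user.
MAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+ "
                     r"from=apache,.*relay=apache@localhost")
# Common/combined access log: client, local timestamp, method, path.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+) [^\]]+\] "(\S+) (\S+)')

def apache_mail_times(maillog, year):
    """Timestamps of messages apache handed to sendmail (syslog omits the year)."""
    times = []
    for line in maillog.splitlines():
        m = MAIL_RE.match(line)
        if m:
            times.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return times

def suspect_requests(maillog, access_log, year, window=5):
    """Attribute each apache-sent mail to the latest request in the prior `window` seconds."""
    reqs = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, stamp, method, path = m.groups()
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")
            reqs.append((when, method, path.split("?")[0], ip))
    reqs.sort()
    hits = Counter()
    for sent in apache_mail_times(maillog, year):
        prior = [r for r in reqs if timedelta(0) <= sent - r[0] <= timedelta(seconds=window)]
        if prior:
            _, method, path, ip = prior[-1]
            hits[(method, path, ip)] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (method, path, ip), n in suspect_requests(MAILLOG, ACCESS_LOG, 2005):
        print(f"{n:4d} mails  {method} {path}  from {ip}")
```

A script that tops this list during a spam episode is the first place to look; a burst of mail with no matching request points instead at a long-running process, such as the perl job seen in top.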