Re: [exim] Hijacked "www" user for sending out spam

Pàgina inicial
Delete this message
Reply to this message
Autor: Thomas Hochstein
Data:  
A: exim-users
Assumpte: Re: [exim] Hijacked "www" user for sending out spam
"list1" schrieb:

> I've had some php
> forms played with in the past,


Yes, that would be my first thougt.

> but that leaves at least one entry in the
> http logs accessing the forms in the first place.


And there are none?

> www is listed as trusted_users in
> exim config. Does that make it inherently unsafe or an open relay?


No.

> How can
> you make a call to a server that leaves no trace anywhere other than exim
> log (below).


It may be that someone was able to break into your server using an
unsafe (PHP) script, but not (yet) able to gain root access - he would
then have to act as user www. But if that would be the case, he
probably wouldn't send out spam via your exim but rather start his own
software on your machine ...

> Even log selector set to +all I don't get any extra info that
> would reveal how they accessing me. After 2 minutes that I noticed the
> activity, I shut the server down and left me with almost 3000 pieces in the
> que.


And what do the mails look like, header and body?

-thh