Re: [exim] Hijacked "www" user for sending out spam

Author: list1
Date:  
To: exim-users
Subject: Re: [exim] Hijacked "www" user for sending out spam
>"list1" wrote:
>
>... ...
>
>> How can
>> you make a call to a server that leaves no trace anywhere other than exim
>> log (below).
>
>It may be that someone was able to break into your server using an
>unsafe (PHP) script, but not (yet) able to gain root access - he would
>then have to act as user www. But if that would be the case, he
>probably wouldn't send out spam via your exim but rather start his own
>software on your machine ...


Just a follow-up note to "Hijacked "www" user": I have prepended every PHP
request to see how mail() is being used, and it looks like SquirrelMail was
the way in. Below is the info that my added code captured. Since the user
agent is "empty", I figure these attempts were made through telnet. Thanks for
all responses.



"
Stopped possible mail-injection @ www.dnsbureau.com by 66.28.32.44
(27/03/2006 13:53:04)

*** IP/HOST
66.28.32.44

*** USER AGENT
empty

*** REFERER
http://www.dnsbureau.com/

*** REQUEST URI
/webmail/src/redirect.php

*** REQUEST METHOD
POST


you
(anti-spam-content-type:) multipart/alternative;
boundary=5a8d85989bb222c230d4e6c8d4910726
(anti-spam-mime-version:) 1.0
Subject: us hou canst accomplish and thou
(anti-spam-bcc:) jmpatton2OOO@???

This is a multi-part message in MIME format.

--5a8d85989bb222c230d4e6c8d4910726
(anti-spam-content-type:) text/plain; charset="us-ascii"
(anti-spam-mime-version:) 1.0
Content-Transfer-Encoding: 7bit

soul. e have accompanied him to is sleeping chamber his bed was well
prepared have
--5a8d85989bb222c230d4e6c8d4910726--

.

----

====
array (
'login_username' => 'she5810@???',
'secretkey' => 'you
Content-Type: multipart/alternative;
boundary=5a8d85989bb222c230d4e6c8d4910726
MIME-Version: 1.0
Subject: us hou canst accomplish and thou
bcc: jmpatton2OOO@???

This is a multi-part message in MIME format.

--5a8d85989bb222c230d4e6c8d4910726
Content-Type: text/plain; charset=\\"us-ascii\\"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

soul. e have accompanied him to is sleeping chamber his bed was well
prepared have
--5a8d85989bb222c230d4e6c8d4910726--

.
',
'js_autodetect_results' => 'she5810@???',
'SUBMIT4' => 'she5810@???',
'just_logged_in' => 'she5810@???',
)
==== "
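The capture above shows the classic mail-header injection pattern: a newline inside a form field (here SquirrelMail's `secretkey`) followed by `Content-Type:`, `Subject:` and `bcc:` lines, so that whatever the script later hands to mail() carries the attacker's headers and recipients. The following is an added example, not the poster's code or SquirrelMail's: an `auto_prepend_file` guard that inspects every request parameter for a CR/LF followed by a header name, logs the same fields the poster captured (IP, user agent, referer, URI, method) plus the offending parameter with line breaks made visible, and rejects the request before the application script runs. The log path and the 400 response are assumptions.

```php
<?php
// Added example (not from the original post): drop-in auto_prepend_file guard
// against mail-header injection in request parameters. Assumes PHP 5.3+.

// A legitimate single-line field never contains a line break followed by
// a header name; that combination is the signature seen in the capture.
const HEADER_INJECTION_PATTERN =
    '/(?:\r\n|\n|\r)\s*(?:to|cc|bcc|content-type|mime-version|subject)\s*:/i';

function looks_like_header_injection($value)
{
    if (is_array($value)) {               // nested form arrays (field[])
        foreach ($value as $v) {
            if (looks_like_header_injection($v)) {
                return true;
            }
        }
        return false;
    }
    return is_string($value) && preg_match(HEADER_INJECTION_PATTERN, $value) === 1;
}

// Returns the names of all parameters that carry an injected header block.
function find_injected_params(array $params)
{
    $hits = array();
    foreach ($params as $name => $value) {
        if (looks_like_header_injection($value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Make CR/LF visible so the logged value cannot itself smuggle lines.
function defang($value)
{
    return str_replace(array("\r", "\n"), array('\r', '\n'), (string) $value);
}

$params = array_merge($_GET, $_POST);
$hits   = find_injected_params($params);
if ($hits) {
    $s = function ($k) { return isset($_SERVER[$k]) ? $_SERVER[$k] : 'empty'; };
    $entry = sprintf("Stopped possible mail-injection by %s (%s)\n*** USER AGENT\n%s\n"
        . "*** REFERER\n%s\n*** REQUEST URI\n%s\n*** REQUEST METHOD\n%s\n",
        $s('REMOTE_ADDR'), date('d/m/Y H:i:s'), $s('HTTP_USER_AGENT'),
        $s('HTTP_REFERER'), $s('REQUEST_URI'), $s('REQUEST_METHOD'));
    foreach ($hits as $name) {
        $entry .= "*** PARAM $name\n" . defang(is_array($params[$name])
            ? implode('|', $params[$name]) : $params[$name]) . "\n";
    }
    error_log($entry . "----\n", 3, '/var/log/mail-injection.log'); // assumed path
    header('HTTP/1.1 400 Bad Request');
    exit('Request rejected.');
}
```

Enable it with `auto_prepend_file=/path/to/guard.php` in php.ini or the vhost; because it runs before the application, the injected headers never reach mail() or exim, and the log gives the same IP, agent and URI fields the poster used to trace the abuse.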