Grant Peel wrote:
> I am thinking a script on one of my servers has a security hole in it. A few
> days ago, the server started sending out huge amounts of spam. I am yet to
> find the culprit.
In such cases standard precautions apply, I would say. Since it is
possible your server has been broken into. Check for any unknown
processes running, do an ls -al /tmp/ /var/tmp and /dev/shm and see if
you find any oddball files, such as /tmp/...
It's very common for a compromised system to have an irc daemon running
to control bots/botnets and to abuse the MTA to send out spam. Google is
your friend at finding out what to do when your server might be broken into.
> In the mean time, I am seeing thousands of mailq entries like:
>
> 2008-07-30 18:33:50 1KOKEw-000DG6-77 <= www@??? U=www P=local
> S=2625 T="God Has Chosen You" from <www@???> for
> junebug7004@???
If you want to obfuscate you should use example.com/.net/.org instead.
> I am thinking that I would like to temporarily disble apache's sending of
> email (from FormMail scripts), until I can track down the offending script.
>
> Is there a way I can do it in Exim's configure?
I am sure there is, but that way you wouldn't find out the cause, which
I hope is "just" the abuse of a script or such originating from your
webserver. Why not stop apache and see if that stops the spam? Then go
from there.
Also remove all email from the queue which can clearly be idenmtified to
be spam.
http://bradthemad.org/tech/notes/exim_cheatsheet.php may be
helpful. T="Gawd Has Chosen You" looks like an easy indicator. ;-)
Greetings,
Jeroen
