Re: [exim] Apache <=> Exim

Author: Graeme Fowler
Date:  
To: exim-users
Subject: Re: [exim] Apache <=> Exim
Hi

On Wed, 2008-07-30 at 20:46 -0400, Grant Peel wrote:
> I am thinking a script on one of my servers has a security hole in it. A few
> days ago, the server started sending out huge amounts of spam. I am yet to
> find the culprit.


I already emailed the Apache users list about this with an example of
how to slice'n'dice the Apache access logs to find likely culprits, but
here's a bit more information...

> In the meantime, I am seeing thousands of mailq entries like:
>
> 2008-07-30 18:33:50 1KOKEw-000DG6-77 <= www@??? U=www P=local
> S=2625 T="God Has Chosen You" from <www@???> for
> junebug7004@???


That does rather imply that Apache has either one or both of CGI and PHP
running as a module. I take it you're not using suEXEC (or one of the
many similar wrappers like suPHP) to ensure accountability over whose
scripts are being run?

> I am thinking that I would like to temporarily disable apache's sending of
> email (from FormMail scripts), until I can track down the offending script.
>
> Is there a way I can do it in Exim's configure?


Phil's already given you one way of doing it. That was a nice, elegant
method - an alternative is simply to remove the execute bit from the
exim binary for everyone (chmod 0750 /usr/sbin/exim), but that's a bit
blunt since it affects everyone on the machine.

Graeme
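Since the thread turns on reading the `U=www P=local` fields in those Exim entries, here is an added example (not from this thread, from Exim, or from either poster) that parses Exim main-log `<=` arrival lines and tallies locally injected messages per Unix user and subject, so a burst from the web server's user with one repeated subject stands out. The log lines are constructed from the single entry quoted above; the `example.invalid` addresses and the extra queue IDs are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Exim main-log "<=" (message arrival) lines, modelled on
# the single entry quoted in the thread; example.invalid addresses are placeholders.
SAMPLE_LOG = """\
2008-07-30 18:33:50 1KOKEw-000DG6-77 <= www@example.invalid U=www P=local S=2625 T="God Has Chosen You" from <www@example.invalid> for junebug7004@example.invalid
2008-07-30 18:33:51 1KOKEx-000DG7-8A <= www@example.invalid U=www P=local S=2630 T="God Has Chosen You" from <www@example.invalid> for other@example.invalid
2008-07-30 18:34:02 1KOKF2-000DG9-Q1 <= grant@example.invalid U=grant P=local S=1800 T="Invoice July" from <grant@example.invalid> for client@example.invalid
2008-07-30 18:34:10 1KOKFA-000DGB-1Z <= sender@remote.invalid H=mx.remote.invalid [192.0.2.10] P=esmtp S=4100 T="Re: meeting" for grant@example.invalid
"""

# "<timestamp> <queue id> <= <envelope sender> <key=value fields ...>"
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$"
)
# key=value where the value is a double-quoted string (T="...") or a bare token (U=www).
FIELD_RE = re.compile(r'\b([A-Z]{1,2})=("(?:[^"\\]|\\.)*"|\S+)')

def parse_arrival(line):
    """Return a dict for one Exim '<=' line, or None if the line is not an arrival."""
    m = ARRIVAL_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "id": m["id"], "sender": m["sender"]}
    for key, val in FIELD_RE.findall(m["rest"]):
        rec[key] = val[1:-1] if val.startswith('"') else val  # strip quotes from T=
    return rec

def local_submissions(log_text):
    """Map each Unix user (U=) that injected mail locally (P=local) to a Counter of subjects."""
    by_user = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec and rec.get("P") == "local" and "U" in rec:
            by_user[rec["U"]][rec.get("T", "")] += 1
    return by_user

def noisy_users(log_text, min_messages):
    """Users with at least min_messages local submissions, most prolific first."""
    by_user = local_submissions(log_text)
    totals = {user: sum(c.values()) for user, c in by_user.items()}
    return sorted((u for u, n in totals.items() if n >= min_messages),
                  key=lambda u: -totals[u])
```

Remote deliveries (`P=esmtp`, with an `H=` host instead of `U=`) are skipped, so the counts only reflect mail handed to Exim by local processes such as a web server running scripts as `www`.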