On Wed, 2008-07-30 at 20:46 -0400, Grant Peel wrote:
> I am thinking a script on one of my servers has a security hole in it. A few
> days ago, the server started sending out huge amounts of spam. I am yet to
> find the culprit.
I already emailed the Apache users list about this with an example of
how to slice'n'dice the Apache access logs to find likely culprits, but
here's a bit more information...
> In the mean time, I am seeing thousands of mailq entries like:
>
> 2008-07-30 18:33:50 1KOKEw-000DG6-77 <= www@??? U=www P=local
> S=2625 T="God Has Chosen You" from <www@???> for
> junebug7004@???
That does rather imply that Apache has either one or both of CGI and PHP
running as a module. I take it you're not using suEXEC (or one of the
many similar wrappers like suPHP) to ensure accountability over whose
scripts are being run?
> I am thinking that I would like to temporarily disable apache's sending of
> email (from FormMail scripts), until I can track down the offending script.
>
> Is there a way I can do it in Exim's configure?
Phil's already given you one way of doing it. That was a nice, elegant
method - an alternative is simply to remove the execute bit from the
exim binary for everyone (chmod 0750 /usr/sbin/exim), but that's a bit
blunt since it affects everyone on the machine.
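As an added example (not part of the thread, nor of Exim or Apache), here is one way to do the slice'n'dice the reply refers to: parse the Exim mainlog `<=` lines to see which Unix user is injecting the mail, then match each injection by the web-server user against POST requests in the Apache access log that landed a few seconds earlier. The log lines are constructed samples in the same shape as the one quoted above; the script assumes both logs use the server's local time zone and that the web user is `www`.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the original thread).
EXIM_LOG = """\
2008-07-30 18:33:50 1KOKEw-000DG6-77 <= www@example.invalid U=www P=local S=2625 T="God Has Chosen You"
2008-07-30 18:33:52 1KOKEy-000DG7-88 <= www@example.invalid U=www P=local S=2630 T="God Has Chosen You"
2008-07-30 18:40:00 1KOKL0-000DH1-00 <= alice@example.invalid U=alice P=local S=512 T="lunch"
"""
ACCESS_LOG = """\
10.0.0.5 - - [30/Jul/2008:18:33:49 -0400] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 312
10.0.0.5 - - [30/Jul/2008:18:33:51 -0400] "POST /cgi-bin/formmail.pl HTTP/1.1" 200 312
10.0.0.9 - - [30/Jul/2008:18:20:00 -0400] "GET /index.html HTTP/1.1" 200 5120
10.0.0.7 - - [30/Jul/2008:18:39:58 -0400] "POST /contact.php HTTP/1.1" 200 100
"""

# Exim "message arrived" line: timestamp, message id, "<=" sender, U=user P=protocol ...
EXIM_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ U=(\S+) P=(\S+)')
# Apache common/combined log: [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path HTTP/x"
APACHE_RE = re.compile(r'\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\] "(\w+) (\S+)')

def exim_events(text):
    """Yield (time, unix_user, protocol) for each '<=' line in the mainlog."""
    for line in text.splitlines():
        m = EXIM_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def mail_per_user(text):
    """Count messages injected locally, keyed by the U= user; a web user at the top
    points at a CGI/PHP script rather than a real account."""
    return Counter(user for _, user, proto in exim_events(text) if proto == "local")

def apache_posts(text):
    """Yield (time, script path) for each POST, dropping any query string."""
    for line in text.splitlines():
        m = APACHE_RE.search(line)
        if m and m.group(2) == "POST":
            yield datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S"), m.group(3).split("?")[0]

def suspect_scripts(exim_text, access_text, user="www", window=5):
    """Rank scripts that received a POST within `window` seconds before each
    message the web-server user handed to Exim (a heuristic, not proof)."""
    posts = list(apache_posts(access_text))
    hits = Counter()
    for when, who, proto in exim_events(exim_text):
        if who != user or proto != "local":
            continue
        for t, path in posts:
            if when - timedelta(seconds=window) <= t <= when:
                hits[path] += 1
    return hits

if __name__ == "__main__":
    print(mail_per_user(EXIM_LOG).most_common())
    print(suspect_scripts(EXIM_LOG, ACCESS_LOG).most_common())
```

On a real box, feed it the whole mainlog and access_log; the path that tops the second list is the one to inspect first, and its absence from the list usually means the sender is not a web form but something exec'd by a script directly.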