SPAM dissemination (was Exim problem)

Alan Cohen alan-QVObF66B6qeOg/Yh5kgvkFaTQe2KTcn/ at
Fri Dec 12 16:50:15 UTC 2003

Problem solved.

Recently I found that my server was being used to disseminate SPAM. I
suspected my exim mail server was being used somehow as as open relay. 

>From mail server:		telnet 25
The results of more than a dozen tests appear in your telnet session.
In my case, the results suggested that my server was not an open relay.

A suggestion was made that my system had been hacked and that I should
try tcpdump'ing on the firewall when the incursion was occurring, but
something else looking suspicious.

Exim's logs said these emails were originating from inside my server and
that the user was "apache". 

hmmm... "apache" is the user that runs the apache web server...
I examined both the time-stamped mail server logs and apache access logs
focusing on the time of one of the email batches. At precisely that
time, I saw a record in the apache access log that said a particular cgi
program was accessed. The culprit -- that cgi program -- was found.

Used "normally", that cgi program was harmless, however it was
exploitable -- and it was being exploited.

-------------------------------------- Please do not respond in HTML
Alan Cohen alan-QVObF66B6qeOg/Yh5kgvkFaTQe2KTcn/
voice: 416-783-9826
fax:   240-269-7457

The Toronto Linux Users Group.      Meetings:
TLUG requests: Linux topics, No HTML, wrap text below 80 columns

More information about the Legacy mailing list