Spammer exploiting a PHP site, but can't figure out which site - help!

Posted on 2006-05-21
Last Modified: 2010-04-22
Hi all,

We have a spammer currently using (I assume) POST/Register_Globals to abuse an open form, and using our webserver to push spam through the SMTP server.

Problem is, this box runs a lot of websites and I have no idea how to start figuring out which site is the one that needs to be fixed up.


Does anyone have an easy method (or set of strings to grep) to try and parse some logs and work out which site is being exploited?
Question by: Straife
 
Expert Comment by: ravenpl (ID: 16731938)

If it uses the PHP mail() function, remap it to your own custom one to log the script name.
Hence you mentioned it's with SMTP...
 
Expert Comment by: DVB (ID: 16733074)

OK, the easy way is to remap the mail() function.
There is a patch for PHP which adds the request URL into mail headers.

The fastest solution is to look at your mail logs for the time of email injection. Then look at your webserver logs for every PHP script which was called at that time (+/- 2 seconds if you like). Then you have a list of suspect scripts to watch.

Repeat for a few mail injections and your suspect script should become obvious.
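The log correlation DVB describes, as an added example that is not part of the thread: a POSIX sh/awk function that takes every `from=` line in the mail log as the moment a message entered the queue and lists the PHP scripts hit within a few seconds of it, counted across all injections so the abused form rises to the top while coincidental hits (here a legitimate mail from `webmaster` landing next to `news.php`) stay at one. It assumes an Apache access log with the virtual host name first (the combined format with `%v:%p` prepended, so one file covers every site on the box) and a sendmail- or Postfix-style mail log; all log lines are constructed for the example.

```shell
#!/bin/sh
# Correlate mail-queue injections with Apache hits on PHP scripts.
# Constructed sample data; not taken from the original thread.

# Sendmail-style log. Only the "from=" line (message entering the queue) is
# used as the injection timestamp; Postfix logs a "from=" line as well.
MAILLOG='May 21 14:03:12 www sendmail[2231]: k4LE3C02231: from=<apache@www.example.com>, size=812, class=0, nrcpts=1
May 21 14:03:14 www sendmail[2231]: k4LE3C02231: to=<target@example.net>, stat=Sent
May 21 14:07:40 www sendmail[2307]: k4LE7e02307: from=<apache@www.example.com>, size=830, class=0, nrcpts=1
May 21 14:10:03 www sendmail[2350]: k4LEA302350: from=<webmaster@www.example.com>, size=500, class=0, nrcpts=1'

# Apache access log with the virtual host first (combined format prefixed by %v:%p).
ACCESSLOG='www.site-a.example:80 192.0.2.10 - - [21/May/2006:14:03:11 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
www.site-a.example:80 198.51.100.7 - - [21/May/2006:14:03:11 +0000] "GET /images/logo.gif HTTP/1.1" 200 4012 "-" "Mozilla/4.0"
www.site-b.example:80 203.0.113.5 - - [21/May/2006:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 2200 "-" "Mozilla/4.0"
www.site-a.example:80 192.0.2.10 - - [21/May/2006:14:07:39 +0000] "POST /contact.php?lang=en HTTP/1.1" 200 512 "-" "Mozilla/4.0"
www.site-b.example:80 203.0.113.5 - - [21/May/2006:14:07:41 +0000] "GET /index.php HTTP/1.1" 200 2200 "-" "Mozilla/4.0"
www.site-c.example:80 203.0.113.9 - - [21/May/2006:14:10:02 +0000] "GET /news.php HTTP/1.1" 200 2200 "-" "Mozilla/4.0"'

# Usage: suspect_scripts MAIL_LOG ACCESS_LOG [WINDOW_SECONDS]
# Prints "count vhost:port /script.php", most frequent first.
suspect_scripts() {
    awk -v win="${3:-2}" '
    # Crude absolute seconds from month name, day and HH:MM:SS. It ignores the
    # year and real month lengths, which is fine for matching events a couple
    # of seconds apart within one log rotation.
    function stamp(mon, day, hms,    p, m) {
        split(hms, p, ":")
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
        return (m * 31 + day) * 86400 + p[1] * 3600 + p[2] * 60 + p[3]
    }
    # First file: the mail log. Remember when each message was queued.
    NR == FNR {
        if ($0 ~ / from=/) inj[++n] = stamp($1, $2, $3)
        next
    }
    # Second file: the access log. Keep PHP hits within win seconds of a queued message.
    $8 ~ /\.php/ {
        split(substr($5, 2), d, "/")        # "[21/May/2006:14:03:11" -> 21, May, 2006:14:03:11
        split(d[3], y, ":")                 # 2006, 14, 03, 11
        t = stamp(d[2], d[1], y[2] ":" y[3] ":" y[4])
        sub(/\?.*/, "", $8)                 # drop the query string
        for (i = 1; i <= n; i++)
            if (t >= inj[i] - win && t <= inj[i] + win) { print $1, $8; break }
    }' "$1" "$2" | sort | uniq -c | sort -rn
}

# Write the constructed samples to temporary files and run the correlation.
demo() {
    m=$(mktemp) && a=$(mktemp) || return 1
    printf '%s\n' "$MAILLOG" > "$m"
    printf '%s\n' "$ACCESSLOG" > "$a"
    suspect_scripts "$m" "$a" 2
    rm -f "$m" "$a"
}

demo
```

With per-vhost log files instead of one `%v`-prefixed log, run the function once per file and drop `$1` from the `print` (the request path then sits in `$7`). Keep the window tight: mail() hands the message to sendmail while the request is still running, and Apache writes the access-log entry when the request completes, so the queue timestamp normally falls within a second or two of the hit, on either side.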
 
Expert Comment by: ravenpl (ID: 16733114)

> There is a patch for PHP which adds the request URL into mail headers.
Can you post the link? I have my own (not released anywhere) but want to compare.
 
Accepted Solution by: DVB (earned 2000 total points; ID: 16733255)

 

Author Comment by: Straife (ID: 16739483)

Okay, what if I'm unable to recompile PHP, though, and simply have Red Hat build RPMs for it?

Expert Comment by: DVB (ID: 16747226)

Write a shell script as a sendmail wrapper?
Alternatively, disallow direct submission to sendmail and require use of authenticated port 25 submissions.

Author Comment by: Straife (ID: 16804754)

Any example of a shell script you can guide me to?

As I understand it, I'd then point php.ini to this script, which wraps it back to the proper binary, but my mind is blank on how to pass all the relevant arguments through such a script.
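An added example of the sendmail wrapper DVB suggests; it is not from the thread, and the script name, log path and `/usr/sbin/sendmail` location are assumptions. The whole trick for passing arguments through is `exec "$REAL_SENDMAIL" "$@"`: every argument is forwarded unchanged and stdin, where PHP writes the message, stays connected. The wrapper never learns the PHP script's filename, but it does see the working directory, and PHP running under Apache (mod_php or CGI, unlike the CLI) changes into the directory of the script before executing it, so the `cwd=` field usually points straight at the offending site. Treat that as an assumption to verify on your own build by submitting a known form first.

```shell
#!/bin/sh
# Hypothetical sendmail wrapper (example, not from the thread). Install as
# /usr/local/bin/sendmail-wrap and point PHP at it in php.ini:
#   sendmail_path = "/usr/local/bin/sendmail-wrap -t -i"
# Every call is logged with its working directory and arguments, then handed
# unchanged to the real binary.

REAL_SENDMAIL=/usr/sbin/sendmail            # assumption: adjust to your MTA
LOG=/var/log/sendmail-wrap.log              # must be writable by the web-server user

# Build one log record.
# $1 = working directory of the caller, $2 = numeric uid, rest = sendmail arguments.
format_record() {
    cwd=$1 uid=$2
    shift 2
    printf '%s pid=%s uid=%s cwd=%s' "$(date '+%Y-%m-%dT%H:%M:%S')" "$$" "$uid" "$cwd"
    # CGI variables are present only when PHP runs as CGI/FastCGI (e.g. suPHP);
    # under mod_php they are normally absent and show up as "-".
    printf ' vhost=%s uri=%s remote=%s' "${SERVER_NAME:--}" "${REQUEST_URI:--}" "${REMOTE_ADDR:--}"
    # Each argument is quoted separately so an injected "-f spammer@example.com"
    # passed through the fifth mail() parameter stays visible in the log.
    for arg; do printf " '%s'" "$arg"; done
    printf '\n'
}

# Dispatch only when running under the installed name, so the file can also be
# sourced to exercise format_record without sending anything.
case ${0##*/} in
sendmail-wrap)
    format_record "$(pwd)" "$(id -u)" "$@" >> "$LOG"
    # "$@" forwards every argument intact; stdin (the message) is inherited,
    # so "-t" still reads the recipients from the headers.
    exec "$REAL_SENDMAIL" "$@"
    ;;
esac
```

Once a few spam runs have been logged, `grep -c` per `cwd=` value ranks the sites. On later PHP releases the wrapper is unnecessary: from PHP 5.3, `mail.log` records every mail() call with the calling script and line number, and `mail.add_x_header = On` stamps each outgoing message with an `X-PHP-Originating-Script` header naming the script.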
 
Expert Comment by: DVB (ID: 16832072)

Hmmm, I can't think of a way to pass the name of the calling script to the sendmail wrapper. I suspect that the correct fix would be to replace the PHP mail function, or simply require that all submissions be done via authenticated SMTP.

Expert Comment by: DVB (ID: 16832082)

I would like to repeat that correlating your Apache and mail logs should do the trick.

Expert Comment by: ahoffmann (ID: 16840011)


Author Comment by: Straife (ID: 16919822)

I bit the bullet and recompiled, thanks.