Network Security: Detailed info on How to determine which PHP-script allows spamming?

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Incidents

[Top] [All Lists]

How to determine which PHP-script allows spamming?

from [Rainer Duffner] Network Security

[Permanent Link]

Subject:	How to determine which PHP-script allows spamming?
Date:	Fri, 24 Feb 2006 12:23:47 +0100

Hello,

I have a big problem. Some customer probably got installed a PHP-script that allows to send-out mails with no trace to the original domain it belongs to (we had this before, were pollvote.php was used to install some kind of web-shell - but it was easily detectable which domain it was).

The problem is that I have close to 10000 domains on my cluster. I tried to correlate httpd-logs with the maillogs, but it didn't lead to anything useful. I'm currently grep'ing the whole content for some of the email-addresses used, but I'm pessimistic - it may be that the spammer loads even that list from remote - and it takes a lot of time to grep 400 GB.


What options do I have?
Can Snort detect this?

(The webserver uses qmail as MTA)

cheers,
Rainer

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
How to determine which PHP-script allows spamming?, Rainer Duffner <= Re: How to determine which PHP-script allows spamming?, Alex Re: How to determine which PHP-script allows spamming?, Andre Yelistratov R: How to determine which PHP-script allows spamming?, Sebastian \"En3pY\" Zdrojewski Re: R: How to determine which PHP-script allows spamming?, Mike Owen Re: Re: How to determine which PHP-script allows spamming?, tyler

Previous by Date:	Re: RE: Bizarre traffic, Ansgar -59cobalt- Wiechers
Next by Date:	Re: RE: Bizarre traffic, Dick St.Peters
Previous by Thread:	announcement: reporting and mitigating botnets, Gadi Evron
Next by Thread:	Re: How to determine which PHP-script allows spamming?, Alex
Indexes:	[Date] [Thread] [Top] [All Lists]