Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: How to determine which PHP-script allows spamming?

from [Andre Yelistratov] Network Security [Permanent Link]
Subject: Re: How to determine which PHP-script allows spamming?
Date: Sun, 26 Feb 2006 14:36:27 +0300
I would write simple perl wrapper around /usr/sbin/sendmail. It should distinguish between calling scripts and count speed of calls. If the script overwhelms certain threshold - put the letter at some spool for further analysis.

Rainer Duffner wrote: 
Hello,

I have a big problem. Some customer probably got installed a PHP-script that allows to send-out mails with no trace to the original domain it belongs to (we had this before, were pollvote.php was used to install some kind of web-shell - but it was easily detectable which domain it was).

The problem is that I have close to 10000 domains on my cluster.
I tried to correlate httpd-logs with the maillogs, but it didn't lead to anything useful.
I'm currently grep'ing the whole content for some of the email-addresses used, but I'm pessimistic - it may be that the spammer loads even that list from remote - and it takes a lot of time to grep 400 GB.


What options do I have?
Can Snort detect this?

(The webserver uses qmail as MTA)



cheers,
Rainer



[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: How to determine which PHP-script allows spamming?, Alex
Next by Date:  R: How to determine which PHP-script allows spamming?, Sebastian \"En3pY\" Zdrojewski
Previous by Thread:  Re: How to determine which PHP-script allows spamming?, Alex
Next by Thread:  R: How to determine which PHP-script allows spamming?, Sebastian \"En3pY\" Zdrojewski
Indexes:  [Date] [Thread] [Top] [All Lists]