Posted to users@httpd.apache.org by maillists <li...@gmnet.net> on 2006/01/19 16:12:57 UTC
[users@httpd] apache hacked to send spam!
Hello List,
I have been trying to isolate attacks on my server where someone is
using apache to send spam from my host. I have been hit quite a bit in
the past 2 days. Some of my websites have web forms, but I'm pretty sure
that they are tight.
This is a new line item in my daily Logwatch in the sendmail area that
just started to appear with the spam attacks:
<snip>
Authentication warnings:
apache set sender to info@gmnet.net using -f: 7 Times(s)
</snip>
(info@gmnet.net is a real user on my host.)
Does anybody know what this means?
Where should I start to find the problem?
I am using Redhat9
Apache/2.0.40
php-4.2.2-17.2
sendmail-8.12.8-9.90
sendmail-cf-8.12.8-9.90
mailscanner-4.23-11
mailscanner-mrtg-0.05-3
clamav-0.88
Interchange 5.4
Thanks!
Rick
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] apache hacked to send spam!
Posted by maillists <li...@gmnet.net>.
On Thu, 2006-01-19 at 10:26 -0500, Mark McCulligh wrote:
> It is most likely the php mail() function. With the default install/config
> when the mail() function sends an email it is sent by the Apache user.
>
> If it is going to someone you know over and over (aka a client) it could
> be a contact us page.
>
> Mark.
>
> maillists wrote:
Thanks Mark,
The spam is going out to many outside addresses of the world (sorry
everybody, I need to be sentenced to community service or something for
this)
Does anybody know what the following is in my Logwatch under sendmail
area?
<snip>
Authentication warnings:
apache set sender to lists@gmnet.net using -f: 7 Times(s)
</snip>
Thanks Again! and I apologize if any of you got hit by the spam!
Rick
Re: [users@httpd] apache hacked to send spam!
Posted by Mark McCulligh <mm...@visualtech.ca>.
It is most likely the php mail() function. With the default install/config
when the mail() function sends an email it is sent by the Apache user.
If it is going to someone you know over and over (aka a client) it could
be a contact us page.
Mark.
maillists wrote:
>Hello List,
>
>I have been trying to isolate attacks on my server where someone is
>using apache to send spam from my host. I have been hit quite a bit in
>the past 2 days. Some of my websites have web forms, but I'm pretty sure
>that they are tight.
>
>This is a new line item in my daily Logwatch in the sendmail area that
>just started to appear with the spam attacks:
>
><snip>
>Authentication warnings:
> apache set sender to info@gmnet.net using -f: 7 Times(s)
></snip>
>(info@gmnet.net is a real user on my host.)
>
>Does anybody know what this means?
>Where should I start to find the problem?
>
>I am using Redhat9
>Apache/2.0.40
>php-4.2.2-17.2
>sendmail-8.12.8-9.90
>sendmail-cf-8.12.8-9.90
>mailscanner-4.23-11
>mailscanner-mrtg-0.05-3
>clamav-0.88
>Interchange 5.4
>
>Thanks!
>Rick
--
___________________________________________
Mark McCulligh, Web Consultant
VisualTech Components www.VisualTech.ca
mmcculli@visualtech.ca
(519)318-7905
Re: [users@httpd] apache hacked to send spam!
Posted by Ken Robinson <ke...@rbnsn.com>.
Quoting maillists <li...@gmnet.net>:
> Hello List,
>
> I have been trying to isolate attacks on my server where someone is
> using apache to send spam from my host. I have been hit quite a bit in
> the past 2 days. Some of my websites have web forms, but I'm pretty sure
> that they are tight.
Are these forms processed with PHP? Has the code been checked to make
sure it is immune to the PHP Mail Injection that surfaced last summer?
>
> This is a new line item in my daily Logwatch in the sendmail area that
> just started to appear with the spam attacks:
>
> <snip>
> Authentication warnings:
> apache set sender to info@gmnet.net using -f: 7 Times(s)
> </snip>
> (info@gmnet.net is a real user on my host.)
In PHP, you can use the fifth parameter to the mail() function to set
certain attributes in the SMTP header. If the programmer uses
'-f user@domain.name', the "Return-path:" header is set to
'user@domain.name'. Some email systems are now rejecting the email if the
domain name in the Return-path header is not the same as the domain name
in the "From:" header.
This warning and the spam probably are not connected.
> I am using Redhat9
> Apache/2.0.40
> php-4.2.2-17.2
PHP 4.2.2 is rather old. I would suggest upgrading to at least 4.10 or 4.11
Ken
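Added example (not written by any poster in this thread): one way to start on the "where should I start" question is to line up sendmail's "set sender to ... using -f" warnings with POST requests in the Apache access log, which points at the script that is handing mail to sendmail. The log lines, host names and /contact.php are constructed, and the sendmail syslog and Apache combined log formats are assumed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Paths and hosts are hypothetical.
MAILLOG = """\
Jan 19 10:26:03 www sendmail[4121]: k0JFQ3x4004121: Authentication-Warning: www.example.net: apache set sender to info@example.net using -f
Jan 19 10:26:09 www sendmail[4130]: k0JFQ9x4004130: Authentication-Warning: www.example.net: apache set sender to info@example.net using -f
Jan 19 10:27:40 www sendmail[4188]: k0JFRex4004188: from=<root@www.example.net>, size=512, nrcpts=1
"""
ACCESSLOG = """\
192.0.2.10 - - [19/Jan/2006:10:26:02 -0500] "POST /contact.php HTTP/1.1" 200 812
198.51.100.7 - - [19/Jan/2006:10:26:05 -0500] "GET /about.html HTTP/1.1" 200 4096
192.0.2.10 - - [19/Jan/2006:10:26:08 -0500] "POST /contact.php HTTP/1.1" 200 812
"""

WARN_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sendmail\[\d+\]: \S+ "
                     r"Authentication-Warning: \S+ (\S+) set sender to (\S+) using -f")
POST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^ \]]+) [^\]]+\] "POST (\S+)')

def sender_warnings(maillog, year):
    """Yield (time, unix_user, forced_sender) for each '-f' warning."""
    for line in maillog.splitlines():
        m = WARN_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def post_requests(accesslog):
    """Yield (time, client_ip, path) for each POST; UTC offset is ignored."""
    for line in accesslog.splitlines():
        m = POST_RE.match(line)
        if m:
            yield datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"), m.group(1), m.group(3)

def suspect_scripts(maillog, accesslog, year, window=5, user="apache"):
    """Count POSTs that precede a '-f' warning by at most `window` seconds."""
    posts = list(post_requests(accesslog))
    warns = [ts for ts, u, _ in sender_warnings(maillog, year) if u == user]
    hits = Counter()
    for ts in warns:
        for pts, ip, path in posts:
            if timedelta(0) <= ts - pts <= timedelta(seconds=window):
                hits[(path, ip)] += 1
    return hits

if __name__ == "__main__":
    for (path, ip), n in suspect_scripts(MAILLOG, ACCESSLOG, 2006).most_common():
        print(f"{n:3d}  {path}  from {ip}")
```

A script that dominates the count is the one to review for unfiltered CR/LF in fields that reach mail() headers or the fifth parameter.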