[ale] tracking down a spammer on our box
    Ryan Williams
    ryan at jimmyether.com
    Thu Mar 31 23:48:45 EST 2005

We are running RedHat ES and have someone using our server to send a
small but steady stream of spam... between 4 and 5 messages per minute,
so they are smart enough to keep the activity fairly low profile. We've
already confirmed with ORDB that we are not an open relay. The messages
are showing up in ps -aux as:

    qmailr 19774 0.0 0.0 3436 972 ? S 14:44 0:00 qmail-remote remotedomain.com anonymous@server1.ourserver.com randomuser@remotedomain.com

and our maillogs show messages being delivered which are certainly spam:

    Mar 31 15:07:02 server1 qmail: 1112299622.785136 starting delivery 193807: msg 9536773 to remote randomuser@remotedomain.com

Since the messages are being sent by "anonymous", we are pretty sure
this is a vulnerable PHP script somewhere on the server that is being
used, but we are having the hardest time tracking down which one(s) is
the culprit. Is there any way to track down which domain or script was
used to send these messages?
Thanks!
Ryan
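An added example, not code from Ryan's post or from the ALE list: a logging stand-in for qmail's sendmail binary that records which directory, script and client submitted each message before passing it to the real binary, plus a helper that ranks scripts by submission count. It assumes PHP's mail() goes through sendmail (php.ini sendmail_path), that the real binary has been renamed sendmail.real, and uses constructed sample log lines; the SCRIPT_NAME/REQUEST_URI/REMOTE_ADDR fields are only present when PHP runs as CGI or suPHP, under mod_php usually only PWD is informative.

```shell
#!/bin/sh
# Added example, not from the original post: a logging stand-in for
# qmail's sendmail binary (/var/qmail/bin/sendmail, usually symlinked from
# /usr/sbin/sendmail) that records who submitted each message before
# handing it to the real binary. Assumed layout: the real binary has been
# renamed to sendmail.real and this script is installed as "sendmail".
REAL_SENDMAIL="${REAL_SENDMAIL:-/var/qmail/bin/sendmail.real}"
LOGFILE="${MAIL_WRAPPER_LOG:-/var/log/mail-wrapper.log}"

# One log line per submission. PWD is the working directory of the calling
# process (for PHP mail() that is the directory of the running script,
# which maps to a vhost). SCRIPT_NAME, REQUEST_URI and REMOTE_ADDR are in
# the environment only when PHP runs as CGI/suPHP; under mod_php they are
# usually absent and show up as "?", so PWD is the field to rely on.
log_caller() {
    printf '%s uid=%s pwd=%s script=%s uri=%s client=%s args=%s\n' \
        "$(date '+%b %d %H:%M:%S')" "$(id -u)" "${PWD:-?}" \
        "${SCRIPT_NAME:-?}" "${REQUEST_URI:-?}" "${REMOTE_ADDR:-?}" "$*"
}

# Read wrapper log lines on stdin and list scripts by submission count,
# busiest first: the abused form or dropped mailer script floats to the top.
summarize_callers() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^script=/) c[$i]++ }
         END { for (k in c) print c[k], k }' | sort -rn
}

# Only act as the wrapper when invoked under the sendmail name; sourcing
# the file under any other name just defines the two functions above.
case "${0##*/}" in
    sendmail)
        log_caller "$@" >> "$LOGFILE" 2>/dev/null
        exec "$REAL_SENDMAIL" "$@"
        ;;
esac
```

After an hour or two of collection, `summarize_callers < /var/log/mail-wrapper.log` names the directory and script to pull from the web root for inspection, and the same log lines can be matched by timestamp against the qmail "starting delivery" entries.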