  1. #1

    Mail form compromised??

    I have a pretty large site with a few different mail scripts. I am using modified versions of Jack's Formmail and also my own. I have been getting some spam recently and I believe it is coming from one of those scripts, but I don't know which one. Is there a way to identify the script that is being used? I have checked the HTTP access logs and haven't really seen anything that looks like it could be someone misusing any of the forms. Here are the headers of the spam.

    Mreply: read error from []
    [email protected]
    ${daemon_flags}c u
    [email protected]
    MDeferred: Connection reset by []
    C:[email protected]
    rRFC822; [email protected]
    RPFD:[email protected]
    H?P?Return-Path: <g>
    H??Received: (from [email protected])
    by (8.13.8/8.13.8/Submit) id nAI3AdIP030555;
    Tue, 17 Nov 2009 22:10:39 -0500
    H?D?Date: Tue, 17 Nov 2009 22:10:39 -0500
    H?M?Message-Id: <[email protected]>
    H??X-Authentication-Warning: apache set sender to [email protected] using -f
    H??To: [email protected]
    H??Subject: Comunicazioni sicure da BancoPosta 17/11/09
    H??From: Poste Italiane S.p.A. <[email protected]>
    H??MIME-Version: 1.0
    H??Content-Type: text/html
    H??Content-Transfer-Encoding: 8bit

    So is this an injection? It definitely seems as though it is a PHP hack because of this line

    H??X-Authentication-Warning: apache set sender to [email protected] using -f

    but I haven't found any documentation that would lead me to believe it is the Jack's Formmail script. Anyone have any ideas or suggestions to point me in the right direction?


  2. #2
    Depending on your MTA, check the mail logs; they should give you more of a hint of what is sending the mail (e.g. /var/log/exim_mainlog for Exim, etc.).
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.

  3. #3
    I am just using sendmail, no control panel or anything. I checked /var/log/maillog but nothing in there tells me which script is being used.

  4. #4
    I would think that the HTTP access logs would show multiple connections to the compromised script, but I don't see anything like that.

  5. #5
    You will need to check the access log for the account for the time period around Tue, 17 Nov 2009 22:10:39 -0500 to see what script was accessed around this time to send out mail.

  6. #6
    I did that. The only thing I saw that looked suspicious was this... - - [17/Nov/2009:21:55:48 -0500] "POST //includes/mailform.php HTTP/1.1" 302 -

    According to /var/log/maillog the first mail to be processed by sendmail was...

    Nov 17 21:54:05 mail sendmail[5229]: nAI2s58s005229: Authentication-Warning: apache set sender to [email protected] using -f

    Nov 17 21:54:05 mail sendmail[5229]: nAI2s58s005229: [email protected], size=2369, class=0, nrcpts=1, msgid=<[email protected]>, [email protected]

    Nov 17 21:54:05 mail sendmail[5229]: nAI2s58s005229: [email protected], [email protected] (48/48), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=32369, relay=[] [], dsn=2.0.0, stat=Sent (nAI2s5ij005238 Message accepted for delivery)

    So the mailform access is after the actual spam started, so I doubt that was the spammer. But that is the only time a mail script was accessed within the time period of when the spam started. That's what has me stumped: it looks like a script is being accessed on my server, but I can't find any evidence of it. Doesn't make sense to me.

  7. #7
    Is it possible to access a compromised script and send a spam email blast for 3 hours and not have any httpd access log entries? Am I even looking in the right place? Could this be some kind of sendmail hack? Any help would be greatly appreciated.

  8. #8
    Figured it out. We are using for our website blog, and the directory that we upload the blog files to had a rogue script that got uploaded by the spam attacker. The blog directory did have unnecessarily open permissions (777), but the attacker would have still needed to use a script on my server to write to that directory, which doesn't exist, or is there a security hole in that he could have used to upload those files? The owner and group that was assigned to the file was apache instead of the ftp user name that uses to upload, so the attacker didn't hack our account. I have obviously changed the perms on this directory, but I want to be sure it doesn't happen again. Any ideas would be helpful.

  9. #9
    If you check the logs for all sites on the server at the creation time of the rogue script, you might find out what was used to write it (and yes, if it's apache-owned then it almost certainly was written by another script on your server). In any case you should disallow PHP and CGI execution in all uploads directories.

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter
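One way to do the log correlation suggested in this thread, as an added example that is not from the thread or any of its posters: pull every sendmail "apache set sender to ... using -f" event out of /var/log/maillog and list the POST requests in the Apache access log that landed in the seconds before it. The sample log lines are constructed (addresses and paths are placeholders) and assume sendmail's syslog format and Apache's common log format, with both logs in the same local timezone.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the formats quoted in the thread.
MAILLOG = """\
Nov 17 21:54:05 mail sendmail[5229]: nAI2s58s005229: Authentication-Warning: apache set sender to www@example.invalid using -f
Nov 17 21:54:05 mail sendmail[5229]: nAI2s58s005229: from=<www@example.invalid>, size=2369, class=0, nrcpts=1
Nov 17 22:10:39 mail sendmail[30555]: nAI3AdIP030555: Authentication-Warning: apache set sender to www@example.invalid using -f
"""
ACCESS_LOG = """\
203.0.113.5 - - [17/Nov/2009:21:53:59 -0500] "POST /blog/uploads/x.php HTTP/1.1" 200 12
198.51.100.7 - - [17/Nov/2009:21:55:48 -0500] "POST //includes/mailform.php HTTP/1.1" 302 -
203.0.113.5 - - [17/Nov/2009:22:10:37 -0500] "POST /blog/uploads/x.php HTTP/1.1" 200 12
192.0.2.9 - - [17/Nov/2009:22:30:00 -0500] "GET /index.html HTTP/1.1" 200 512
"""

# syslog lines carry no year; Apache lines carry a full date.
MAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (\w+): "
                     r"Authentication-Warning: (\w+) set sender to")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\] "(\w+) (\S+) ')


def web_sent_mail(maillog, year=2009):
    """(timestamp, queue id, unix user) for every mail the web server handed to sendmail via -f."""
    out = []
    for line in maillog.splitlines():
        m = MAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3)))
    return out


def parse_access(access_log):
    """(timestamp, client ip, method, path) for each access-log line."""
    out = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"), m.group(1), m.group(3), m.group(4)))
    return out


def suspect_scripts(maillog, access_log, window_seconds=60):
    """Map each POSTed path to the queue ids of mails sent within window_seconds after the request."""
    hits = {}
    reqs = parse_access(access_log)
    for mail_ts, qid, _user in web_sent_mail(maillog):
        for req_ts, _ip, method, path in reqs:
            if method == "POST" and 0 <= (mail_ts - req_ts).total_seconds() <= window_seconds:
                hits.setdefault(path, set()).add(qid)
    return {path: sorted(qids) for path, qids in hits.items()}
```

In the constructed data the mailform.php POST from the thread is correctly left out because it came after the first mail and a quarter of an hour before the second, while the upload-directory script precedes both.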
