[ale] tracking down a spammer on our box
Ryan Williams
ryan at jimmyether.com
Thu Mar 31 23:48:45 EST 2005
We are running RedHat ES and have someone using our server to send a
small but steady stream of spam... between 4 and 5 messages per minute,
so they are smart enough to keep the activity fairly low profile. We've
already confirmed with ORDB that we are not an open relay. The messages
are showing up in ps -aux as:
qmailr 19774 0.0 0.0 3436 972 ? S 14:44 0:00 qmail-remote remotedomain.com anonymous@server1.ourserver.com randomuser@remotedomain.com
and our maillogs show messages being delivered which are certainly spam:
Mar 31 15:07:02 server1 qmail: 1112299622.785136 starting delivery 193807: msg 9536773 to remote randomuser@remotedomain.com
Since the messages are being sent by "anonymous", we are pretty sure
this is a vulnerable PHP script somewhere on the server that is being
used, but we are having the hardest time tracking down which one(s) is
the culprit. Is there any way to track down which domain or script was
used to send these messages?
Thanks!
Ryan
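One way to start the correlation from the qmail-send log itself, as an added example that is not part of the original post: qmail-send writes an "info msg <id>: bytes <n> from <sender> qp <pid> uid <uid>" line for every injected message, so joining those to the "starting delivery ...: msg <id> to remote ..." lines groups remote deliveries by the injecting sender and uid. The log excerpt below is constructed for the example; the exact "info msg" field layout is assumed from qmail-send's logging.

```python
import re
from collections import defaultdict

# Assumed qmail-send log shapes (splogger prefix, then the qmail-send message).
INFO_RE = re.compile(r"info msg (\d+): bytes (\d+) from <([^>]*)> qp (\d+) uid (\d+)")
DELIVERY_RE = re.compile(r"starting delivery (\d+): msg (\d+) to remote (\S+)")

# Constructed sample log: two "anonymous" injections by uid 48 and one ordinary user mail.
SAMPLE_LOG = """\
Mar 31 15:07:01 server1 qmail: 1112299621.112233 new msg 9536773
Mar 31 15:07:01 server1 qmail: 1112299621.223344 info msg 9536773: bytes 1834 from <anonymous@server1.ourserver.com> qp 19770 uid 48
Mar 31 15:07:02 server1 qmail: 1112299622.785136 starting delivery 193807: msg 9536773 to remote randomuser@remotedomain.com
Mar 31 15:07:20 server1 qmail: 1112299640.001122 new msg 9536801
Mar 31 15:07:20 server1 qmail: 1112299640.112233 info msg 9536801: bytes 2201 from <anonymous@server1.ourserver.com> qp 19802 uid 48
Mar 31 15:07:21 server1 qmail: 1112299641.334455 starting delivery 193808: msg 9536801 to remote victim@example.net
Mar 31 15:08:00 server1 qmail: 1112299680.556677 new msg 9536850
Mar 31 15:08:00 server1 qmail: 1112299680.667788 info msg 9536850: bytes 912 from <alice@ourserver.com> qp 19850 uid 1003
Mar 31 15:08:01 server1 qmail: 1112299681.778899 starting delivery 193809: msg 9536850 to remote bob@example.org
"""

def correlate(log_text):
    """Join each remote delivery to the 'info msg' line that injected it, keyed by (sender, uid)."""
    injected = {}
    for line in log_text.splitlines():
        m = INFO_RE.search(line)
        if m:
            msg_id, nbytes, sender, qp, uid = m.groups()
            injected[msg_id] = {"sender": sender, "uid": int(uid), "qp": int(qp), "bytes": int(nbytes)}
    summary = defaultdict(lambda: {"count": 0, "recipients": []})
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        _delivery_id, msg_id, rcpt = m.groups()
        info = injected.get(msg_id)
        if info is None:  # delivery whose injection is outside this log window
            continue
        key = (info["sender"], info["uid"])
        summary[key]["count"] += 1
        summary[key]["recipients"].append(rcpt)
    return dict(summary)

def suspects(log_text, min_count=2):
    """(sender, uid) pairs behind at least min_count remote deliveries, busiest first."""
    s = correlate(log_text)
    return sorted((k for k, v in s.items() if v["count"] >= min_count), key=lambda k: -s[k]["count"])

if __name__ == "__main__":
    for (sender, uid), v in correlate(SAMPLE_LOG).items():
        print(f"{sender} (uid {uid}): {v['count']} remote deliveries -> {v['recipients']}")
```

The uid on the injecting line is the account that ran qmail-inject (on a stock RedHat box uid 48 is apache), so with suexec or per-vhost CGI users it names the virtual host directly; with a single shared web-server uid, the injection timestamp and qp pid still narrow the window to match against the web server's access log.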