Possible sendmail exploit driving me nuts

I love Linux, but IIS is looking better

         

grubesteak

9:56 pm on May 21, 2007 (gmt 0)

10+ Year Member



We have an exploit on our web server that is trying to send out spam.

Although it's blocked from sending at the firewall, our attempts to
disable this particular exploit haven't been successful. It just keeps
running and running, and we can't seem to figure out how to disable it
completely. We could shut off sendmail, but that would cause more
headaches since that's what Apache uses on this server with our forms.

Has anyone run into something like this? It's pretty frustrating. We
can't figure out how it got on there to begin with, and so far, all we
can do is block what it's trying to send out (as of this writing,
today, was 60,000+ spam, which our firewall has blocked all of).

Thanks in advance.

BananaFish

10:04 pm on May 21, 2007 (gmt 0)

10+ Year Member



What is the exploit? If it is specific to Sendmail, try a better mail program like Qmail or Postfix. Other than that, chances are the problem is your forms being hijacked, which is rather easily remedied.

grubesteak

11:38 pm on May 21, 2007 (gmt 0)

10+ Year Member



Well, I suppose I'm having a hard time pinpointing what it is exactly. I thought it was a Perl script (called a.pl) but that was killed and it started back up again.

How do I look and see where this thing is living? Tried ps aux and haven't really gotten anywhere.

grubesteak

4:05 pm on May 22, 2007 (gmt 0)

10+ Year Member



Well, as it turns out, it was a poorly-written PHP script.

Lesson learned: kids, lock up your scripts or they'll drive you insane. Although, it was a short drive for me.
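
One way to answer the "where is this thing living?" question raised in the thread, as an added example that is not part of any poster's message: list every process owned by the web server account with its parent PID, working directory and binary, which shows what respawns a killed script and where it was started from. The function name, the output format, the flag labels and the optional second argument (an alternative proc root) are assumptions of this example.

```shell
#!/bin/sh
# Added triage example, not code from the thread.
# Usage: list_user_procs <account> [proc_root]
#   <account>   the account Apache runs as (name varies by distribution)
#   [proc_root] defaults to /proc; a different path is only for testing

list_user_procs() {
    user=$1
    proc_root=${2:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # The owner of /proc/PID is the user the process runs as.
        owner=$(stat -c %U "$dir" 2>/dev/null) || continue
        [ "$owner" = "$user" ] || continue
        pid=${dir##*/}
        # The parent PID shows which process keeps restarting a killed script.
        ppid=$(awk '/^PPid:/ {print $2}' "$dir/status" 2>/dev/null) || ppid=
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd=
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe=
        # cmdline is NUL-separated; turn the separators into spaces.
        cmd=$( { tr '\0' ' ' < "$dir/cmdline"; } 2>/dev/null ) || cmd=
        flag=-
        # Working directory in a world-writable temp location.
        case "$cwd" in
            /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) flag=TEMPDIR ;;
        esac
        # Binary removed from disk while the process is still running.
        case "$exe" in
            *" (deleted)") flag=DELETED ;;
        esac
        printf 'pid=%s ppid=%s flag=%s cwd=%s exe=%s cmd=%s\n' \
            "$pid" "${ppid:-?}" "$flag" "${cwd:-?}" "${exe:-?}" "${cmd:-?}"
    done
}
```

Run it as root so the `cwd` and `exe` links of other users' processes are readable; a `ppid` that points at an Apache worker means the script is being launched through a web request rather than from cron or a login shell.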