From: Mark McCulligh
Date: Thu, 19 Jan 2006 10:26:25 -0500
To: users@httpd.apache.org
Subject: Re: [users@httpd] apache hacked to send spam!

It is most likely the php mail() function. With the default install/config, when the mail() function sends an email it is sent by the Apache user.

If it is going to someone you know over and over (aka a client) it could be a contact us page.

Mark.

maillists wrote:

>Hello List,
>
>I have been trying to isolate attacks on my server where someone is
>using apache to send spam from my host. I have been hit quite a bit in
>the past 2 days. Some of my websites have web forms, but I'm pretty sure
>that they are tight.
>
>This is a new
>line item in my daily Logwatch in the sendmail area that just started to
>appear with the spam attacks:
>
>
>Authentication warnings:
>    apache set sender to info@gmnet.net using -f: 7 Times(s)
>
>(info@gmnet.net is a real user on my host.)
>
>Does anybody know what this means?
>Where should I start to find the problem?
>
>I am using Redhat9
>Apache/2.0.40
>php-4.2.2-17.2
>sendmail-8.12.8-9.90
>sendmail-cf-8.12.8-9.90
>mailscanner-4.23-11
>mailscanner-mrtg-0.05-3
>clamav-0.88
>Interchange 5.4
>
>Thanks!
>Rick
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org

-- 
Mark McCulligh, Web Consultant
VisualTech Components
www.VisualTech.ca
mmcculli@visualtech.ca
(519)318-7905
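Added example, not part of the original messages: a Python sketch that takes the "set sender to ... using -f" warnings Logwatch summarises and joins them to delivery lines by queue ID, so each warning can be tied to the recipients it reached. The log lines are constructed and assume the usual sendmail syslog layout; the host name, queue IDs, recipient addresses and the function name `forged_sender_report` are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the usual sendmail syslog layout (assumed format);
# host name, queue IDs and recipient addresses are invented.
SAMPLE_LOG = """\
Jan 19 09:58:01 web1 sendmail[3101]: k0JEw1aa003101: Authentication-Warning: web1.example.net: apache set sender to info@gmnet.net using -f
Jan 19 09:58:01 web1 sendmail[3101]: k0JEw1aa003101: from=info@gmnet.net, size=812, class=0, nrcpts=3, relay=apache@localhost
Jan 19 09:58:03 web1 sendmail[3103]: k0JEw1aa003101: to=a@example.org,b@example.org,c@example.org, delay=00:00:02, mailer=esmtp, stat=Sent
Jan 19 09:59:10 web1 sendmail[3140]: k0JEx2bb003140: Authentication-Warning: web1.example.net: apache set sender to info@gmnet.net using -f
Jan 19 09:59:10 web1 sendmail[3140]: k0JEx2bb003140: from=info@gmnet.net, size=790, class=0, nrcpts=2, relay=apache@localhost
Jan 19 09:59:12 web1 sendmail[3142]: k0JEx2bb003140: to=<d@example.org>,<a@example.org>, delay=00:00:02, mailer=esmtp, stat=Sent
Jan 19 10:00:00 web1 sendmail[3155]: k0JEy3cc003155: from=root, size=300, class=0, nrcpts=1, relay=root@localhost
Jan 19 10:00:01 web1 sendmail[3156]: k0JEy3cc003155: to=rick@example.net, delay=00:00:01, mailer=local, stat=Sent
"""

# "<queue id>: Authentication-Warning: <host>: <user> set sender to <addr> using -f"
WARN = re.compile(r"sendmail\[\d+\]: (\w+): Authentication-Warning: \S+: "
                  r"(\S+) set sender to (\S+) using -f")
# "<queue id>: to=<comma-separated recipients>, ..."
RCPT = re.compile(r"sendmail\[\d+\]: (\w+): to=(\S+?), ")


def forged_sender_report(log_text):
    """Group -f warnings by (local user, claimed sender) and attach recipients."""
    warned, rcpts = {}, defaultdict(set)
    for line in log_text.splitlines():
        if (m := WARN.search(line)):
            warned[m.group(1)] = (m.group(2), m.group(3))
        elif (m := RCPT.search(line)):
            rcpts[m.group(1)].update(a.strip("<>") for a in m.group(2).split(","))
    report = {}
    for qid, key in warned.items():
        entry = report.setdefault(key, {"messages": 0, "recipients": set()})
        entry["messages"] += 1
        entry["recipients"] |= rcpts.get(qid, set())
    return report


if __name__ == "__main__":
    for (user, sender), e in forged_sender_report(SAMPLE_LOG).items():
        print(f"{user} -> {sender}: {e['messages']} msgs, "
              f"rcpts={sorted(e['recipients'])}")
```

Matching the timestamps of the flagged queue IDs against the Apache access log for the same seconds narrows down which script handed the message to sendmail.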