From: "Harald Heggelund"
Organization: NORD Datasenter AS
Date: Tue, 30 Oct 2007 14:29:18 +0100
Mailing-List: users@httpd.apache.org
Subject: [users@httpd] Security problem in apache with forms?

Hello,

Since installing a new slackware server with apache and sendmail out-of-the-box, I have noticed my server is sending (moderate amounts of) spam worldwide.

I suspect some webform or cgi-script. In the apache log, I see lots of these entries:

"POST http://87.118.100.88/proxy5/check.php HTTP/1.1" 404 297
"POST http://82.228.61.77:49627/Chcks/Data_I.php HTTP/1.1" 404 297

Have no idea what these scripts do (they certainly aren't mine!) but probably they use my localmailer to send spam. I believed external script was supposed to be forbidden (as the 404 may indicate), but maybe there's a bug when calling them from a POST?

Any (other) suggestions?

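Added example, not part of the original message: the quoted entries carry a full URL in the request line, which is the form a client sends to a forward proxy. The Python script below picks such requests (and CONNECT) out of an access log and tallies them by target host and status. LOCAL_HOSTS and every sample line except the two quoted in the message are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Names/addresses this server legitimately answers for (assumed placeholders).
LOCAL_HOSTS = {"www.example.org", "192.0.2.10"}

# Quoted request line followed by status and size, as in the excerpts above.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3}) (?:\d+|-)')

def foreign_target(method, target):
    """Return the foreign host a request tried to reach, or None for local requests."""
    if method == "CONNECT":                      # authority-form: host:port
        return target.rsplit(":", 1)[0].lower()
    if "://" not in target:                      # origin-form: /path, always local
        return None
    host = (urlsplit(target).hostname or "").lower()
    return None if host in LOCAL_HOSTS else host

def summarize(lines):
    """Count proxy-style requests per (host, status) and list those not refused."""
    attempts, answered = Counter(), []
    for line in lines:
        m = REQUEST.search(line)
        host = foreign_target(m["method"], m["target"]) if m else None
        if host is None:
            continue
        status = int(m["status"])
        attempts[(host, status)] += 1
        if status < 400:                         # 2xx/3xx: check whether it was relayed
            answered.append((m["method"], m["target"], status))
    return attempts, answered

SAMPLE = [
    # The two entries quoted in the message above.
    '"POST http://87.118.100.88/proxy5/check.php HTTP/1.1" 404 297',
    '"POST http://82.228.61.77:49627/Chcks/Data_I.php HTTP/1.1" 404 297',
    # Constructed lines for contrast.
    '198.51.100.7 - - [30/Oct/2007:13:00:01 +0100] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [30/Oct/2007:13:00:02 +0100] "GET http://www.example.org/ HTTP/1.1" 200 1043',
    '198.51.100.9 - - [30/Oct/2007:13:00:05 +0100] "CONNECT mail.example.net:25 HTTP/1.0" 200 -',
]

if __name__ == "__main__":
    attempts, answered = summarize(SAMPLE)
    for (host, status), n in sorted(attempts.items()):
        print(f"{n:4d}  {status}  {host}")
    print("not refused, check for relaying:", answered)
```

A 404 on such a request means the server looked for the path locally and did not relay it. A status below 400 is only a prompt to check the proxy configuration, since a server that does not proxy can still answer a foreign URL with one of its own pages.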