
Under major spam attack


kcjames

Guest
Having problems with a spam attack. I cannot find the script being exploited. Tried the suggestions to insert x_additional-header into messages to track, and as you can see all I get is /tmp.

Please help!


X-Additional-Header: /tmp
content-type: text/html
Subject: Esqueceu de mim ne?
<[email protected]>
To: [email protected]

<HTML>
<HEAD>
<META NAME="GENERATOR" Content="Microsoft DHTML Editing Control">
<TITLE></TITLE>
</HEAD>
<BODY>
<P align=center><STRONG><EM>Se os
anexos, as imagens e os links desta mensagem forem bloqueados click em </EM>

<A href="http://www.cnscut.cn/about/images/Visualize.exe" target=_blank><EM>M
 
I really need help with this ASAP... I'm pulling my hair out.

This shell script is only returning /tmp... nothing is in /tmp that is php or otherwise capable of sending email.

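#!/bin/sh
# Prepend the caller's working directory as a header, log the message, then pass it to qmail's sendmail.
(echo "X-Additional-Header: $PWD"; cat) | tee -a /var/tmp/mail.send | /var/qmail/bin/sendmail-qmail "$@"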


What can I add to this to get the IP address of the sender, or any real identifying information?
 
Assuming it's coming from a PHP script, the PHP update from the atomic repo (5.2.14 or 5.3.3) allows you to log exactly which scripts are invoking the mail() function.
 
I would love to use it, but since it's running on FC3, the atomic repo gives an error that FC3 is no longer supported. The server is running 4.x
 
Yeah, unfortunately everyone dropped support for FC3 years and years ago. Ubiquitous: You should upgrade to CentOS 5 goes here :p
 
Or better yet, Plesk should include some basic security so you can easily track when a script is hijacked. Any idea why the knowledge base directions only display /tmp?
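
The wrapper posted in this thread records only $PWD, the working directory of whatever process invoked it. As an added example (not code from the thread, from Plesk or from its knowledge base), the variant below also records the UID, the parent process and, when they are set, CGI variables such as REMOTE_ADDR. The X-Mail-Origin-* header names and the "sendmail-wrapper" install name are assumptions, it relies on Linux /proc, and the CGI variables may be absent from the environment when PHP runs as an Apache module.

```shell
#!/bin/sh
# Added example: sendmail wrapper that records who invoked it.
# Assumptions: Linux /proc, the X-Mail-Origin-* header names, and the
# install name "sendmail-wrapper"; both paths below come from the thread.
REAL_SENDMAIL=/var/qmail/bin/sendmail-qmail
LOG=/var/tmp/mail.send

# Keep printable bytes only and cap the length, so a hostile value
# (e.g. one containing CR/LF) cannot inject extra headers.
clean() {
    printf '%s' "$1" | tr -cd '[:print:]' | cut -c1-200
}

# Print one header per fact known about the caller.
# $1 = PID to describe (defaults to this shell's parent).
origin_headers() {
    ppid=${1:-$PPID}
    printf 'X-Mail-Origin-Cwd: %s\n' "$(clean "$PWD")"
    printf 'X-Mail-Origin-Uid: %s\n' "$(id -u)"
    printf 'X-Mail-Origin-Ppid: %s\n' "$ppid"
    if [ -r "/proc/$ppid/cmdline" ]; then
        cmd=$(tr '\000' ' ' < "/proc/$ppid/cmdline")
        printf 'X-Mail-Origin-Parent: %s\n' "$(clean "$cmd")"
    fi
    # CGI variables are present only when the caller exported them.
    for v in REMOTE_ADDR HTTP_HOST REQUEST_URI SCRIPT_FILENAME; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then
            printf 'X-Mail-Origin-%s: %s\n' "$v" "$(clean "$val")"
        fi
    done
}

# Act as the wrapper only when installed under the assumed name.
case "$0" in
    *sendmail-wrapper)
        { origin_headers; cat; } | tee -a "$LOG" | "$REAL_SENDMAIL" "$@" ;;
esac
```

The parent PID and command line in /var/tmp/mail.send identify the process that handed over the message even when the working directory is uninformative.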
 