Article 11243 at 07/11/27 01:42:31 From: t.gablunsky (at mark) cbxnet.de Subject: [coba-e:11243] AW: Re: Tracing emails being sent with apache

Index: [Article Count Order] [Thread]
Date:  Mon, 26 Nov 2007 17:42:25 +0100
From:  "Tobias Gablunsky" <t.gablunsky (at mark) cbxnet.de>
Subject:  [coba-e:11243] AW:  Re: Tracing emails being sent with apache
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <01E188343A33DE4E8B1A00D7980BC87901CAEC76 (at mark) s2.combox.de>
X-Mail-Count: 11243

when I once had such a problem, I found the abused script by running
grep POST /var/log/httpd/access_log
Normaly there were some POST's per script a day - in this case there have been thousands...

--
tobias gablunsky
systemtechnik internet

CBXNET combox internet gmbh
L�zowstra��e 105-106
10785 Berlin
Telefon: 030 / 59 00 69 -41; Zentrale: -00
Telefax: 030 / 59 00 69 -99
www.cbxnet.de | support (at mark) cbxnet.de

Amtsgericht Berlin-Charlottenburg HRB 71171
Gesch��tsf�rer: Lutz Treutler
 

> -----Urspr�gliche Nachricht-----
> Von: Gerald Waugh [mailto:gwaugh (at mark) frontstreetnetworks.com] 
> Gesendet: Montag, 26. November 2007 16:06
> An: coba-e (at mark) bluequartz.org
> Betreff: [coba-e:11241] Re: Tracing emails being sent with apache
> 
> MuntadaNet Webmaster wrote on Monday, November 26, 2007 8:27 AM
> > 
> > I am getting a ton of returned mail that is evidently being 
> sent from 
> > my server using the apache user.  I have tried to sift through the 
> > access_log to determine what web site is the culprit to no avail.
> > 
> > Is there any way to turn on some kind of trace logging to find out 
> > when a call to sendmail is made that shows exactly what cgi or php 
> > page executed it.  There is hardly any CGI if at all on my 
> servers so 
> > I am pretty sure this is most likely php mail() call.
> > 
> I had trouble with "contact.php:
> I used this to find the abusers
> cat /var/log/httpd/access_log | grep contact.php Seen many 
> from the same IP address, Also ran; cat /var/log/maillog | 
> grep <the abusers ip>
> 
> I did not find a good fix, just removed all contact.php And 
> used 'mailto' for contact.
> 
> Gerald
> 
> 
> --
> This message has been scanned for viruses and dangerous 
> content by MailScanner, and is believed to be clean.
> 
> 
> 
> 
>