>
> From there you can start looking for directories related to
> these accounts
> or at least change to stronger passwords
>
Also look for directories with CHMOD 777. In my previous comment I wondered why the access_log didn't show the same time stamp as the maillog. It just occurred to me that with a large spam run the mail would be in mailq so the timestamp would be different. You might grep for that domain with /*.cgi or just look for .cgi or .pl scripts owned by that user. Or any executable file owned by that user.
--
Dan Kriwitsky
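
The checks suggested in this reply, written out as shell functions. This is an added example, not part of the original message; the web root path, the account name and the Apache-style access_log request format are assumptions supplied by whoever runs it.

```shell
#!/bin/sh
# Added example: audit helpers for a shared web host.
# Arguments (web root, account name, log path) are assumptions, not values
# from the thread.

# Directories with rwx set for user, group and other (777, also 1777).
find_777_dirs() {
    find "$1" -type d -perm -0777 2>/dev/null
}

# .cgi and .pl scripts owned by the given account (name or numeric uid).
find_user_scripts() {
    find "$1" -type f -user "$2" \( -name '*.cgi' -o -name '*.pl' \) 2>/dev/null
}

# Any file owned by the account with at least one execute bit set.
find_user_executables() {
    find "$1" -type f -user "$2" \
        \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null
}

# Requests for .cgi/.pl scripts in an access_log. Because queued mail is
# delivered later, compare these times against when the mail entered the
# queue, not against the delivery lines in maillog.
cgi_requests() {
    grep -E '"(GET|POST) [^" ]*\.(cgi|pl)[ ?]' "$1"
}

# Run all filesystem checks for one account under one web root.
audit() {
    echo "== world-writable directories under $1"
    find_777_dirs "$1"
    echo "== .cgi/.pl scripts owned by $2"
    find_user_scripts "$1" "$2"
    echo "== executables owned by $2"
    find_user_executables "$1" "$2"
}

# Usage: sh audit.sh /path/to/webroot accountname
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```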