Dan Kriwitsky wrote:
>
>> From there you can start looking for directories related to
>> these accounts
>> or at least change to stronger passwords
>>
>>
>
> Also look for directories with CHMOD 777. On my previous comment I wondered why the access_log didn't show the same time stamp as the maillog. It just occurred to me that with a large spam run the mail would be in mailq so the timestamp would be different. You might grep for that domain with /*.cgi or just look for .cgi or .pl scripts owned by that user. Or any executable file owned by that user.
>
>
I'm having a difficult time finding anything. I think maybe the best
solution is to delete the user, set up a new one with a different
username and password, and use the same email address. This user is just
an email person - nothing else on the server. Would this be a good
enough solution? Right now I have the user suspended.
I would like of course to find the problem file and will search for user
owned files (I'm sure I can find the command via google) when I get back
from putting out other fires.
thanks much for the help!!! cheers, Jim
--
Jim Dory
Engineering
City of Nome
PO Box 281
102 Division St.
Nome, AK 99762
907.443.6604
http://www.nomealaska.org
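
The searches suggested in this thread (mode-777 directories, .cgi/.pl scripts owned by the account, and any other executable file it owns), as an added example that is not part of the original messages. The function name `audit_user_files`, the output tags and the search root are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only: it only lists paths.
# Usage: audit_user_files USER ROOT
#   USER  account name or numeric uid of the suspended account
#   ROOT  tree to search, e.g. the web root or /home (assumption)
audit_user_files() {
    user=$1
    root=$2

    # Directories with all rwx bits set for owner, group and other
    # (chmod 777, also matching 1777/2777), whoever owns them.
    find "$root" -xdev -type d -perm -0777 -print 2>/dev/null |
        sed 's/^/DIR777 /'

    # .cgi and .pl scripts owned by the account.
    find "$root" -xdev -type f -user "$user" \
        \( -name '*.cgi' -o -name '*.pl' \) -print 2>/dev/null |
        sed 's/^/SCRIPT /'

    # Any other regular file owned by the account with an execute bit.
    find "$root" -xdev -type f -user "$user" \
        ! -name '*.cgi' ! -name '*.pl' \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print 2>/dev/null |
        sed 's/^/EXEC /'
}
```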