[BlueOnyx:10158] Re: Trojans and backdoors?
Ken - Precision Web Hosting, Inc
kenlists at precisionweb.net
Tue Apr 17 14:11:57 -05 2012
----- Original Message -----
From: "Darren Shea" <dshea at ecpi.com>
To: <blueonyx at mail.blueonyx.it>
Sent: Tuesday, April 17, 2012 10:34 AM
Subject: [BlueOnyx:10150] Trojans and backdoors?
> Our BlueOnyx system seems to have been compromised by some sort of
> php-based Trojan which is allowing spammers to send spam through the
> webserver. We're having a hard time tracking it down to a particular
> virtual site, and shutting off php for all users is not an option -
> besides the people using WordPress and shopping carts, the SquirrelMail
> interface breaks when php is shut off.
>
> Are there any updates which can help with this? We are using the
> SolarSpeed 5106R-PHP-5.3.8-SOL3AV package, and given all the issues we
> had getting the two different versions of php to play nice on BlueOnyx,
> we don't want to be too aggressive with upgrading.
>
> Also, is there a way to simply block the webserver from sending out on
> port 25?
>
> Thank you,
> Darren
> ECPI Western Broadband
> (512)257-1077
> (254)213-6116 fax
>
Darren
If a php script is sending the spam, check the maillogs for a specific time
when the spam was sent. Then check the /var/log/httpd/access_log for that
time within a few seconds.
e.g.
cat /var/log/httpd/access_log | grep php | grep 17/Apr/2012:01:26

Or, for each site set the from address to be from the admin user and not
apache. For that you'd use
php_admin_value sendmail_path
E.g.
nano -w /etc/httpd/conf/vhosts/site186.include

<Directory /home/.sites/16/site186/web>
php_flag register_globals off
php_admin_value open_basedir /home/.sites/16/site186/web:/home/solarspeed/php/bin/pear:/home/solarspeed/php/share/pear
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f the-admin-username-here"
</Directory>
----
Ken Marcus
Precision Web Hosting, Inc.
http://www.precisionweb.net
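The two checks in Ken's reply (matching mail submission times against php requests in access_log, and giving each site its own envelope sender via sendmail_path -f) can be scripted. The script below is an added example and not part of the original post or of BlueOnyx; the sendmail-style maillog lines and the access_log lines are constructed samples, the hostnames, paths and IPs are placeholders, and it assumes both logs cover the same day (it compares time of day only, so split the maillog by day before using it on a real box).

```shell
#!/bin/sh
# Added example (not from the original post): correlate mail submissions
# made by the apache user with php requests logged within a few seconds.
# Both log samples below are constructed; hosts, paths and IPs are placeholders.

MAILLOG_SAMPLE='Apr 17 01:26:31 web1 sendmail[4101]: q3H6QVxx004101: from=<apache@web1.example>, size=812, class=0, nrcpts=1, relay=apache@localhost
Apr 17 01:26:31 web1 sendmail[4101]: q3H6QVxx004101: to=<someone@example.net>, delay=00:00:00, mailer=esmtp, stat=Sent
Apr 17 01:31:02 web1 sendmail[4150]: q3H6V2yy004150: from=<admin@site186.example>, size=300, class=0, nrcpts=1, relay=admin@localhost'

ACCESS_LOG_SAMPLE='203.0.113.5 - - [17/Apr/2012:01:26:29 -0500] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Apr/2012:01:26:30 -0500] "GET /images/logo.png HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Apr/2012:01:30:59 -0500] "GET /contact.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Apr/2012:01:45:00 -0500] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"'

# Seconds since midnight for an HH:MM:SS string.
to_secs() {
    echo "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'
}

# Read maillog text on stdin; print the HH:MM:SS of every message whose
# envelope sender starts with $1 (e.g. "apache@", or a site admin address
# once sendmail_path carries -f for that site).
mail_submission_times() {
    grep "from=<$1" | awk '{ print $3 }'
}

# Read access_log text on stdin; print php requests whose timestamp is
# within $2 seconds of the HH:MM:SS given in $1.
php_hits_near() {
    awk -v want="$(to_secs "$1")" -v win="$2" '
        /\.php/ {
            # field 4 looks like [17/Apr/2012:01:26:29
            split($4, p, ":")
            t = p[2] * 3600 + p[3] * 60 + p[4]
            d = t - want
            if (d < 0) d = -d
            if (d <= win) print
        }'
}

# For each message submitted by the sender prefix in $3 (default apache@),
# print the php requests seen within $4 seconds (default 5), one per line,
# prefixed with the mail timestamp so the two logs can be read side by side.
correlate() {
    maillog="$1"; accesslog="$2"; sender="${3:-apache@}"; win="${4:-5}"
    for ts in $(printf '%s\n' "$maillog" | mail_submission_times "$sender"); do
        printf '%s\n' "$accesslog" | php_hits_near "$ts" "$win" | sed "s/^/mail at $ts -> /"
    done
}

# Stand-alone run on the constructed samples: reports the cache.php POST
# two seconds before the apache-submitted message, nothing else.
correlate "$MAILLOG_SAMPLE" "$ACCESS_LOG_SAMPLE" apache@ 5
```

On a real box the two samples are replaced by the contents of /var/log/maillog and /var/log/httpd/access_log (for the day in question), and the window is widened if the PHP interpreter queues mail slowly. The sender prefix argument is what the second half of Ken's reply buys you: after sendmail_path in each site's vhost include carries -f with that site's admin user, the from= field in the maillog already names the site, and correlating becomes a matter of grepping for that address rather than for apache@.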