Re: [cobalt-security] How can they do this and how to stop it???
- Subject: Re: [cobalt-security] How can they do this and how to stop it???
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Sat, 8 Sep 2001 12:58:13 +0200
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Chae,
> Sep 7 17:17:08 ns sendmail[30573]: RAA30573: Authentication-Warning:
> ns.xxxxxxxxxxxxxxxxxxx.com: colour set sender to sdjkfk@xxxxxxx using -f
Somebody did run sendmail with the switch "-f", with which you can specify
another sender address than user@xxxxxxxxxxxxxxx. This can be done in the
shell, or from a script.
As you have shell access disabled this was most likely a script. Could be a
PERL script, or PHP or even ASP on the RaQ4.
Look at his /web folder and see if there are any PERL scripts or PHP code
which looks fishy. Maybe he's running a mailer script, a guestbook or a message
board which does this.
--
With best regards,
Michael Stauber
SOLARSPEED.NET
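
An added example, not part of the original post: a small log triage script that groups sendmail "set sender to ... using -f" warnings by the local account that invoked sendmail, so the site whose scripts need reviewing stands out. The sample log lines are constructed (modelled on the quoted warning, with example.* domains), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# sendmail logs this warning when a local user overrides the envelope sender with -f.
WARNING_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+sendmail\[\d+\]:\s+(?P<qid>\w+):\s+"
    r"Authentication-Warning:\s+\S+:\s+"
    r"(?P<user>\S+) set sender to (?P<sender>\S+) using -f\s*$"
)

# Constructed sample input; a real run would read the mail log file instead.
SAMPLE_LOG = """\
Sep  7 17:17:08 ns sendmail[30573]: RAA30573: Authentication-Warning: ns.example.com: colour set sender to sdjkfk@example.net using -f
Sep  7 17:17:08 ns sendmail[30573]: RAA30573: from=sdjkfk@example.net, size=412, class=0, nrcpts=1
Sep  7 17:17:09 ns sendmail[30580]: RAA30580: Authentication-Warning: ns.example.com: colour set sender to qwpoe@example.org using -f
Sep  7 17:20:41 ns sendmail[30611]: RAA30611: Authentication-Warning: ns.example.com: httpd set sender to webmaster@example.com using -f
Sep  7 17:21:02 ns sendmail[30620]: RAA30620: Authentication-Warning: ns.example.com: colour set sender to sdjkfk@example.net using -f
"""


def sender_overrides(lines):
    """Group -f warnings by the local account that ran sendmail."""
    stats = defaultdict(
        lambda: {"count": 0, "senders": set(), "first": None, "last": None}
    )
    for line in lines:
        m = WARNING_RE.match(line)
        if not m:
            continue  # ordinary delivery lines and other warnings are ignored
        entry = stats[m["user"]]
        entry["count"] += 1
        entry["senders"].add(m["sender"])
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(stats)


def report(stats):
    """Accounts ordered by distinct sender addresses used, then by warning count."""
    return sorted(stats, key=lambda u: (-len(stats[u]["senders"]), -stats[u]["count"]))


if __name__ == "__main__":
    stats = sender_overrides(SAMPLE_LOG.splitlines())
    for user in report(stats):
        s = stats[user]
        print(f"{user}: {s['count']} warnings, {len(s['senders'])} sender(s), "
              f"{s['first']} .. {s['last']}")
```

An account that uses many different sender addresses in a short time is the one whose /web folder deserves the first look; a single fixed address is more typical of an ordinary contact form.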