
Re: [cobalt-security] How can they do this and how to stop it???



Hi Chae,

> Sep  7 17:17:08 ns sendmail[30573]: RAA30573: Authentication-Warning:
> ns.xxxxxxxxxxxxxxxxxxx.com: colour set sender to sdjkfk@xxxxxxx using -f

Somebody ran sendmail with the "-f" switch, with which you can specify a 
sender address other than user@xxxxxxxxxxxxxxx. This can be done in the 
shell, or from a script.

As you have shell access disabled this was most likely a script. Could be a 
PERL script, or PHP or even ASP on the RaQ4.

Look at his /web folder and see if there are any PERL scripts or PHP code 
which looks fishy. Maybe he's running a mailer script, a guestbook or a message 
board which does this.

-- 

With best regards,

Michael Stauber
SOLARSPEED.NET
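
Added example, not part of the original message: a shell sketch of the two checks described above, tallying which local users trigger the "-f" Authentication-Warning in the mail log and listing scripts under a web root that reference sendmail or PHP mail(). The function names, hostnames, users, addresses, paths and log lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example. All hostnames, users, addresses and paths below are constructed.

# Count "-f" sender overrides per local user from sendmail syslog lines on stdin.
# Prints "COUNT USER", busiest first.
f_sender_warnings() {
  awk '/Authentication-Warning:/ && / set sender to .* using -f/ {
         for (i = 2; i <= NF; i++)
           if ($i == "set" && $(i + 1) == "sender") { n[$(i - 1)]++; break }
       }
       END { for (u in n) print n[u], u }' | sort -rn
}

# List scripts under a web root that reference sendmail or PHP mail().
# Heuristic only: a hit is a file to read, not proof of abuse.
find_mailer_scripts() {
  find "$1" -type f \( -name '*.pl' -o -name '*.cgi' -o -name '*.php' \
       -o -name '*.asp' \) -exec grep -lE 'sendmail|mail[[:space:]]*\(' {} + \
    2>/dev/null | sort
}

# Build a constructed log and web root so the example runs offline.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/web/cgi-bin"
  cat > "$d/maillog" <<'EOF'
Sep  7 17:17:08 ns sendmail[30573]: RAA30573: Authentication-Warning: ns.example.com: colour set sender to sdjkfk@example.net using -f
Sep  7 17:17:09 ns sendmail[30575]: RAA30575: Authentication-Warning: ns.example.com: colour set sender to qwert@example.net using -f
Sep  7 17:20:41 ns sendmail[30601]: RAA30601: Authentication-Warning: ns.example.com: shop set sender to orders@example.org using -f
Sep  7 17:21:02 ns sendmail[30610]: RAA30610: from=<alice@example.org>, size=812, nrcpts=1
EOF
  printf '%s\n' 'open(M, "|/usr/sbin/sendmail -t -f $from");' > "$d/web/cgi-bin/form.pl"
  printf '%s\n' '<?php echo "hello"; ?>' > "$d/web/index.php"
  printf '%s\n' '<?php mail($to, $subj, $body); ?>' > "$d/web/guestbook.php"
  echo "$d"
}

sample=$(make_sample)
f_sender_warnings < "$sample/maillog"
find_mailer_scripts "$sample/web"
```

On a real server, feed the first function the actual mail log and point the second at the site's web directory; the user named in the warning tells you whose directory to search first.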