What are you seeing in /var/log/httpd/access_log? Do you have formmail.pl installed in /var/www/cgi-bin? If so, you may have been used as an open relay to forward spam. Grep /var/log/httpd/access_log for w00t; that is the message the formmail vulnerable scanners return to the source of the scan.

Al

At 02:41 PM 2/2/2002 -0500, Ryan Hairyes wrote:
>Hello all.
>
>
>I am having some trouble and would like to know if someone can help me out.
>Right now my mailserver (RedHat 7.2) is being used by unwanted guests to
>attack adult sites via port 80 (Apache 1.3.20). When I run a netstat -an
>on my system I can "see" them connected to my machine. I have snort and
>have run that as well and sure enough they are there. It seems as though
>they are using my apache to do brute force password cracking on these adult
>sites. Thanks in advance.
>
>Ryan
>
>
>--------------------
>Ryan Hairyes
>Network Administrator -- Lee County School System
>919.774.6226 x 1252
>rhairyesat_private
>
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
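The log check suggested in the reply above, as an added example that is not part of the original message: it summarises, per client address, requests that name formmail.pl or contain w00t, and how many of them were answered with status 200. It assumes Apache's Common Log Format; the function names and the sample log lines are constructed for illustration, and where w00t appears in a request is an assumption.

```shell
#!/bin/sh
# Added example: per-client summary of formmail.pl / w00t hits in an access log.
# Assumes Common Log Format: client address first, request line in double quotes.

formmail_hits() {
    # $1 = path to access_log; prints "client total answered_with_200"
    awk '
        {
            # Split on double quotes: q[2] = request line, q[3] = " status bytes"
            n = split($0, q, "\"")
            if (n < 3) next
            req = tolower(q[2])          # FormMail.pl is often installed mixed-case
            if (req !~ /formmail\.pl/ && tolower($0) !~ /w00t/) next
            split(q[3], s, " ")
            total[$1]++
            # 200 means the script exists and was served; 404 is only a probe
            if (s[1] == "200") ok[$1]++
        }
        END { for (c in total) printf "%s %d %d\n", c, total[c], ok[c] + 0 }
    ' "$1" | sort -k2,2nr -k1,1
}

write_sample_log() {
    # Constructed sample lines (documentation address ranges), not real traffic.
    cat > "$1" <<'EOF'
192.0.2.10 - - [02/Feb/2002:14:01:11 -0500] "GET /cgi-bin/formmail.pl HTTP/1.0" 200 512
192.0.2.10 - - [02/Feb/2002:14:01:15 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 734
198.51.100.7 - - [02/Feb/2002:14:02:40 -0500] "GET /cgi-bin/FormMail.pl?subject=w00t HTTP/1.0" 404 287
203.0.113.5 - - [02/Feb/2002:14:03:02 -0500] "GET /index.html HTTP/1.0" 200 2048
192.0.2.10 - - [02/Feb/2002:14:05:09 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 734
EOF
}

# Demo on the constructed sample; on a real host run:
#   formmail_hits /var/log/httpd/access_log
sample=$(mktemp) && write_sample_log "$sample" && formmail_hits "$sample"
rm -f "$sample"
```

Repeated POSTs answered with 200 from one client are the rows to look at first, since POST bodies are not logged and each one may correspond to a relayed message.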
This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 10:06:48 PST