
Date:  Mon, 26 Nov 2007 23:46:22 -0500
From:  MuntadaNet Webmaster <webmaster (at mark) muntada.com>
Subject:  [coba-e:11248] Re: AW:  Re: Tracing emails being sent with  apache
To:  coba-e (at mark) bluequartz.org, <coba-e (at mark) bluequartz.org>
Message-Id:  <200711270446.lAR4kRiZ029870 (at mark) huda.muntadanet.com>
In-Reply-To:  <01E188343A33DE4E8B1A00D7980BC87901CAEC76 (at mark) s2.combox.de>
References:  <01E188343A33DE4E8B1A00D7980BC87901CAEC76 (at mark) s2.combox.de>
X-Mail-Count: 11248

So far, I had already tried Gerald's and your technique before sending
out the SOS.  So I am still stuck.  I can't seem to find something that
is showing a large amount of repetition in the logs.

If anyone has any other ideas, I am definitely in need of one.  I
normally find these things but this time I am stuck.

-Rashid

At 11:42 AM 11/26/2007, Tobias Gablunsky wrote:
>when I once had such a problem, I found the abused script by running
>grep POST /var/log/httpd/access_log
>Normally there were some POSTs per script a day - in this case there
>have been thousands...
>
>--
>tobias gablunsky
>systemtechnik internet
>
>CBXNET combox internet gmbh
>Lützowstraße 105-106
>10785 Berlin
>Phone: 030 / 59 00 69 -41; Switchboard: -00
>Fax: 030 / 59 00 69 -99
>www.cbxnet.de | support (at mark) cbxnet.de
>
>Amtsgericht Berlin-Charlottenburg HRB 71171
>Managing Director: Lutz Treutler
>
>
> > -----Original Message-----
> > From: Gerald Waugh [mailto:gwaugh (at mark) frontstreetnetworks.com]
> > Sent: Monday, 26 November 2007 16:06
> > To: coba-e (at mark) bluequartz.org
> > Subject: [coba-e:11241] Re: Tracing emails being sent with apache
> >
> > MuntadaNet Webmaster wrote on Monday, November 26, 2007 8:27 AM
> > >
> > > I am getting a ton of returned mail that is evidently being sent
> > > from my server using the apache user.  I have tried to sift
> > > through the access_log to determine what web site is the culprit
> > > to no avail.
> > >
> > > Is there any way to turn on some kind of trace logging to find out
> > > when a call to sendmail is made that shows exactly what cgi or php
> > > page executed it.  There is hardly any CGI if at all on my servers
> > > so I am pretty sure this is most likely php mail() call.
> > >
> > I had trouble with "contact.php":
> > I used this to find the abusers
> > cat /var/log/httpd/access_log | grep contact.php
> > Saw many from the same IP address. Also ran:
> > cat /var/log/maillog | grep <the abusers ip>
> >
> > I did not find a good fix, just removed all contact.php and
> > used 'mailto' for contact.
> >
> > Gerald

*****************************************************************
MuntadaNet Web Hosting and Web Design Services
http://www.muntada.com

Sales - sales (at mark) muntada.com
Support - support (at mark) muntada.com
Billing - billing (at mark) muntada.com

Main Office - 808-689-6092
Fax - (808) 356-0279
*****************************************************************
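
The log tally described in the replies above (many POSTs to one script, many hits from one IP), as an added example that is not part of the original thread. The function names post_counts and post_sources and the sample log lines are constructed for illustration, and the field positions assume Apache's common/combined log format.

```shell
#!/bin/sh
# Added example: rank scripts by POST volume, then rank client IPs for one script.
# Field layout assumed (common/combined format):
#   $1 = client IP, $6 = "METHOD (with leading quote), $7 = request path

# post_counts FILE -> "count path" lines, busiest script first
post_counts() {
    awk '$6 == "\"POST" { sub(/\?.*/, "", $7); n[$7]++ }
         END { for (p in n) print n[p], p }' "$1" | sort -k1,1nr -k2,2
}

# post_sources FILE PATH -> "count ip" lines for one script, busiest IP first
post_sources() {
    awk -v path="$2" '
         $6 == "\"POST" { sub(/\?.*/, "", $7); if ($7 == path) n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation IP ranges, not real traffic)
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [26/Nov/2007:10:00:01 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [26/Nov/2007:10:00:02 -0500] "POST /contact.php?x=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [26/Nov/2007:10:00:03 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [26/Nov/2007:10:05:00 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [26/Nov/2007:10:05:09 -0500] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.5 - - [26/Nov/2007:10:06:00 -0500] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.0.2.10 - - [26/Nov/2007:10:07:00 -0500] "GET /contact.php HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
EOF
}

# Demo run on the constructed sample
log=$(mktemp)
sample_log > "$log"
echo "POSTs per script:";            post_counts "$log"
echo "Sources for /contact.php:";    post_sources "$log" /contact.php
rm -f "$log"
```

On the server in this thread the file to pass would be /var/log/httpd/access_log; query strings are stripped so variants of one script are counted together.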