On Tue, 23 May 2006, Les Mikesell wrote:

> On Tue, 2006-05-23 at 02:45, Paul Howarth wrote:
> >
> > I don't think that's what this is. Form spam takes advantage of
> > poorly-coded mail/contact forms and uses them to send mail to recipients
> > other than those intended by the form designer.
> >
> > What's happening here is that the spammer is running their own code
> > (downloaded into /tmp) to send the mail, a rather more serious
> > situation.

An old version of awstats will get you into this club, as will some of the
php based forum programs. All it takes is for someone to install one of these
in a document root and not keep up with the updates. It is insanely trivial to
exploit one of these boxes. It even gets logged in the http logs for all to see.
The hardest part is figuring out when it actually happened so you can find it
in the logs.

> If you have ssh access open there's a fair chance that someone
> has done a brute-force password guess. There is a lot of
> that going around. Or you didn't apply all of the current
> updates before exposing the system to the internet.

I suspect if ssh had been compromised that the user would have been something
other than apache. The passwd entry for apache generally looks something like
this: apache:x:48:48:Apache:/var/www:/sbin/nologin. Given this entry an ssh
login as apache would not be possible via brute force passwd attack vectors.

Regards,

Tom Diehl tdiehl@xxxxxxxxxxxx Spamtrap address mtd123@xxxxxxxxxxxx
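
An added example, not part of the original message: one way to narrow down when the compromise happened is to take the change time of each apache-owned file in /tmp and pull the access-log requests that fall within a few minutes of it. The function names, sample log lines and timestamp are constructed for illustration; the log is assumed to be in Apache common/combined format, and UID 48 is taken from the passwd entry quoted above.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix: host ident user [time] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def owned_files(directory, uid):
    """List (path, change_time) for regular files in directory owned by uid.
    ctime is used because download tools can set mtime to the remote
    server's timestamp; ctime is set by the local kernel."""
    found = []
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if entry.is_file(follow_symlinks=False) and st.st_uid == uid:
            found.append((entry.path,
                          datetime.fromtimestamp(st.st_ctime, timezone.utc)))
    return found

def parse_line(line):
    """Return (time, host, request, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, stamp, request, status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return when, host, request, int(status)

def requests_near(log_lines, when, window_minutes=5):
    """Log entries within window_minutes of the file's change time."""
    window = timedelta(minutes=window_minutes)
    entries = (parse_line(line) for line in log_lines)
    return [e for e in entries if e and abs(e[0] - when) <= window]

# Constructed sample access log (documentation addresses, placeholder URLs).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/May/2006:02:40:00 -0400] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/May/2006:03:14:41 -0400] "GET /cgi-bin/example.pl?x=1 HTTP/1.0" 200 310',
    '192.0.2.10 - - [22/May/2006:09:30:00 -0400] "GET /about.html HTTP/1.1" 200 2048',
]
# Constructed change time of a hypothetical file found in /tmp.
SAMPLE_CTIME = datetime(2006, 5, 22, 7, 15, 0, tzinfo=timezone.utc)  # 03:15 -0400

if __name__ == "__main__":
    # On a real host: for path, when in owned_files("/tmp", 48): ...
    for when, host, request, status in requests_near(SAMPLE_LOG, SAMPLE_CTIME):
        print(when.isoformat(), host, status, request)
```

The requests returned for each file are the candidates to read in full; widen `window_minutes` if nothing matches, since the file may have been rewritten after the initial request.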