Vernon,
While trying to help you with your issue, my server was attacked with a relay attack.
This does not mean you should not do what I've advised. But in a very painful two hour period I have learned more.
If you have cgi formscripts, you need this code near the top:
@referers = ('67.94.143.147','67.94.143.147');
@recipients = ('yourname@yourdomain.com');
You may need this depending on what kind of form you are using:
if ( $sender ne "yourname\@yourdomain.com" )
{
print "Content-type: text/html\r\n\r\n";
print "
Hijacking of scripts is ILLEGAL!
Your
ip address, $ENV{'REMOTE_ADDR'} has been recorded, as
as well as the date and time.
$refer
$ENV{'HTTP_REFERER'}
";
exit(0);
}
This code is a retrofit for formmail scripts that lets you stop people from using your scripts to send their mail.
I've come pretty close to closing all the holes, so when the attacker found a weak script he/she/it queued up a bunch of mail for later delivery.
mailq spots it
rm -f /var/spool/mqueue/*
Will clean out the mail queue. Good mail as well as bad will die an untimely death.
I actually saw messages queued up to go to aol.com scheduled for the next 24 hours.
Also, here is the code of robots.txt
It should keep folks out of your cgi-bin directory.
User-agent: *
Disallow: /cgi-bin
Disallow: /server-cgi
Disallow: /images
#
# Standard robot exclusion entries- PLEASE DO NOT DELETE!
#
We should exchange notes and help each other on this issue. You may have been exploited in a way that I don't know about.
I will keep up my end and feel free to update me with anything you discover.
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
