Dark Mail issue suphp

PauGasol (Verified User, joined Feb 3, 2004, 166 messages)
Hi, I'm not sure how to solve this, but it only happens on machines with custombuild and suphp, so I post it here.

We have been listed several times this week on several IPs as spammers.

They use a CGI script, a mini SMTP socket relay in fact.
They upload the CGI via FTP with a legitimate user and pass (some trojan infection on their home or work PCs, I guess), exec the CGI through Apache and then delete it, in about 4 seconds, and leave the process running.
We have a root-owned php.ini for every user with:
disable_functions = system,system_exec,exec,shell_exec,dl,passthru,ini_restore,popen,proc_open,proc_close
and CGIs disabled in all plans.

The only way to stop this spam is to disable the user in DA, contact the customer to scan and clean their system and change the password, and reopen it crossing fingers.
There must be some way to prevent this on servers without safe mode on.

Thx in advance and regards
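A check for the upload-exec-delete pattern described in the first post, as an added example that is not part of this thread or of DirectAdmin: it correlates FTP transfer log lines with Apache access log entries and flags any CGI/Perl script that was requested within seconds of being uploaded, noting whether it was deleted afterwards. The FTP line format and both sample logs are constructed for this example, and the /home/<user>/public_html document root is an assumption.

```python
import re
from datetime import datetime

# Constructed sample logs (not from the post). FTP lines use a simplified
# "ISO-timestamp user STOR|DELE path" format; Apache lines are combined format.
FTP_LOG = """\
2010-03-02T10:15:01 carlos STOR /home/carlos/public_html/cgi-bin/x.cgi
2010-03-02T10:15:04 carlos DELE /home/carlos/public_html/cgi-bin/x.cgi
2010-03-02T11:00:00 maria STOR /home/maria/public_html/logo.png
"""
ACCESS_LOG = """\
203.0.113.7 - - [02/Mar/2010:10:15:02 +0000] "GET /cgi-bin/x.cgi HTTP/1.1" 200 12 "-" "curl/7.19"
198.51.100.9 - - [02/Mar/2010:11:00:03 +0000] "GET /logo.png HTTP/1.1" 200 812 "-" "Mozilla"
"""

FTP_RE = re.compile(r"^(\S+) (\S+) (STOR|DELE) (\S+)$")
ACCESS_RE = re.compile(r'^\S+ \S+ \S+ \[([^ \]]+)[^\]]*\] "(?:GET|POST|HEAD) (\S+)')
SCRIPT_EXT = (".cgi", ".pl")

def url_path(disk_path):
    """Map an uploaded file's path to the URL Apache logs for it, assuming the
    usual /home/<user>/public_html document root (returns None otherwise)."""
    marker = "/public_html"
    idx = disk_path.find(marker)
    return disk_path[idx + len(marker):] if idx >= 0 else None

def find_drop_and_exec(ftp_log, access_log, window_s=10):
    """Return (user, url, seconds_after_upload, deleted_afterwards) for every
    CGI/Perl script that was requested within window_s seconds of its upload."""
    uploads, deletes, hits = {}, {}, {}
    for line in ftp_log.splitlines():
        m = FTP_RE.match(line)
        if not m or not m.group(4).lower().endswith(SCRIPT_EXT):
            continue  # not a transfer line, or not a script we care about
        ts = datetime.fromisoformat(m.group(1))
        user, action, path = m.group(2), m.group(3), m.group(4)
        (uploads if action == "STOR" else deletes)[path] = (ts, user)
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S")
            hits.setdefault(m.group(2).split("?")[0], []).append(ts)
    findings = []
    for path, (up_ts, user) in uploads.items():
        for hit_ts in hits.get(url_path(path), []):
            delta = (hit_ts - up_ts).total_seconds()
            if 0 <= delta <= window_s:  # executed right after landing on disk
                findings.append((user, url_path(path), delta, path in deletes))
    return findings
```

On a real server the two logs would be read from the FTP daemon's transfer log and the per-domain Apache access log; a finding whose script was deleted within seconds is the case worth checking for a process still running under that user.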
You are trying to separate malicious users from normal customers that can do the exact same thing with the same accesses: send emails.

Unless you want to cripple mail delivery for every customer, there is no way to stop this unless you teach your customers to choose hard-to-guess FTP passwords, not to save them in any FTP client, to run Spybot S&D often and to have an antivirus. It's their fault, not yours.
 
Hi tillo, thanks for the reply. I was thinking of something like disabling CGI exec for all users, except those who already know what a CGI is and ask us to activate it.
Something as simple as this could work in most cases, I think, but disabling CGI exec is something that I cannot do in this config, at least with all I have already tried.

Regards
Carlos