Hi, I'm not sure how to solve this, but it only happens on machines with custombuild and suphp, so I'm posting it here.
We have been listed several times this week on several IPs as spammers.
They use a CGI script, a mini SMTP socket relay in fact.
They upload the CGI via FTP, with a legitimate user and password (some trojan infection on their home or work PCs, I guess), execute the CGI through Apache and then delete it, in about 4 seconds, leaving the process running.
We have a root-owned php.ini for every user with:
disable_functions = system,system_exec,exec,shell_exec,dl,passthru,ini_restore,popen,proc_open,proc_close
and CGIs disabled in all plans.
The only way to stop this spam is to disable the user in DA, contact the customer to scan and clean their system and change the password, and reopen it, crossing fingers.
There must be some way to prevent this on servers without safe mode on.
Thanks in advance and regards
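A process that keeps relaying mail after its CGI file has been deleted still shows up in the kernel socket table, which records the owning UID of every connection. The following is an added example, not part of the original post: it parses `/proc/net/tcp` text and reports outbound port 25 sockets owned by anyone other than the MTA. The allowed UIDs (0 and 8) and the sample lines are constructed assumptions.

```python
import socket
import struct
import sys

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A0200C0:C350 057100CB:0019 01 00000000:00000000 00:00000000 00000000  1005        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 0A0200C0:C351 057100CB:0019 01 00000000:00000000 00:00000000 00000000     8        0 33333 1 0000000000000000 20 4 30 10 -1
   3: 0A0200C0:C352 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1005        0 44444 1 0000000000000000 20 4 30 10 -1
"""

SMTP_PORT = 25
ACTIVE_STATES = {"01", "02"}  # ESTABLISHED, SYN_SENT


def decode_ipv4(hex_addr):
    """Decode the hex IPv4 address as printed on a little-endian host."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def find_smtp_senders(table_text, allowed_uids=frozenset({0, 8})):
    """Return (uid, remote_ip, inode) for outbound port-25 sockets whose
    owner is not an allowed UID. allowed_uids is an assumption: root and
    the UID the MTA runs as on this constructed host."""
    findings = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        rem_addr, rem_port = fields[2].split(":")
        state, uid, inode = fields[3], int(fields[7]), int(fields[9])
        if int(rem_port, 16) != SMTP_PORT or state not in ACTIVE_STATES:
            continue
        if uid not in allowed_uids:
            findings.append((uid, decode_ipv4(rem_addr), inode))
    return findings


if __name__ == "__main__":
    # Pass /proc/net/tcp as the argument on a live server; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for uid, ip, inode in find_smtp_senders(text):
        print(f"uid={uid} -> {ip}:25 socket inode={inode}")
```

The reported inode can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to find the process to kill; IPv6 connections are listed separately in `/proc/net/tcp6` with wider address fields.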