Hi,

I was having a spam problem where the server is being injected through php (XSS) and is being used as a spammer.

I have added mod_security to the apache setup to avoid this. That has solved the problem of dinky php injections.

Sendmail is still sending quite a bit of spam. I was told of an injection through anon. ftp sites to get past the mod_security setup. Then the hacked would execute a link on a particular site to trigger the injection passed through ftp.

My question:

Is this ftp style injection possible? If so, how can I find out if it is the case with my server? Also if there is anything I can setup agenst this style of injection on my server?

Thank you for your help...

WuHaa!!!

Sendmail is still sending quite a bit of spam.
Then not all XSS where fixed?
Or are you running an open relay by any chance?
Does any logging show any clues?


I was told of an injection through anon. ftp sites to get past the mod_security setup. Then the hacked would execute a link on a particular site to trigger the injection passed through ftp. Is this ftp style injection possible?
Any more details on what you've been told? If PHP is not in safemode (fopen*) then protocol or location doesn't matter AFAIK.


If so, how can I find out if it is the case with my server? Also if there is anything I can setup agenst this style of injection on my server?
Check if you can apply all basic PHP security measures. Check developer/maintainer/community support for the PHP-based SW you run to see if new releases fix any XSS holes. If no support is given or no fixes are available or if it's homebrew you could use http://www.owasp.org/index.php/Cross_Site_Scripting, http://ha.ckers.org/xss.html and http://phpsec.org/library/ as a starting point to audit the code yourself, or use something like http://quickwired.com/kallahar/small...r_function.php and http://forum.hardened-php.net/viewto...p?pid=291#p291. http://www.acunetix.com/security-audit/ could also be helpful in determining XSS vulnerabilities.