1
pmhoran
Stupid Question (?) re: bounced mail - spammers - Xoops security?
  • 2004/2/10 14:53

  • pmhoran

  • Not too shy to talk

  • Posts: 115

  • Since: 2003/2/21


Hi ...

The past week I have been inundated with bounced emails I did not send. I have (for the past few weeks) been testing XOOPS & PHP-Nuke in separate directories (& their own DBs) on the same webspace ... just testing and trying various modules etc.

I suspected someone has "hijacked" a script in one of the installations and was using it to send out their spam. Neither site was open for registered users or signups or anything ... there was only me as admin set up ... although anyone could view the sites. I do not have formmail.pl or anything like it installed ... so the problem must be with one of the installations.

I use WHM/Cpanel (which has had issues in the past) but am using the latest build, I think (version 8.8.0 - R73). I have 5 other domains and provide space for 6 friends' websites. All use the same Cpanel version ... and my test site is the only one that has experienced this problem.

Because I have decided to "go with" XOOPS ... I was intending to eventually delete the test sites and their databases and start from scratch again. Just not quite this soon ... but I deleted everything yesterday. Since then I have had no more bounces. But I am finding myself kind of hesitant to install anything until I can figure out where & how this "breach" happened.

I have searched this site ... and have found nothing on this specific issue. I searched PHP-Nuke & Nukecops site ... and I did find references to the exact problem there. Trouble is ... those references did not indicate a problem (or they would not admit to a problem with their CMS) ... rather they blamed it on WHM/Cpanel ... which I am pretty sure is not the problem in my instance.

Does anyone know if this "might" be a problem with XOOPS? Or if it's a definite problem with PHP-Nuke? Anyone have suggestions on what steps or measures I should take when I reinstall XOOPS to make sure it will not or cannot happen in the future? Anyone know of any specific modules I should avoid using that might be the cause or a contributing factor to my problem?

Any and all comments and/or suggestions will be appreciated.

Thanks much
Peter

2
Mithrandir
Re: Stupid Question (?) re: bounced mail - spammers - Xoops security?

I cannot say for sure. Don't want to be referenced as someone who is just shifting blame.

All I know is that we have not had reports of such problems with XOOPS - rather the contrary, where it wouldn't send mails when it actually should do so.

3
pmhoran
Re: Stupid Question (?) re: bounced mail - spammers - Xoops security?
  • 2004/2/10 15:06

  • pmhoran

  • Not too shy to talk

  • Posts: 115

  • Since: 2003/2/21


WOW ... now THAT was quick

I was just about to edit my post when I saw your response ... Thanks Mithrandir.

I was going to add a P.S. at the bottom ... that I was pretty sure the problem was PHP-Nuke ... and NOT XOOPS or Cpanel.

I guess I am basically looking for assurances that what I am thinking is the problem is also thought to be the problem by others with more knowledge than me. I think you just did that.

Thanks again. Anyone else want to share their thoughts on the subject?

Peter

4
DobePhat
Re: Stupid Question (?) re: bounced mail - spammers - Xoops security?
  • 2004/2/10 16:36

  • DobePhat

  • Friend of XOOPS

  • Posts: 656

  • Since: 2003/4/15


Re:

formmail.pl

Interesting....in my server stats...that file is repeatedly searched for (and not found)...so either there are robots out there or some other weird thing!

Such security is an issue of concern for me as well....
nothing turns off users more than spam...and would hate to think I contributed in any way.

-I also notice with a module...and I won't mention it by name (because I can't say with certainty)...but upon installation of it I usually get an influx of junk mail...from a specific region.....it completely confuses me. And most likely is just an odd coincidence.

Anyways..
Yes, what's the deal with formmail being searched for?

5
pmhoran
Re: Stupid Question (?) re: bounced mail - spammers - Xoops security?
  • 2004/2/10 17:08

  • pmhoran

  • Not too shy to talk

  • Posts: 115

  • Since: 2003/2/21


DobePhat ...

Yes ... there are well known security issues with formmail.pl (and a few of the formmail clones too I think). They are easily compromised or "hijacked" by spammers. It seems by the time the developers of the programs have fixed one security problem the spammers have already figured out how to hijack the fix.

I too have had people visiting my sites trying to find a formmail program. I do not allow formmail or its clones on any of my sites or web space I provide to friends. I used to report the attempts to the user's ISP hoping they could determine who was using the IP at the time the attempt was made. Not once did any of the ISPs seem to take action or anything. So in a dramatically "over the top" attempt to light a fire under the ISP's butt ... when an attempt is made now ... I send the info to the ISP and when one of their IPs is used for a 3rd time ... I ban all IPs assigned to that ISP. I tell them to let me know when the problem with their user(s) is resolved ... then I will remove their IP numbers from the banned list.

I usually get 4000 to 6000 unique visitors a week on the site that seems to get hit the most ... and I was a little concerned I might end up banning hundreds of visitors. But I started this a few months ago and the numbers have remained constant. The only ISP I have a chronic problem with that I haven't yet banned is AOL ... and I am getting close to the point where I will ban them and all their users. When I started the banning of IPs ... I was getting at least one person daily trying to find formmail or a version of it. Now ... I get maybe one every 4 or 6 weeks. So my solution might be over the top but it seems to be working.
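The probe counting discussed in the last two posts (requests for formmail.pl showing up in server stats, and acting on a source's third attempt) can be automated over a web server access log. The following is an added example, not code from any poster in this thread; it assumes Combined Log Format, a constructed sample log, and a filename pattern chosen for illustration, and it counts per source IP only (mapping an IP to its ISP's address ranges is not attempted).

```python
import re
from collections import Counter

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')

# Requests whose final path component is a formmail-style script name.
# The exact name/extension list is an assumption made for this example.
PROBE_RE = re.compile(r'/form[-_]?mail(?:\.(?:pl|cgi|php))?$', re.IGNORECASE)

BAN_THRESHOLD = 3  # the post acts when a source is seen "for a 3rd time"

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2004:14:01:02 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 287 "-" "-"
192.0.2.10 - - [10/Feb/2004:14:01:03 +0000] "GET /cgi-bin/FormMail.cgi HTTP/1.0" 404 288 "-" "-"
192.0.2.10 - - [10/Feb/2004:14:01:05 +0000] "GET /scripts/formmail.php?id=1 HTTP/1.0" 404 290 "-" "-"
198.51.100.7 - - [10/Feb/2004:15:20:11 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 287 "-" "-"
203.0.113.5 - - [10/Feb/2004:16:00:00 +0000] "GET /modules/news/index.php HTTP/1.1" 200 5120 "-" "-"
203.0.113.5 - - [10/Feb/2004:16:00:09 +0000] "GET /docs/formmail-howto.html HTTP/1.1" 200 2048 "-" "-"
this line is malformed and is skipped
"""


def find_probes(lines):
    """Return a Counter of formmail-style probe requests per source IP."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, target = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if PROBE_RE.search(path):
            counts[ip] += 1
    return counts


def ban_candidates(counts, threshold=BAN_THRESHOLD):
    """Source IPs that have reached the probe threshold, sorted."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG.splitlines())
    for ip, n in probes.most_common():
        print(f"{ip}\t{n} probe(s)")
    print("at or over threshold:", ban_candidates(probes))
```
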

