Server downtime

I have a dedicated server using linux and apache that is being exploited by someone using it to relay spam. They have been able to exploit the server via a php formmail script I have been using. I have this script running on dozens of web sites, so changing the script is not the solution. I have since installed a robots.txt blocking these files from being picked up by the spam robots.

I also get messages like this about a virus from one bogus alias on my domain to another bogus alias:

This is a message from the MailScanner E-Mail Virus Protection Service
----------------------------------------------------------------------
The original e-mail attachment "information.zip"
was believed to be infected by a virus and has been replaced by this warning
message.

If you wish to receive a copy of the *infected* attachment, please
e-mail helpdesk and include the whole of this message
in your request. Alternatively, you can call them, with
the contents of this message to hand when you call.

At Sat Apr 1 10:56:49 2006 the virus scanner said:
ClamAV Module: information.ht.scr was infected: Worm.Mytob.CA
MailScanner: Windows Screensavers are often used to hide viruses (information.ht.scr)

Note to Help Desk: Look on the WebDesign MailScanner in /home/virtual/site16/fst/var/spool/mail.quarantine/20060401 (message k31IuZrQ005959).
--
Postmaster
MailScanner thanks transtec Computers for their support

Unfortunately I am a designer and not a programmer so I know next to nothing about how to go about solving this problem and my mail and server are going down too often. I have talked to my server guys but they don't seem to know what do to about it. Can someone recommend a plan of action for me to take to stop this from happening once and for all?

Thank you!

Get the server looked at by a professional system administrator/security expert, so that you can stop this from happening. It's going to end up causing you more problems -- these hackers are like ants, they find a crum and they call more ants!

I think changing of the script is your only solution

Well, new compromises are found every day and sometimes you need to adapt. I am not certain you can keep using the same script if its now exploitable (it probably has been for some time - as we have been seeing this sort of thing for quite awhile)

Best advise I can give you is to 1) install mod_security and the proper rule set to block this sort of injection and 2) change your script to a more secure version that offers some sort of increased authentication

Hope this helps

I would also consider switching to a fully managed dedicated provider or minimally a host with a clue. That is to say that minimally your current host should have told you to disable/rename the script. However I get the impression you are using an unmanged service and they are not going to support these issues. Hence the reason I suggest you switch to a host that will. A compromised server in the hands of a crafty spammer/cracker is a really bad thing ...