Forum: Community Center


Subject: Has your rosity email been lifted by spammers?

prodev opened this issue on Jul 08, 2007 · 411 posts


Penguinisto posted Sat, 14 July 2007 at 12:56 AM

Attached Link: http://www.securityfocus.com

> Quote - I'll repeat the crucial line here: Members systems are most likely infected with trojans generating spam. So what do you think you prove with above mentioned actions?
> What guarantees do you have that the system used by the person you sent an email to is not generating spam (with a possible spoofed alias)!!!

Ooookay... Andy: This is coming from a systems administrator (*nix, Linux, BSD, and I stopped bothering with the MCSE since Win2k because my CV is too damned cluttered as it is) who has to deal with lots of fun stuff of a very similar nature, but for a much larger corporation (and in a hybrid environment where things change all the time, but that's not important). In short, I'm not exactly the average user here. So please, keep any condescension and potential snobbery in check - at least for long enough to read this...

First: Rendo uses PHP, hard. PHP has a nasty habit of leaking all over the place (speakin' of which, are you people allergic to Java or something? But I digress...) The list of vulns due to poor coding practices, buggy control sets, and the overall craptastic nature of PHP itself - let's just say that the exploits are legion. A site of this size using PHP is IMHO frightening. Fortunately, you don't get any email addys out of me that I don't already have filtered 900 ways from Sunday. My filters started seeing an increase roughly about the same time that others in here have been seeing problems, and a handful have actually managed to slip through before SpamAssassin's heuristics managed to adapt to it. Thing is, I don't use Windows. While I will never claim that any OS is safe, I find it highly interesting that your hypothesis - a "trojan" - would simultaneously infect Mac OS X and Windows (which I don't use, remember) --and-- Outlook Express (theirs) and Thunderbird (mine) in the same time frame. I'd almost get better odds at winning the jackpot on Powerball.

Second: If you're serious about investigating this, hit up the link I pecked in up there, then go to the Vulnerabilities section in its main menubar. Have your scripting crew comb over that mofo with a fine-toothed comb and check against their work, starting from the time frame in question and working your way back. Meanwhile, YOU need to make sure you've got all your patches in. I don't care if you say you do - double check (yes, I do the same thing when I think there's something amiss as well). Have a second pair of eyes look over both the list of patches and the PHP scripts. I realize with Bondware jammed into the works that this won't be easy, but I strongly suggest that you do this anyway.

Third: MySQL... is it patched and current in there? Did you leave anything out? (Understandable if a patch or two might break functionality, but you need to work with the scriptmonkeys on that, and they need to make the fixes needed.)

Fourth: I recall someone (Clint I think?) saying something about Oracle. Umm, you know the drill by now. Same as above. If it's RAC, remember about the STONITH/heartbeat util, else you get to eat some downtime.

Finally: Rendo handles CC#s and identity info. You don't want to know the legal penalties and potential pitfalls of that info leaking out. Instead of hanging out here in the fora mouthing on about users and trojans, you and your cohorts need to be burning some midnight oil in investigating and fixing this... before it does something decidedly nastier than generate a list of spam targets.

I'll stop at the 2-ruble mark... /P