[TriLUG] system inexplicably sending spam (Problem Found)

Blackburn, Marvin mblackburn at glenraven.com
Tue Dec 4 14:55:22 EST 2007


This was found to be an insertion attack via php.  The developer is fixing
the problem and we are upgrading php/apache etc to deal with it.
Thanks for the help.

-----Original Message-----
From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On Behalf Of Neil L. Little
Sent: Sunday, December 02, 2007 6:49 PM
To: Triangle Linux Users Group General Discussion
Subject: Re: [TriLUG] system inexplicably sending spam

In my case it was on Fedora 4 with sendmail and a Perl vulnerability that
allowed a script kiddie to use wget to cause a buffer overrun and execute a
script. They were then able to reconfigure sendmail to set up a relay. Using
the apache logs and syslog and a few other things I was able to find I had
been zombied. I didn't know about intrusion detection then so never did find
where it was all coming from.

73,
Neil Little, WA4AZL
JARS Forever!!

Blackburn, Marvin wrote:
> This sounds all very familiar.   Thank you
>
> -----Original Message-----
> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On Behalf Of Steve Hoffman
> Sent: Sunday, December 02, 2007 2:44 PM
> To: Triangle Linux Users Group General Discussion
> Subject: Re: [TriLUG] system inexplicably sending spam
>
> I ran a server that hosted a website with a "contact us" form.  The issue
> turned out to be header injection of the form in one case...the developers
> fixed that and later I found that someone had taken the source of the page,
> created a local copy and simply posted their spam message with injections
> directly to our server...I put a php page that intercepted all messages and
> filtered out any that weren't legit (i.e. no bcc fields allowed, no CC
> fields allowed, only one recipient that was in a predefined list, etc.).
>
> It was a bit tricky to track it all down, but ultimately the apache logs shed
> a lot of light on it (POSTs from the IP where the spam was originating) and
> it was all confirmed with a wireshark trace as to exactly what was
> happening.
>
> HTH
> Steve
>
> On Dec 2, 2007 2:17 PM, Blackburn, Marvin <mblackburn at glenraven.com> wrote:
>
>   
>> We have a server that does not allow incoming smtp traffic into it from
>> the outside.  We have a sendmail running on a RHEL 3 update 7 with the
>> latest sendmail available through redhat.
>> In addition, sendmail is configured only to accept email from the local
>> host: 127.0.0.1.  Late Friday, the system started sending spam via
>> sendmail.
>> The only connections from outside that are allowed are through http and
>> https (ports 80 and 443).  We cannot determine what is generating the
>> email.
>> We can see it being sent, but can't determine the process that's
>> responsible.
>>
>> Any help would be appreciated in finding what might be causing it.  This
>> server is a webserver.
>>
>>
>>
>> _____________________________________
>> "He's no failure. He's not dead yet."
>> William Lloyd George
>>
>>
>>
>>
>>
>> --
>> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
>> TriLUG Organizational FAQ  : http://trilug.org/faq/
>> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>>
>>     
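Steve's fix (no CC or BCC fields, a single recipient from a predefined list) and Marvin's "insertion attack via php" describe the same bug: mail header injection through a web contact form, where a user-supplied field carrying a CR/LF pair becomes an extra header when it is concatenated into the block handed to the MTA. Steve's second finding matters too: the attacker posted a hand-built copy of the form straight at the server, so only a server-side check helps. The following is an added example, not code from the thread or from either poster's server. It models the vulnerable concatenation and its hardened replacement in Python rather than PHP so it can be run offline; the recipient whitelist, the field names, and the attacker's POST body are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs

# Assumed whitelist: the only addresses the form may deliver to.
ALLOWED_RECIPIENTS = {"sales@example.com", "support@example.com"}
# Header names a client should never be able to introduce.
SMUGGLED_NAMES = {"cc", "bcc"}
LINE_BREAK = re.compile(r"[\r\n]")
ADDRESS = re.compile(r"[^\s@<>,;]+@[^\s@<>,;]+\.[^\s@<>,;]+")

# Constructed attacker POST body: %0D%0A is CRLF, which turns the tail of the
# "email" field into a Bcc header once it is spliced into the header block.
ATTACK_BODY = ("to=sales%40example.com&subject=hello"
               "&email=attacker%40evil.test%0D%0ABcc%3A+victim1%40example.net%2C+victim2%40example.net"
               "&message=buy+now")
# Constructed legitimate submission for comparison.
CLEAN_BODY = "to=sales%40example.com&subject=hello&email=alice%40example.org&message=hi"


class RejectedSubmission(ValueError):
    """Raised when a form post fails the server-side checks."""


def parse_form(raw_body):
    """Decode an application/x-www-form-urlencoded POST body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}


def naive_headers(form):
    """The vulnerable pattern: fields spliced straight into the header block,
    the equivalent of PHP's mail($to, $subject, $body, "From: $email")."""
    return (f"To: {form['to']}\r\n"
            f"Subject: {form['subject']}\r\n"
            f"From: {form['email']}\r\n")


def headers_as_mta_sees(block):
    """Split a header block the way an MTA does: one header per CRLF-terminated line."""
    out = []
    for line in block.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            out.append((name.strip().lower(), value.strip()))
    return out


def extra_recipients(block):
    """Return any Cc/Bcc headers, or a second To header, the client smuggled in."""
    seen_to = 0
    smuggled = []
    for name, value in headers_as_mta_sees(block):
        if name == "to":
            seen_to += 1
            if seen_to > 1:
                smuggled.append((name, value))
        elif name in SMUGGLED_NAMES:
            smuggled.append((name, value))
    return smuggled


def safe_headers(form):
    """Hardened builder: recipient must be on the list, no line break in any
    client-supplied field, and the sender must be exactly one address."""
    to = form.get("to", "")
    if to not in ALLOWED_RECIPIENTS:
        raise RejectedSubmission("recipient not in the allowed list")
    for field in ("email", "subject"):
        if LINE_BREAK.search(form.get(field, "")):
            raise RejectedSubmission(f"line break in {field}")
    if not ADDRESS.fullmatch(form.get("email", "")):
        raise RejectedSubmission("sender is not a single address")
    return (f"To: {to}\r\n"
            f"Subject: {form.get('subject', '')}\r\n"
            f"From: {form.get('email', '')}\r\n")


def handle_submission(raw_body):
    """Server-side entry point: (True, header_block) or (False, reason)."""
    try:
        return True, safe_headers(parse_form(raw_body))
    except RejectedSubmission as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("naive build smuggles:", extra_recipients(naive_headers(parse_form(ATTACK_BODY))))
    print("hardened build:", handle_submission(ATTACK_BODY))
    print("clean submission:", handle_submission(CLEAN_BODY)[0])
```

The check is done on the decoded field, not on the raw POST body, because the injected CRLF arrives percent-encoded and only becomes a line break after decoding. Rejecting line breaks outright is simpler and safer than trying to strip them, and fixing the recipient list on the server side removes the hidden "to" field as an attack surface regardless of what the client sends.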

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3921 bytes
Desc: not available
URL: <http://www.trilug.org/pipermail/trilug/attachments/20071204/94605d48/attachment.bin>
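Marvin could see mail leaving but not which process submitted it, and Steve found the answer in the apache logs (POSTs from the IP the spam was coming from). Those two observations join up in the logs the box already keeps: sendmail's maillog records, for each envelope it accepts, the local user that handed it over (the relay=user@localhost field), and Apache's access_log records the remote client that hit the form a moment earlier. The following is an added example, not from the thread; the access_log and maillog lines are constructed in the formats Apache's combined log and sendmail use, and the form path /contact.php, the year (syslog timestamps carry none), the correlation window, and the recipient-count threshold are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-format access_log lines (not from the thread).
ACCESS_LOG = """\
10.0.0.5 - - [02/Dec/2007:13:59:58 -0500] "GET /contact.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Dec/2007:14:01:03 -0500] "POST /contact.php HTTP/1.1" 200 211 "-" "Python-urllib/2.5"
198.51.100.23 - - [02/Dec/2007:14:01:04 -0500] "POST /contact.php HTTP/1.1" 200 211 "-" "Python-urllib/2.5"
10.0.0.5 - - [02/Dec/2007:14:03:10 -0500] "POST /contact.php HTTP/1.1" 200 211 "http://www.example.com/contact.php" "Mozilla/5.0"
198.51.100.23 - - [02/Dec/2007:14:05:41 -0500] "POST /contact.php HTTP/1.1" 200 211 "-" "Python-urllib/2.5"
""".splitlines()

# Constructed /var/log/maillog lines in sendmail's envelope ("from=") format.
# relay=apache@localhost names the local user that submitted the message.
MAILLOG = """\
Dec  2 14:01:05 www sendmail[2231]: lB2J15Ab002231: from=<apache@www.example.com>, size=812, class=0, nrcpts=40, msgid=<200712021901.lB2J15Ab002231@www.example.com>, relay=apache@localhost
Dec  2 14:03:11 www sendmail[2240]: lB2J3BTc002240: from=<apache@www.example.com>, size=300, class=0, nrcpts=1, msgid=<200712021903.lB2J3BTc002240@www.example.com>, relay=apache@localhost
Dec  2 14:05:42 www sendmail[2262]: lB2J5gCd002262: from=<apache@www.example.com>, size=790, class=0, nrcpts=38, msgid=<200712021905.lB2J5gCd002262@www.example.com>, relay=apache@localhost
""".splitlines()

ACCESS_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d) [+-]\d{4}\] "(\S+) (\S+)[^"]*"')
MAIL_RE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d):(\d\d):(\d\d) \S+ sendmail\[\d+\]: (\w+): (.*)$")


def parse_access(lines):
    """Yield (timestamp, client_ip, method, path) for each well-formed access_log line."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            ip, ts, method, path = m.groups()
            yield datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"), ip, method, path.split("?", 1)[0]


def parse_maillog(lines, year):
    """Yield (timestamp, queue_id, fields) for sendmail envelope lines.
    syslog timestamps have no year, so the caller supplies one (assumed)."""
    for line in lines:
        m = MAIL_RE.match(line)
        if not m:
            continue
        mon, day, hh, mm, ss, qid, rest = m.groups()
        if not rest.startswith("from="):
            continue
        fields = dict(kv.split("=", 1) for kv in rest.split(", ") if "=" in kv)
        ts = datetime(year, datetime.strptime(mon, "%b").month, int(day), int(hh), int(mm), int(ss))
        yield ts, qid, fields


def post_counts(access_lines, form_path="/contact.php"):
    """POSTs to the form per client IP: the spam source stands out by volume."""
    return Counter(ip for _, ip, method, path in parse_access(access_lines)
                   if method == "POST" and path == form_path)


def correlate(access_lines, mail_lines, form_path="/contact.php",
              min_rcpts=10, window=10, year=2007):
    """For each bulk message sendmail accepted from a local user (relay=...@localhost),
    return the client IPs that POSTed to the form within `window` seconds before it."""
    posts = [(ts, ip) for ts, ip, method, path in parse_access(access_lines)
             if method == "POST" and path == form_path]
    hits = {}
    for ts, qid, f in parse_maillog(mail_lines, year):
        if not f.get("relay", "").endswith("@localhost") or int(f.get("nrcpts", "0")) < min_rcpts:
            continue
        hits[qid] = sorted({ip for pts, ip in posts if 0 <= (ts - pts).total_seconds() <= window})
    return hits


if __name__ == "__main__":
    print("POSTs per client:", post_counts(ACCESS_LOG))
    for qid, ips in correlate(ACCESS_LOG, MAILLOG).items():
        print(f"{qid}: {len(ips)} candidate client(s) -> {ips}")
```

The relay field answers the "which process" question at the coarsest useful level (the web server's user, hence a script it runs), and the timing join with the access log turns that into a client address and a URL, which is what Steve then confirmed on the wire with wireshark. The legitimate POST from 10.0.0.5 produces a single-recipient message and is filtered out by the recipient-count threshold.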