
Re: [cobalt-users] Mail Bomb ... I'm stumped

"Ursula" <ursulasays@xxxxxxxxxxxx> wrote:
> We've had a couple of strange incidents on a 4i. They
> appear to be deliberate mail bombs, but appear to be
> generated by httpd rather than coming from the
> outside.

Based on what you've shared it doesn't appear to be a web-based script
hosted on your server.  Out of curiosity, were the emails you discovered
bounces or were they delivered to local users?  Also, for the benefit of
others, old versions of Matt Script's FormMail aren't the only form based
email scripts that are insecure, the program can be installed with any
filename and thanks to Apache's AddType directive it can have numerous/any
extensions.  Also, the "locate" command is case-sensitive.  Checking the
Apache logs for unusual numbers of occurrences of the same file over a short
period of time can lead you to a good candidate for a script that
may have been hijacked by a spammer or someone malicious.  But let's look at
what we know...

> Return-Path: <httpd>
> Received: (from httpd@localhost)

It was either sent by user httpd or a script running as httpd.  If someone
was logged into the shell as httpd they likely have root user privileges and
you have real problems.  It's more likely that the emails were generated by
a script running as user httpd.  And in order for the script to be executed,
it must have either had user, group or world executable permission.  That
probably goes without saying, but armed with that information it should be
easy to narrow down the candidates.  The program "find" is your friend.  If
we thought the offending script was in a site we could do:

find /home/sites/ \
\( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
-type f -user httpd -exec ls -al {} \;

This would search the path /home/sites (parent directory of sites web file
and user web directories) for files with user, group or world executable
permissions respectively, which are files (as opposed to directories or
links), owned by user httpd and then execute the command "ls -al" on each
matching file, returning the permissions, owner, group, timestamp and full
path of each matching file.  We could then do further investigation.  If
it's a short list I'd typically start with files that sounded suspicious,
were recently created or put them on a dart board, throw a dart and look at
the code for the one I hit.

But I actually suspect that the file is in /home/tmp/ so I'd also run the
script to check that path.  Or check the entire server by doing this:

find / \
\( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
-type f -user httpd -exec ls -al {} \;

Why do I suspect /home/tmp/?  I suspect it because I've seen several
rootkits and IIRC at least one insecure PHP application which either
installed scripts in that directory running as httpd or allowed such scripts
to be uploaded there.  In two or three cases I've seen fairly sophisticated
scripts which emailed an extensive list of recipients (adult content spam)
both pulled from a file uploaded to the server and recipients pulled from
another server by a separate script which made a socket connection to
another server.

Now,

> Subject: Eat My Shit

and

> How are you twit?

seem a little more malicious and likely less sophisticated, but I wouldn't
rule out something like what I've encountered before.  Ursula, please keep
in mind that my theory isn't the only plausible theory, but I hope my
experience with this sort of thing helps you in your investigation and any
others who may run into something similar.  And I'd definitely install/run
chkrootkit, though that's not the be all end all of security.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
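An added example, not part of Steve's reply or the original post: a small POSIX shell/awk check for the log pattern the reply describes (the same script requested unusually often within a short period), which gives you the candidate list to follow up with the find command above. The access-log lines are constructed, and the one-minute window and the hit threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): flag request paths that
# appear unusually often within a short window of an Apache access log.
# Assumes Common/Combined Log Format: field 4 is "[dd/Mon/yyyy:HH:MM:SS"
# and field 7 is the request path.

# Constructed sample log: three POSTs to one CGI script inside one minute.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2002:13:55:01 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 200 312
203.0.113.5 - - [10/Oct/2002:13:55:02 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 200 312
203.0.113.5 - - [10/Oct/2002:13:55:03 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 200 312
198.51.100.7 - - [10/Oct/2002:13:55:09 -0400] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [10/Oct/2002:13:56:12 -0400] "GET /cgi-bin/contact.cgi HTTP/1.0" 200 512
EOF

# busy_paths LOGFILE THRESHOLD
# Prints "count minute path" for every (minute, path) pair whose request
# count is at least THRESHOLD, busiest first.  The window is one minute,
# an assumption; widen it by shortening the substr() length.
busy_paths() {
    awk -v limit="$2" '
        {
            # drop the leading "[" and the seconds: dd/Mon/yyyy:HH:MM
            minute = substr($4, 2, 17)
            hits[minute " " $7]++
        }
        END {
            for (k in hits)
                if (hits[k] >= limit)
                    print hits[k], k
        }' "$1" | sort -rn
}

# Usage: list the candidates, then check each one's owner and permissions
# under the web root with the find command from the reply.
busy_paths "$SAMPLE_LOG" 3
```

Raise the threshold for a busy site; on a quiet Cobalt box even a handful of hits per minute to one CGI script stands out.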