Re: [cobalt-users] Mail Bomb ... I'm stumped
- Subject: Re: [cobalt-users] Mail Bomb ... I'm stumped
- From: Ursula <ursulasays@xxxxxxxxxxxx>
- Date: Fri Nov 22 01:33:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
--- Steve Werby <steve-lists@xxxxxxxxxxxx> wrote:
> "Ursula" <ursulasays@xxxxxxxxxxxx> wrote:
> > We've had a couple of strange incidents on a 4i. They
> > appear to be deliberate mail bombs, but appear to be
> > generated by httpd rather than coming from the outside.
>
> Based on what you've shared it doesn't appear to be
> a web-based script
> hosted on your server. Out of curiosity, were the
> emails you discovered
> bounces or were they delivered to local users?
They weren't bounces, all were delivered to
httpd@localhost. They all had reply-tos @hotmail (real
accounts with storage exceeded bounces, or fake
accounts, doubling the problem).
> Also, for the benefit of
> others, old versions of Matt Script's FormMail
> aren't the only form based
> email scripts that are insecure, the program can be
> installed with any
> filename and thanks to Apache's AddType directive it
> can have numerous/any
> extensions. Also, the "locate" command is
> case-sensitive. Checking the
> Apache logs for unusual numbers of occurrences of the
> same file over a short period of time can lead you to a good
> candidate for a script that
> may have been hijacked by a spammer or someone
> malicious. But let's look at
> what we know...
>
> > Return-Path: <httpd>
> > Received: (from httpd@localhost)
>
> It was either sent by user httpd or a script running
> as httpd. If someone
> was logged into the shell as httpd they likely have
> root user privileges and
> you have real problems.
The only vaguely suspicious output from chkrootkit was
this:
Searching for suspicious files and dirs, it may take a
while...
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/mod_perl/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/MD5/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Quota/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/XML/Parser/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Devel/Symdump/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/DBI/.packlist
/usr/lib/perl5/site_perl/5.005/i386-linux/auto/Msql-Mysql-modules/.packlist
/usr/lib/perl5/5.00503/i386-linux/.packlist
I believe the .packlist files being found are false
positives, so I'm reasonably sure the server is safe.
There have been a few instances of this bombing, of
various intensities, over the past couple of weeks -
It seems odd that someone with root access would draw
attention to their entry in such a manner (though I
suppose nothing would surprise me about how such
people get their jollies).
> It's more likely that the
> emails were generated by
> a script running as user httpd. And in order for
> the script to be executed,
> it must have either had user, group or world
> executable permission. That
> probably goes without saying, but armed with that
> information it should be
> easy to narrow down the candidates. The program
> "find" is your friend. If
> we thought the offending script was in a site we
> could do:
>
> find /home/sites/ \
> \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
> -type f -user httpd -exec ls -al {} \;
>
This did show up something curious, all the stats
files and folders generated by webalizer. Nothing
unfamiliar stood out though. There are 160-odd sites
on here though, rather tricky to search the content of
each individual file.
The other httpd suspects are php and Frontpage, with
so many files involved I'm not sure what way to check
them all for something that may be the culprit -
particularly as the access/error logs revealed nothing
at all out of the ordinary correlating with the time
the first email came through.
>
> But I actually suspect that the file is in
> /home/tmp/ so I'd also run the
> script to check that path. Or check the entire
> server by doing this:
>
> find / \
> \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
> -type f -user httpd -exec ls -al {} \;
>
> Why do I suspect /home/tmp/?
Nothing at all out of the ordinary in /home/tmp/
>
> Now,
>
> > Subject: Eat My Shit
>
> and
>
> > How are you twit?
>
> seems a little more malicious and likely less
> sophisticated, but I wouldn't
> rule out something like what I've encountered
> before. Ursula, please keep
> in mind that my theory isn't the only plausible
> theory, but I hope my
> experience with this sort of thing helps you in your
> investigation and any
> others who may run into something similar. And I'd
> definitely install/run
> chkrootkit, though that's not the be all end all of
> security.
All of the variations of the email have been in a
similarly childish vein - "Bite me", "I'm the
greatest", and other similar drivel.
Thanks for your helpful reply. My main suspects are
still a disguised php file, or maybe a Frontpage
exploit, but digging up the culprit is proving to be
an enormous headache.
=====
--
Ursula
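The two checks Steve suggests above (executable files owned by httpd, and a single script being hit an unusual number of times in the Apache logs) as a small POSIX shell script. This is an added example, not code from the thread; the function names, the threshold and the sample log lines are mine and constructed for illustration.

```shell
#!/bin/sh
# Added example: two triage checks for a mail-sending script running as httpd.
# Function names and sample data are assumptions, not from the original post.

# List regular files under $1 owned by user $2 (default httpd) that have any
# execute bit set (user, group or world). These are the only files Apache
# could have run, so they are the candidates for a hijacked form script.
httpd_exec_candidates() {
  dir=$1; owner=${2:-httpd}
  find "$dir" \( -perm -0100 -o -perm -0010 -o -perm -0001 \) \
       -type f -user "$owner" -exec ls -al {} \;
}

# Read Common/Combined Log Format lines on stdin, count requests per path
# (query string stripped) and print paths with more than $1 hits
# (default 50), most frequent first. A form script hammered hundreds of
# times in a short window is the pattern Steve describes.
hot_paths() {
  threshold=${1:-50}
  awk -v t="$threshold" '
    { split($0, q, "\""); split(q[2], r, " "); p = r[2];
      sub(/\?.*/, "", p); n[p]++ }
    END { for (p in n) if (n[p] > t) print n[p], p }' | sort -rn
}

# Constructed sample access log (not real traffic): three POSTs to one
# CGI script and one ordinary page hit.
SAMPLE_LOG='10.0.0.1 - - [21/Nov/2002:01:00:01 +0000] "POST /cgi-bin/form.cgi HTTP/1.0" 200 512 "-" "-"
10.0.0.1 - - [21/Nov/2002:01:00:02 +0000] "POST /cgi-bin/form.cgi HTTP/1.0" 200 512 "-" "-"
10.0.0.1 - - [21/Nov/2002:01:00:03 +0000] "POST /cgi-bin/form.cgi?x=1 HTTP/1.0" 200 512 "-" "-"
10.0.0.2 - - [21/Nov/2002:01:00:04 +0000] "GET /index.html HTTP/1.0" 200 1024 "-" "-"'

# Run the log check over the sample with a deliberately low threshold of 2.
flagged() { printf '%s\n' "$SAMPLE_LOG" | hot_paths 2; }

flagged
```

Against a real server, feed the whole access_log to `hot_paths` with the default threshold and narrow the time window with grep on the timestamp first; then compare the flagged paths with the `find` output to see which of them is an httpd-owned executable.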