
Re: [cobalt-users] Mail Bomb ... I'm stumped



--- Steve Werby <steve-lists@xxxxxxxxxxxx> wrote:
> "Ursula" <ursulasays@xxxxxxxxxxxx> wrote:
> > They weren't bounces, all were delivered to
> > httpd@localhost. They all had reply-tos @hotmail (real
> > accounts with storage exceeded bounces, or fake
> > accounts, doubling the problem).
> 
> Now I'm confused.  Do you really mean the To header, not the Reply-To
> header?  Otherwise there should be no bounce message problem on your end.

I meant they were received from httpd@localhost. The
To and Reply-To are the hotmail account. This is the
entire message, headers and all:

==start
Return-Path: <httpd>
Received: (from httpd@localhost)
        by my.server.name (8.10.2/8.10.2) id gAK8Dvl11788;
        Wed, 20 Nov 2002 19:13:57 +1100
Date: Wed, 20 Nov 2002 19:13:57 +1100
Message-Id: <200211200813.gAK8Dvl11788@xxxxxxxxxxxxxx>
To: twit_with_horns@xxxxxxxxxxx
Subject: Eat My Shit
From: eat_this@xxxxxxxxxxxxxxxxxxxx
Reply-To: eat_this@xxxxxxxxxxxxxxxxxxxx


How are you twit?
==end

The headers do suggest php is generating the email.

So far we know this:

1. grep found no .htaccess files with the AddType directive, and the
   access logs show nothing executable at the time
2. No hidden files were found when searching the whole server as you
   suggested
3. No executable files with user httpd were found outside of
   /home/sites/sitex/web
4. chkrootkit finds nothing

This does still leave open some possibilities, a
script of some sort with a time delay - it may even
remove itself when complete, or be removed by whoever
put it there when they're done with it. The most
vulnerable part of the server is the websites, so a
poorly configured or insecure php application is still
the most likely suspect. That doesn't completely rule
out a more sophisticated hack, but the odds of that
are much smaller.

I'm still looking for a cause. If I ever get to the
bottom of it I'll post the outcome.




=====

--

Ursula


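The clue the thread leans on is the first Received: line. Sendmail writes "(from httpd@localhost)" when a message is handed to the local sendmail binary by that Unix account, so the mail was submitted by something running as the web server (a PHP mail() call or a CGI) rather than arriving over SMTP. The script below, an added triage example that is not from the thread or from any Cobalt tool, pulls the injecting user, the sendmail queue id and the queue time out of a raw message, then looks in Apache access-log lines for script or POST requests close to that time, which is the correlation Ursula describes doing by hand. The message and log lines are constructed samples (the Received: header is the one quoted above, with addresses replaced by placeholders); the function names and the default web-server user name "httpd" are assumptions for the example.

```python
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: the headers quoted in the thread, with the
# folded "Received:" line kept as sendmail writes it and the addresses
# replaced by placeholders.
SAMPLE_MESSAGE = """\
Return-Path: <httpd>
Received: (from httpd@localhost)
        by my.server.name (8.10.2/8.10.2) id gAK8Dvl11788;
        Wed, 20 Nov 2002 19:13:57 +1100
Date: Wed, 20 Nov 2002 19:13:57 +1100
Message-Id: <200211200813.gAK8Dvl11788@my.server.name>
To: recipient@example.invalid
Subject: (constructed sample)
From: sender@example.invalid
Reply-To: sender@example.invalid

placeholder body
"""

# Constructed Apache common-log lines around the time the mail was queued.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [20/Nov/2002:19:11:02 +1100] "GET /index.html HTTP/1.0" 200 1432
203.0.113.7 - - [20/Nov/2002:19:13:49 +1100] "POST /formmail.php HTTP/1.0" 200 211
198.51.100.9 - - [20/Nov/2002:19:13:55 +1100] "GET /images/logo.gif HTTP/1.0" 200 8044
203.0.113.7 - - [20/Nov/2002:19:20:31 +1100] "GET /contact.php HTTP/1.0" 200 3301
"""

LOCAL_INJECT = re.compile(r"\(from\s+(\S+)@localhost\)")   # sendmail local submission
QUEUE_ID = re.compile(r"\bid\s+(\S+?);")                   # sendmail queue id
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SCRIPT_EXT = (".php", ".php3", ".cgi", ".pl")              # assumed server-side handlers


def summarize_headers(raw):
    """Extract the injecting local user, sendmail queue id and queue time."""
    msg = message_from_string(raw)
    # Join the folded header continuation lines into one string before matching.
    received = " ".join((msg.get("Received") or "").split())
    user = LOCAL_INJECT.search(received)
    qid = QUEUE_ID.search(received)
    return {
        "local_user": user.group(1) if user else None,
        "queue_id": qid.group(1) if qid else None,
        "queued_at": parsedate_to_datetime(msg["Date"]),
        "return_path": msg.get("Return-Path"),
    }


def web_injected(summary, web_user="httpd"):
    """True when the local sendmail binary was invoked by the web server's account."""
    return summary["local_user"] == web_user


def parse_access_log(text):
    """Parse common-log-format lines into dicts with timezone-aware timestamps."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ip, ts, method, path, status = m.groups()
        entries.append({
            "ip": ip,
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method,
            "path": path,
            "status": int(status),
        })
    return entries


def suspects_near(entries, when, window_seconds=60):
    """Requests within +/- window of the queue time that could have run server code."""
    lo, hi = when - timedelta(seconds=window_seconds), when + timedelta(seconds=window_seconds)
    hits = []
    for e in entries:
        if not (lo <= e["time"] <= hi):
            continue
        path_only = e["path"].split("?", 1)[0].lower()
        if path_only.endswith(SCRIPT_EXT) or e["method"] == "POST":
            hits.append(e)
    return hits


if __name__ == "__main__":
    summary = summarize_headers(SAMPLE_MESSAGE)
    print("submitted locally by:", summary["local_user"], "queue id:", summary["queue_id"])
    print("web server injected mail:", web_injected(summary))
    for hit in suspects_near(parse_access_log(SAMPLE_ACCESS_LOG), summary["queued_at"], 60):
        print(hit["time"].isoformat(), hit["ip"], hit["method"], hit["path"], hit["status"])
```

If the narrow window turns up nothing, widen it: a script that queues mail with a delay, the possibility raised in the post, would have been requested well before the sendmail timestamp, and the queue id in the Received: header is the same id that sendmail logs in /var/log/maillog, which gives a second timestamp to anchor on.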