Is someone spamming through me?
Rob Morin
rob at thehostmasters.com
Thu Apr 27 15:27:51 IST 2006
Some quick things you should check for.... it is possible for a bad
person to exploit that script and then install files on your server.
These files would be in /var/tmp or /tmp
These files would send out mass emails... the email lists would be
updated by the user as one of those scripts uses wget to retrieve new
spam lists and run those....
A very popular spammer is a guy that sends emails as or to
"cartoes at ocarteiro.com.br"
1st thing to do is....
Look for files with similar names as below in /tmp, /var/tmp or
whatever else you use as a tmp dir.
These files might also be in users' home dirs.......
These files will spam people pretending to be PayPal, and also just
plain old spamming for some website too...
drwxr-xr-x 5 root root 4096 Mar 2 16:43 .
drwxr-xr-x 43 root root 8192 Apr 10 09:10 ..
-rw-r--r-- 1 root root 29798 Mar 2 15:44 PAYpalHacks
-rw-r--r-- 1 root root 193643 Mar 1 11:00 Paypal-cgi-updates-HACK-SUPERCHUTEtar.gz
-rw-r--r-- 1 root root 18978 Mar 1 11:01 mailer-Superchute-Hack.tar.gz
drwxr-xr-x 6 www-data www-data 4096 Feb 27 15:19 redirect.paypal.com
-rw-r--r-- 1 vu2177 vu2177 121197 Feb 27 14:14 redirect.paypal.zip
-rw-r--r-- 1 vu2177 vu2177 16250 Mar 2 15:54 shell.php
And try to find any files that do not belong in those temp dirs....
2nd thing to do is simple, yet effective against any scripts that try
to retrieve files from the outside...
find the following files and do this....
chmod 700 each file
Some of these files might not be where they are on my Debian system, but
they should be there and chmoding them 700 will prevent anyone except
root from using them. It's important that you do this....
/usr/bin/lynx.stable
/usr/bin/netkit-ftp
/usr/bin/telnet.netkit
/usr/bin/ssh
/usr/bin/wget
Also go and get CHKrootKit at http://www.chkrootkit.org/
after installing it put it in a cronjob to run each hour..... make sure
you rename the file to something like blabla or the hacker might find it
and disable it if he gets on before it's run...
The above should keep you busy for a while....
Also please install modsecurity!
Have a great day!
Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444
Jody Cleveland wrote:
>> You aren't using one of the versions of formmail.php are you?
>> This had a bunch of holes in it at one time, and as I recall, the cgi
>> version was recommended as a replacement (or vice-versa).
>>
>> If you are, there is supposed to be a PHP script that is
>> better, although I haven't used it yet at
>>
>> http://www.leveltendesign.com/L10Apps/Fm/index.php
>>
>
> Aha! I am using an older version of that script from 1999. not sure if
> that's the culprit or not, but I'll definitely update that.
>
> Thanks for the tip!
>
> - jody
>
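The two checks Rob describes (look for files that do not belong in the temp dirs, and confirm the network-fetch tools are mode 700 so only root can run them) as a small read-only audit script. This is an added example, not code from the original post or from MailScanner; it assumes a GNU or busybox `stat -c`, a `find` that understands `-mindepth`/`-maxdepth`, that the suspicious names in the listing above are a reasonable indicator pattern, and that the web server runs as `www-data` or `apache` (the `WEB_ACCOUNTS` list is an assumption).

```shell
#!/bin/sh
# Added example, not from the original post or from MailScanner: a read-only audit
# that performs the two checks in the message above on a Debian-style mail host.
# Assumes GNU/busybox `stat -c` and a find with -mindepth/-maxdepth.

# Path fragments from the listing in the post; anything matching has no business in /tmp.
SUSPECT_PATTERN='paypal|superchute|mailer|shell\.php|PAYpalHacks'
# Accounts a PHP form-mail script would run as (assumption); files they own in /tmp
# deserve a look even when the name is innocent.
WEB_ACCOUNTS='www-data apache'

# list_suspect_files DIR: print regular files under DIR (two levels deep) whose path
# matches SUSPECT_PATTERN or which are owned by one of WEB_ACCOUNTS.
list_suspect_files() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 1 -maxdepth 2 -type f 2>/dev/null | while read -r f; do
        rel=${f#"$dir"/}
        owner=$(stat -c '%U' "$f" 2>/dev/null || echo unknown)
        if printf '%s\n' "$rel" | grep -Eiq "$SUSPECT_PATTERN"; then
            echo "SUSPECT name : $f (owner $owner)"
        else
            case " $WEB_ACCOUNTS " in
                *" $owner "*) echo "SUSPECT owner: $f (owner $owner)" ;;
            esac
        fi
    done
}

# count_suspect_files DIR: number of findings, handy for a cron job that mails on > 0.
count_suspect_files() {
    list_suspect_files "$1" | wc -l | tr -d ' '
}

# check_restricted TOOL...: report whether each tool that exists is mode 0700 (root
# only), as the post recommends. Returns 1 if any present tool is usable by non-root.
check_restricted() {
    rc=0
    for tool in "$@"; do
        [ -e "$tool" ] || continue
        mode=$(stat -c '%a' "$tool")
        if [ "$mode" = "700" ]; then
            echo "OK    $tool is mode $mode"
        else
            echo "LOOSE $tool is mode $mode -> chmod 700 $tool"
            rc=1
        fi
    done
    return $rc
}

# demo: run both checks against a constructed scratch directory so the output is
# deterministic; the file names are copied from the listing in the post, the two
# "fake-" tools stand in for /usr/bin/wget and /usr/bin/ssh.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/redirect.paypal.com"
    touch "$work/PAYpalHacks" "$work/mailer-Superchute-Hack.tar.gz" "$work/shell.php" \
          "$work/redirect.paypal.com/index.php" "$work/sess_harmless"
    touch "$work/fake-wget" "$work/fake-ssh"
    chmod 755 "$work/fake-wget"
    chmod 700 "$work/fake-ssh"
    echo "== files that do not belong under $work"
    list_suspect_files "$work"
    echo "== network tools (constructed copies, not the real binaries)"
    check_restricted "$work/fake-wget" "$work/fake-ssh" || echo "some tools are still usable by non-root"
    rm -rf "$work"
}
demo
```

On a real host, source the file and run `list_suspect_files /tmp`, `list_suspect_files /var/tmp` (and each home directory), then `check_restricted /usr/bin/wget /usr/bin/ssh /usr/bin/lynx.stable /usr/bin/netkit-ftp /usr/bin/telnet.netkit`; it only reads, so the `chmod 700` itself is still your decision, exactly as in the post.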