Is someone spamming through me?

Jody Cleveland Cleveland at winnefox.org
Thu Apr 27 19:19:59 IST 2006


Hello,

Thanks for all the great advice! I finished everything up to installing
modsecurity. I went into webmin to add chkrootkit to cron, and noticed
this:

apache 	 	Yes 	/tmp/ctemp/.dat/.kin/up2you >/dev/null 2>&1

I'm guessing that's the culprit? 

- jody

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> Of Rob Morin
> Sent: Thursday, April 27, 2006 9:28 AM
> To: MailScanner discussion
> Subject: Re: Is someone spamming through me?
> 
> Some quick things you should check for.... it is possible for a bad 
> person to exploit that script and then install files on your server. 
> These files would be in /var/tmp or /tmp
> 
> These files would send out mass emails... the email lists would be 
> updated by the user as one of those scripts uses wget to retrieve new 
> spam lists and run those....
> A very popular spammer is a guy that sends emails as or to 
> "cartoes at ocarteiro.com.br"
> 
> 1st thing to do is....
> 
> Look for files with similar names as below in /tmp /var/tmp or 
> whatever else you use as a tmp dir
> 
> These files might also be in users' home dir.......
> These files will spam people pretending to be PayPal, and also just 
> plain old spamming for some website too...
> 
> drwxr-xr-x   5 root     root       4096 Mar  2 16:43 .
> drwxr-xr-x  43 root     root       8192 Apr 10 09:10 ..
> -rw-r--r--   1 root     root      29798 Mar  2 15:44 PAYpalHacks
> -rw-r--r--   1 root     root     193643 Mar  1 11:00 Paypal-cgi-updates-HACK-SUPERCHUTEtar.gz
> -rw-r--r--   1 root     root      18978 Mar  1 11:01 mailer-Superchute-Hack.tar.gz
> drwxr-xr-x   6 www-data www-data   4096 Feb 27 15:19 redirect.paypal.com
> -rw-r--r--   1 vu2177   vu2177   121197 Feb 27 14:14 redirect.paypal.zip
> -rw-r--r--   1 vu2177   vu2177    16250 Mar  2 15:54 shell.php
> 
> And try to find any files that do not belong in those temp dirs....
> 
> 2nd thing to do is simple, yet effective against any scripts that try 
> to retrieve files from the outside...
> 
> find the following files and do this....
> chmod 700 each file
> 
> Some of these files might not be where they are on my Debian 
> system, but they should be there, and chmoding them 700 will prevent anyone 
> except root from using them. It's important that you do this....
> 
>  /usr/bin/lynx.stable
> 
>  /usr/bin/netkit-ftp
> 
>  /usr/bin/telnet.netkit
> 
>  /usr/bin/ssh
> 
>  /usr/bin/wget
> 
> Also go and get CHKrootKit at http://www.chkrootkit.org/
> 
> After installing it, put it in a cron job to run each hour..... 
> Make sure you rename the file to something like blabla or the hacker 
> might find it and disable it if he gets on before it's run...
> 
> The above should keep you busy for a while....
> 
> Also please install modsecurity!
> 
> Have a great day!
> 
> Rob Morin
> Dido InterNet Inc.
> Montreal, Canada
> http://www.dido.ca
> 514-990-4444
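The checks Rob lists (odd files in the temp dirs, download tools still usable by the web server account) and the cron entry Jody found can be scripted so they run from cron alongside chkrootkit. The script below is an added example for this thread, not code from either poster or from the MailScanner project. The sample crontab text, the temp directory names, the "apache" account and the tool paths are assumptions constructed for illustration, not captures from Jody's server. One caveat on the chmod 700 advice: it only slows down an attacker who already runs code as the web user, since perl, php or a raw socket can fetch files just as well as wget, so treat the mode check as a tripwire that tells you something was changed back, not as a fix.

```shell
#!/bin/sh
# Added example (not from the original posts): audit helpers for the checks
# discussed in the thread. Sample data and paths below are assumptions.

TMP_DIRS="/tmp /var/tmp"
# Download/remote tools the thread suggests restricting to root (assumed paths).
TOOLS="/usr/bin/wget /usr/bin/lynx /usr/bin/ftp /usr/bin/telnet /usr/bin/ssh"

# 1. Per-user crontab lines (output of "crontab -u USER -l" on stdin) whose
#    command lives under a temp dir or inside a hidden directory, like the
#    /tmp/ctemp/.dat/.kin/up2you entry. Prints offenders; returns 1 if any.
suspicious_cron() {
    found=0
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        # strip the schedule: one field for @hourly-style lines, five otherwise
        cmd=$(printf '%s\n' "$line" | awk '{ n = ($1 ~ /^@/) ? 1 : 5
                                          for (i = 1; i <= n; i++) $i = ""
                                          sub(/^ +/, ""); print }')
        case "$cmd" in
            */tmp/*|*/.[!./]*) printf 'SUSPECT cron: %s\n' "$line"; found=1 ;;
        esac
    done
    return "$found"
}

# 2a. Dot-named entries anywhere under the given dirs (spam kits hide in names
#     like .dat/.kin). Prints paths; returns 1 if any exist. Expect a few
#     legitimate hits such as /tmp/.X11-unix on a desktop box.
hidden_in_tmp() {
    out=$(find "$@" -mindepth 1 -name '.*' 2>/dev/null)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# 2b. Everything under the given dirs owned by one account; a web shell drops
#     files as the web server user. Usage: owned_by apache /tmp /var/tmp
owned_by() {
    u=$1; shift
    find "$@" -mindepth 1 -user "$u" 2>/dev/null
}

# 3. Tools still usable by group or other (anything other than mode 0700).
#    Parses "ls -ld" so it works on GNU and BSD userlands. Returns 1 if any.
group_other_usable() {
    bad=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        go=$(ls -ld "$f" | cut -c5-10)   # the group and other permission bits
        case "$go" in
            *[rwxsStT]*) printf 'OPEN: %s (%s)\n' "$f" "$(ls -ld "$f" | cut -c1-10)"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample of what "crontab -u apache -l" might show, with one entry
# shaped like the one from the thread (not a capture from a real system).
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/updatedb
*/5 * * * * /tmp/ctemp/.dat/.kin/up2you >/dev/null 2>&1
@hourly /var/www/.cache/.s/mailer'

if printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron; then
    echo "no suspect cron entries in sample"
fi

# On a live box, as root, the same functions run against the real system:
#   for u in $(cut -d: -f1 /etc/passwd); do
#       crontab -u "$u" -l 2>/dev/null | suspicious_cron
#   done
#   hidden_in_tmp $TMP_DIRS
#   owned_by apache $TMP_DIRS
#   group_other_usable $TOOLS
```

Run from an hourly cron job of its own (under an unremarkable name, as Rob suggests for chkrootkit) and mail yourself anything it prints; each function exits non-zero when it finds something, so the job can also chain into whatever alerting is already in place.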

