Is someone spamming through me?

Rob Morin rob at thehostmasters.com
Thu Apr 27 19:34:44 IST 2006


There ya go... lots of bad scripts name their files and folders with "." 
in them, that's probably the guy... what's in the file?

Rob Morin
Dido InterNet Inc.
Montreal, Canada
Http://www.dido.ca
514-990-4444



Jody Cleveland wrote:
> Hello,
>
> Thanks for all the great advice! I finished everything up to installing
> modsecurity. I went into webmin to add chkrootkit to cron, and noticed
> this:
>
> apache 	 	Yes 	/tmp/ctemp/.dat/.kin/up2you >/dev/null 2>&1
>
> I'm guessing that's the culprit? 
>
> - jody
>
>   
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info 
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
>> Of Rob Morin
>> Sent: Thursday, April 27, 2006 9:28 AM
>> To: MailScanner discussion
>> Subject: Re: Is someone spamming through me?
>>
>> Some quick things you should check for.... it is possible for a bad 
>> person to exploit that script and then install files on your server. 
>> These files would be in /var/tmp or /tmp
>>
>> These files would send out mass emails... the email lists would be 
>> updated by the user as one of those scripts uses wget to retrieve new 
>> spam lists and run those....
>> A very popular spammer is a guy that sends emails as or to  
>> "cartoes at ocarteiro.com.br"
>>
>> 1st thing to do is....
>>
>> Look for files with similar names as below in /tmp /var/tmp or 
>> whatever else you use as a tmp dir
>>
>> These files might also be in users' home dirs.......
>> These files will spam people pretending to be PayPal, and also just 
>> plain old spamming for some website too...
>>
>> drwxr-xr-x   5 root     root       4096 Mar  2 16:43 .
>> drwxr-xr-x  43 root     root       8192 Apr 10 09:10 ..
>> -rw-r--r--   1 root     root      29798 Mar  2 15:44 PAYpalHacks
>> -rw-r--r--   1 root     root     193643 Mar  1 11:00 
>> Paypal-cgi-updates-HACK-SUPERCHUTEtar.gz
>> -rw-r--r--   1 root     root      18978 Mar  1 11:01 
>> mailer-Superchute-Hack.tar.gz
>> drwxr-xr-x   6 www-data www-data   4096 Feb 27 15:19 
>> redirect.paypal.com
>> -rw-r--r--   1 vu2177   vu2177   121197 Feb 27 14:14 
>> redirect.paypal.zip
>> -rw-r--r--   1 vu2177   vu2177    16250 Mar  2 15:54 shell.php
>>
>> And try to find any files that do not belong in those temp dirs....
>>
>> 2nd thing to do is simple , yet effective against any scripts 
>> that try 
>> to retrieve files from the outside...
>>
>> find the following files and do this....
>> chmod 700 each file
>>
>> Some of these files might not be where they are on my Debian 
>> system, but 
>> they should be there and chmoding them 700 will prevent anyone except 
>> root from using them. It's important that you do this....
>>
>>  /usr/bin/lynx.stable
>>
>>  /usr/bin/netkit-ftp
>>
>>  /usr/bin/telnet.netkit
>>
>>  /usr/bin/ssh
>>
>>  /usr/bin/wget
>>
>> Also go and get CHKrootKit at http://www.chkrootkit.org/
>>
>> after installing it put it in a cronjob to run each hour..... 
>> make sure 
>> you rename the file to something like blabla or the hacker 
>> might find it 
>> and disable it if he gets on before it's run...
>>
>> The above should keep you busy for a while....
>>
>> Also please install modsecurity!
>>
>> Have a great day!
>>
>> Rob Morin
>> Dido InterNet Inc.
>> Montreal, Canada
>> Http://www.dido.ca
>> 514-990-4444
>>     



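The three checks in Rob's list (walk the temp dirs for things that do not belong, see whether the web-server user's cron runs anything out of /tmp, and confirm the download tools are no longer executable by everyone) can be scripted. The helpers below are an added example, not code from the list post, written as POSIX shell. The sample tree and crontab they build are constructed to mirror the listing and the webmin cron entry quoted above; the name and permission heuristics are my own assumptions about what a mailer kit looks like, not a substitute for chkrootkit.

```shell
#!/bin/sh
# Triage helpers for the checks in the thread: suspicious entries under the
# temp directories, cron jobs that execute out of /tmp or /var/tmp, and
# download tools still executable by everyone. Added example, not from the
# list post; the sample tree and crontab below are constructed.

# Print hidden (dot-named) entries, executable regular files, and files with
# web-script or archive names under the given directories. Each is unusual
# for a legitimate temp file and matches the kinds of names in Rob's listing
# (.dat/.kin, shell.php, *.tar.gz, *.zip). Heuristic, not a rootkit check.
find_suspect_tmp_entries() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -mindepth 1 -name '.*' 2>/dev/null
        find "$d" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) 2>/dev/null
        find "$d" -type f \( -name '*.php' -o -name '*.pl' -o -name '*.cgi' \
            -o -name '*.tar.gz' -o -name '*.zip' \) 2>/dev/null
    done | sort -u
}

# Given a crontab listing (e.g. saved output of "crontab -l -u apache"),
# print the non-comment jobs whose command path starts in /tmp/ or /var/tmp/.
# A web-server user should normally have no such jobs at all.
cron_jobs_from_tmp() {
    grep -v '^[[:space:]]*#' "$1" | grep -E '(^|[[:space:]])/(var/)?tmp/'
    return 0
}

# Print, from the given paths, the tools that are still executable by
# "other". After "chmod 700" on each of them the list should be empty.
world_executable_tools() {
    for f in "$@"; do
        [ -e "$f" ] && find "$f" -maxdepth 0 -perm -o+x
    done
    return 0
}

# Constructed sample tree mimicking the thread's findings; prints its path.
make_sample_tmp() {
    base=$(mktemp -d)
    mkdir -p "$base/ctemp/.dat/.kin"
    printf '#!/bin/sh\nexit 0\n' > "$base/ctemp/.dat/.kin/up2you"
    chmod 755 "$base/ctemp/.dat/.kin/up2you"
    printf '<?php\n' > "$base/shell.php"
    chmod 644 "$base/shell.php"
    printf 'a|b\n' > "$base/sess_abc123"      # an ordinary PHP session file
    chmod 600 "$base/sess_abc123"
    echo "$base"
}

# Constructed crontab in "crontab -l" format; prints its path.
make_sample_crontab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/bin/find /var/tmp -mtime +7 -delete
*/5 * * * * /tmp/ctemp/.dat/.kin/up2you >/dev/null 2>&1
EOF
    echo "$f"
}

# Stand-alone run against the constructed data. On a live host use the real
# directories and crontab instead: find_suspect_tmp_entries /tmp /var/tmp;
# crontab -l -u apache > /root/apache.cron; cron_jobs_from_tmp /root/apache.cron
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tmp); c=$(make_sample_crontab)
    echo "== suspect temp entries"; find_suspect_tmp_entries "$t"
    echo "== cron jobs from tmp";   cron_jobs_from_tmp "$c"
    echo "== world-executable tools"; world_executable_tools /usr/bin/wget /usr/bin/ssh
    rm -rf "$t" "$c"
fi
```

Run it with `sh triage.sh --demo` to see the constructed hits; the cleanup job on line two of the sample crontab is deliberately not flagged, since it only names /var/tmp as an argument rather than running a program from it.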