Re: Still after the apache spammer, more info

From: Mungo (reallydontmail_at_me.com)
Date: 04/26/05


Date: Tue, 26 Apr 2005 05:39:04 GMT

Ohmster <notareal@emailaddress.com> wrote in
news:Xns9643E40BDC60BMyBigKitty@216.77.188.18:

> 3 FQDNs, running apache with 3 virtual hosts for the domains. Running
> phpbb 2.0.6 (Can email and coppermine photo gallery 1.2.1 (Can email

Example of how they could have gotten in and where your box could be:
 
If you check www.securityfocus.com/bid vendor=phpbbgroup title=phpbb and
version=2.0.6 you see about 40 vulnerabilities. If all of the patches are
not in place, 2.0.6 is not only an older version, but also an insecure one.
Unpatched phpBB has been a very easy and popular target for the kiddies to
crack.

Now, if they achieved local privileges on an unpatched RH 9 box and were
halfway clever, they probably did a local crack and achieved root
privileges. If they got root privileges, kiss any credit card, bank account
or personal information on your PC away. They could have also installed one
of a number of effective keystroke loggers being passed around on IRC.

To the spam point. The spam coming out of your machine is being sent
through bellsouth's smtp servers (relay=mail.bellsouth.net). This is the
worst of spam cases, since all except the most draconian blocklists will
not block bellsouth's servers. As a result, the spammer achieves a 100%
delivery rate.

Now, most ISPs won't get too excited over complaints about a small amount
of spam from a trojanned box. However, if they get a lot of spam complaints
because the spammer is using your box to send spam from their smtp server,
chances are very, very high that your account will be quickly and
permanently pulled.

> I do use samba sometimes to work on web stuff because it is easy to open
> files with Dreamweaver when I have a samba share and can copy files back

Make sure the Windows box is clean. Unless you have kept the windows box
updated and have a good antivirus and spyware protection, it may also be
affected with malware or a trojan. If someone got into the Linux box then
they would have at least some access to the windows PC.

Finding the program sending spam in your PC is intellectually interesting,
but doing it while connected to the net is dangerous. Spamlists are usually
dynamically loaded, which means that the spammer has set up open access to
your system. That makes it much more difficult to find and fix.

If I were you I would (more or less in order):
    assume the worst has happened both to the PC and your private data
    remove the box from the net
    back up non-executable data on a CDROM
    buy a copy of RH Enterprise (or get the free Centos or Whitebox
      versions)
    buy a new hard disk, install the Linux system on it WITH THE WINDOWS
      BOX DISCONNECTED. Save the old hard disk for forensic analysis later.
    set up iptables to allow only the services you need
    reconnect to the net
    update your new operating system with up2date before proceeding
      further
    carefully examine the windows box until you have removed any malware,
      viruses and trojans
    reconnect the windows box with limited (read permissions) samba
      service
    use only scp to transfer files from the windows box to the linux box
      in the future unless you keep the windows box religiously clean.

 
Here's an irrelevant side note:

On the subject of "new" hard disks, they often contain reclaimed parts from
RMAs. I won't mention which vendors do this, but there are at least two
well known manufacturers who recycle good parts from infant mortality
returns. In a corporate environment, always wipe new disks so the new user
does not have responsibility for illicit material (porn, etc) which they
did not put on their PC. Also a good idea for home users.
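Editor's added example (not part of Mungo's post): a small sh/awk script for the maillog point above. Run it against the /var/log/maillog copied off the old disk, not on the live box. For each message sendmail handed to an upstream relay it records the controlling local user (ctladdr) and the relay name, and counts them; if the web server's unix user (apache on Red Hat, uid 48) is behind most of the relayed mail, the spam is coming out of a web application such as the unpatched phpBB rather than from a shell account. The host name, queue ids, addresses and the relay IP (192.0.2.25, a documentation address) in the sample lines are all constructed.

```shell
#!/bin/sh
# Added example, not from the original post: summarize the saved
# sendmail maillog of a compromised box by (controlling user, relay).

# Constructed sample maillog lines (host, queue ids, addresses and the
# relay IP are made up). The last line is a "from=" entry, which carries
# no mailer=relay and must be ignored by the summary.
SAMPLE_MAILLOG=$(cat <<'EOF'
Apr 26 05:39:04 kitty sendmail[4321]: j3Q5d4Ab004321: to=<aaa@example.net>, ctladdr=<apache@kitty.example.org> (48/48), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30351, relay=mail.bellsouth.net. [192.0.2.25], dsn=2.0.0, stat=Sent (Ok: queued)
Apr 26 05:39:05 kitty sendmail[4323]: j3Q5d5Ac004323: to=<bbb@example.net>, ctladdr=<apache@kitty.example.org> (48/48), delay=00:00:01, xdelay=00:00:00, mailer=relay, pri=30352, relay=mail.bellsouth.net. [192.0.2.25], dsn=2.0.0, stat=Sent (Ok: queued)
Apr 26 05:39:06 kitty sendmail[4325]: j3Q5d6Ad004325: to=<ccc@example.org>, ctladdr=<apache@kitty.example.org> (48/48), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30353, relay=mail.bellsouth.net. [192.0.2.25], dsn=2.0.0, stat=Sent (Ok: queued)
Apr 26 05:39:07 kitty sendmail[4327]: j3Q5d7Ae004327: to=<ddd@example.com>, ctladdr=<apache@kitty.example.org> (48/48), delay=00:00:02, xdelay=00:00:01, mailer=relay, pri=30354, relay=mail.bellsouth.net. [192.0.2.25], dsn=2.0.0, stat=Sent (Ok: queued)
Apr 26 06:02:11 kitty sendmail[4402]: j3Q62BAf004402: to=<friend@example.com>, ctladdr=<mungo@kitty.example.org> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30410, relay=mail.bellsouth.net. [192.0.2.25], dsn=2.0.0, stat=Sent (Ok: queued)
Apr 26 06:02:12 kitty sendmail[4404]: j3Q62CAg004404: from=<mungo@kitty.example.org>, size=410, class=0, nrcpts=1, msgid=<200504260602.j3Q62CAg004404@kitty.example.org>, relay=mungo@localhost
EOF
)

# Reads maillog lines on stdin. For every delivery that went through an
# upstream relay (mailer=relay) pull out ctladdr=<user@host> and
# relay=name, count the pairs and print "count ctladdr relay", busiest first.
summarize_relayed_mail() {
  awk '
    /mailer=relay/ {
      ctl = "?"; rly = "?"
      if (match($0, /ctladdr=<[^>]*>/)) ctl = substr($0, RSTART + 9, RLENGTH - 10)
      if (match($0, /relay=[^ ,]*/))     rly = substr($0, RSTART + 6, RLENGTH - 6)
      sub(/\.$/, "", rly)   # sendmail logs the relay FQDN with a trailing dot
      n[ctl " " rly]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -rn
}

# Reads maillog lines on stdin; exit 0 if the unix user named in $1
# (e.g. apache) is the controlling user of any relayed message.
web_user_relaying() {
  summarize_relayed_mail | grep -q "^[0-9][0-9]* $1@"
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_MAILLOG" | summarize_relayed_mail
```

On a real log the first line of the summary tells you which local account to chase; when it is the web server's user, the sending program lives under the document root or in /tmp, world-writable directories being where PHP-based droppers usually land.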

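Editor's added example (not part of Mungo's post) for the "set up iptables to allow only the services you need" and "limited samba" steps of the rebuild list: a sh function that writes a default-deny ruleset in iptables-restore format, the format RH keeps in /etc/sysconfig/iptables. Everything inbound is dropped except loopback, replies to connections the box opened, ping, the listed public TCP ports, and the Samba TCP ports from one LAN address only (the Windows box). The port lists and the address 192.168.1.10 are assumptions for illustration; the state match is what the 2.4 kernel of RH 9 shipped with.

```shell
#!/bin/sh
# Added example, not from the original post: emit a default-deny
# iptables ruleset and a check that no LAN-only port leaked to the world.

# $1: space-separated TCP ports open to the world (e.g. "22 80")
# $2: the single LAN address allowed to reach the ports in $3
# $3: space-separated TCP ports open only to $2 (e.g. "139 445" for Samba)
build_ruleset() {
  public_ports=$1; lan_host=$2; lan_ports=$3
  echo '*filter'
  echo ':INPUT DROP [0:0]'        # default deny on the way in
  echo ':FORWARD DROP [0:0]'      # this box is not a router
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
  for p in $public_ports; do
    echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  for p in $lan_ports; do
    echo "-A INPUT -s $lan_host -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  # rate-limited log of whatever falls through to the DROP policy
  echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "'
  echo 'COMMIT'
}

# Reads a ruleset on stdin; exit 0 if TCP port $1 is accepted from any
# source, i.e. with no -s restriction in front of it.
port_open_to_all() {
  grep -q "^-A INPUT -p tcp --dport $1 "
}

# Usage on the rebuilt box (assumed addresses and paths):
#   build_ruleset "22 80" 192.168.1.10 "139 445" > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
build_ruleset "22 80" 192.168.1.10 "139 445"
```

Load the file with iptables-restore before plugging the network back in, then confirm from the Windows box that the share still opens and from anywhere else that 139/445 time out; only after that bring up2date over port 80/443, which the OUTPUT ACCEPT policy and the ESTABLISHED rule already allow.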

