Re: sendmail compromised - Somebody help me!
From: Ohmster (notareal_at_emailaddress.com)
Date: 04/27/05
- Previous message: Robert Glueck: "Re: Firewall hits passing through a NAT router - How does that work?"
- In reply to: Bev A. Kupf: "Re: sendmail compromised - Somebody help me!"
- Next in thread: Newsbox: "Re: sendmail compromised - Somebody help me!"
- Reply: Newsbox: "Re: sendmail compromised - Somebody help me!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 27 Apr 2005 01:41:23 GMT
"Bev A. Kupf" <bevakupf@myhome.net> wrote in
news:slrnd6tn8p.i7a.bevakupf@myhome.net:
> On Tue, 26 Apr 2005 23:45:16 GMT,
> Ohmster (notareal@emailaddress.com) wrote:
>
> There are two ways for you to take advice from professionals in the
> field. The first is to consider that the opinion offered _may_ just
> be a well considered opinion, especially if it comes from more than
> one source.
I got quite a bit of good advice. Searching through the apache logs for
files that can email and are being used more often than should be. I got
a great tip from Jem to use lsof to snap a list of open files when the
incident occurs. Got advice about tripwire and it is installed, but I am
not sure if that would be of much help now. The barn door and all. Mike
sent me a detailed pdf file, analysis of the security, some of it pretty
scary, some quite minor. I appreciate it and am working on "the list". Got
tips about phpbb2 from Michael from bugtraq. All really good advice, all
helpful, either now or for future consideration. There were a few that
insisted that the box come offline, without any reasonable expectation of
getting it back online again. That really was not helpful. I use this
server every day for work and cannot simply take it down like that.
> The second is to throw a hissy-fit. The facts are that _your_
> incompetence led to _your_ box possibly being compromised. As a
> sysadmin, it's _your_ job to keep your box current with whatever
> patches are offered for your system.
Hissy fit? Ma'am, I made it clear that I could not take the box offline
for an extended period, but could do things now like shutdown sendmail,
as that seems to be a threat to others and myself. I will listen to any
other reasonable suggestions that do not bring down the servers, even
removing the formmail pages. How many times must one stress the same
point, about taking down the servers, only to have it ignored and to
request that the box be taken offline indefinitely and immediately? I was
frustrated, that is all. The "hissy fit" was directed at no one in
particular and I made it very clear that it was not directed at you, Bev,
unless you misunderstood "Not helpful, not appreciated, not wanted, save
your breath." to be a personal attack. It was not. I meant "save your
breath for something important like breathing" other than to repeat the
same advice that I cannot take in its entirety and had already made
quite clear, several times.
> Let's say that your box is used to launch attacks on several other
> boxes. Is it right that someone else has to spend their time
> (minimally) redesigning a firewall, because _you_ were incompetent?
Of course not, that is why I shut down sendmail and stopped it from
starting at boot time. The "attacks" of spam are a result of some
security issue with a formmail exploit of apache. I cannot shut down
apache or take the box down for days, weeks, or longer, but I can stop
sendmail and the spam will cease because of it, until I can find the real
root of the formmail exploits. I even ran a chkrootkit to be sure as was
suggested from the professionals. ...again with the "incompetent" word?
> And btw, I've cut most of your rant out, but no one has suggested
> that you throw the box out. Now a sensible sysadmin would have
> a backup of all the data. And it would take less than a day to
> reload a _secure_ operating system, and then restore the data from
> backup (we are after all talking about a single box here). But
> everything that you've displayed of yourself here indicates that
> sense is something that doesn't come easily for you. So, of
> course you don't have any backups.
Uh, yeah, I have the data backed up on the original hard disks. The /home
disk and the /, swap, and /boot partitions are on a second disk, this was
just done recently and the data is there. The data is not so "mission
critical" that I need daily backups of it. It took me a long time to get
this system running like it is, I could not install and configure
everything for a new system in a day. There is firewall and NAT, there
are a few mysql databases, there is the web server and virtual hosts,
there is samba and shares, there are personal and custom tweaks. I could
install a new distro and get it running in a day though, but I would have
to re-install and re-configure everything to work as it did for a new
distro and that could not be done in a day, at least by me, I am not a
professional at this, but I do enjoy it. It is difficult to be
"incompetent" when one claims no excellence in the first place. Yes, I
have the backup that I need.
> You came here for advice. Whether you take what is offered to you
> or not is your choice. Too bad you don't like tough medicine if
> that's what is called for.
Tough medicine? Look, I came here to root out an apache formmail exploit,
you were the one that actually directed me here. I got good medicine.
That kind of "tough medicine" might be called for in your book, had I
discovered a serious security flaw in the chkrootkit, I would have taken
the box down. I won't run a compromised box where I know that root access
has been compromised, that would be just plain foolish. There is no
indication of that level of compromise. Just a non-privileged daemon
mailing out spam from a formmail exploit. Yeah it bites the big one and
all but it can be contained until something can be done to make it more
secure.
> You've been given other advice. Find out which scripts are being
> accessed repeatedly from Apache's access_log. Did you do that?
Sure, searching through the logs for files accessible to apache that can
email was good advice. But there is over a hundred megs of text logs.
That is a lot of searching. I tried but got bleary eyed trying. Dave
showed me how to use regex in grep to help with the searching. Maybe I am
not searching properly but I am working on refining the search. It will
take a while though. Sendmail is shut down in the meantime.
> Heck, no. Put plainly, you're _incompetent_. And stupidity is
> its own reward.
Again with that word. If I came here claiming to be a professional
sysadmin, then you could probably say "incompetent" and you would be
right. I never said that. I am a casual linux user and I learn more as
time passes. I set up and use the servers on my linux machine and I need
them. I am very sad that there is a formmail exploit on my system because
I really do need the servers. I never insulted you personally, Bev, and
took the time to say this in my "hissy fit". I did not come here to
exchange insults, I just wanted some tips or pointers in the right
direction. I got some, by some very well meaning, professional
individuals. The problem is not solved yet but I have things to work on
now. I do believe that you were the one to point out that this is a
formmail exploit in the first place. What is the point in swapping
insults? I am sure you are competent enough to do your job and I
appreciate your time.
> Beverly
-- ~Ohmster ohmster at newsguy dot com
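The access_log triage recommended in this thread (find which server-side scripts are being POSTed to repeatedly, then read those scripts for mail-sending code), worked through as an added example that is not part of the original posts: it parses Apache common/combined-format lines, counts POSTs per script path and ranks the posting client IPs. The sample log lines, the POST threshold and the `.pl/.cgi/.php` extension heuristic are constructed assumptions, not values from the thread.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Server-side scripts that could act as mailers; a heuristic, not a definitive list.
SCRIPT_RE = re.compile(r'\.(pl|cgi|php)$', re.IGNORECASE)

def parse_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # strip the query string
    return rec

def find_abused_scripts(lines, threshold=5):
    """Count POSTs per script path and return those hit at least `threshold` times,
    with the top posting client IPs, so the busiest form handlers surface first."""
    hits, by_ip = Counter(), defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not SCRIPT_RE.search(rec["path"]):
            continue
        hits[rec["path"]] += 1
        by_ip[rec["path"]][rec["ip"]] += 1
    return {path: {"hits": n, "top_ips": by_ip[path].most_common(3)}
            for path, n in hits.items() if n >= threshold}

# Constructed sample log lines (TEST-NET addresses), not taken from the original thread.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Apr/2005:23:01:07 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
203.0.113.5 - - [26/Apr/2005:23:01:09 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
203.0.113.5 - - [26/Apr/2005:23:01:11 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
198.51.100.9 - - [26/Apr/2005:23:02:40 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512
203.0.113.5 - - [26/Apr/2005:23:03:02 +0000] "POST /cgi-bin/formmail.pl?recipient=x HTTP/1.0" 200 512
192.0.2.77 - - [26/Apr/2005:23:05:13 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.77 - - [26/Apr/2005:23:05:20 +0000] "POST /contact.php HTTP/1.1" 200 300
this line is garbage and should be skipped
"""

if __name__ == "__main__":
    for path, info in find_abused_scripts(SAMPLE_LOG.splitlines(), threshold=3).items():
        print(f"{path}: {info['hits']} POSTs, top clients {info['top_ips']}")
```

On a real 100 MB access_log, pass `open("/var/log/httpd/access_log")` as `lines` and raise `threshold`; the ranked paths are the scripts to read first and, if they send mail, to restrict or remove.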