Security Basics mailing list archives
auditing a system used for spamming
From: Roger D Vargas <roger () ehtsc co cu>
Date: Tue, 11 Aug 2009 19:10:48 -0400
A couple of weeks ago I received the task of auditing a system that was being used to send spam. It was a Fedora 6, and the only way to access it was via ssh. After a quick revision I found that it was using qmail as MTA and it was properly configured to avoid relay. According to a mail from tech support, the process invoking sendmail to send spam was apache, and several files with attributes set to 777 were found in the web directories. They also ran anti-rootkit tests that gave negative results. The system worked mostly as a web server, hosting several sites made with Joomla.

I checked the http logs carefully, but I couldn't find any suspicious activity matching the time of the spam mails. I also got a list of all apache-owned files in the web directories, and later noticed that I should have extended the search to the whole system, as the script used for spam could be hidden in /tmp or something, but after a couple of days I was getting tired of the job of fixing a poorly secured system and auditing a second one for just 50 dollars, and I quit.

After this long story, my point is: I still don't know if I missed some step to find the breach or if there was a better method to detect and disable the mailing script. Can somebody give me an idea about how to deal with such cases?

-- 
Roger D. Vargas
Using Gentoo Linux 2008.0, Ogre 1.6.2, fglrx
Powered by Celeron D 2.8 Ghz, 2Gb RAM, Radeon HD4770
Currently working on: Testing dotScene format
http://dsgp.blogspot.com
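The log-correlation step the post describes (matching web requests against the times the spam was sent), as an added example that is not from the original thread. The access-log lines and the send times are constructed; the send times are supplied as a plain list because the post does not show qmail's log format.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format lines (not from the post).
ACCESS_LOG = """\
10.0.0.5 - - [11/Aug/2009:19:10:40 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Aug/2009:19:10:45 -0400] "POST /images/stories/upload.php HTTP/1.1" 200 12 "-" "-"
10.0.0.5 - - [11/Aug/2009:19:12:01 -0400] "GET /components/com_content/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Aug/2009:19:20:02 -0400] "POST /images/stories/upload.php HTTP/1.1" 200 12 "-" "-"
"""

# Constructed send times copied from the mail log into Apache's timestamp format.
SPAM_SENT = ["11/Aug/2009:19:10:48 -0400", "11/Aug/2009:19:20:05 -0400"]

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')


def parse_access_log(text):
    """Parse combined-format lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            entries.append(e)
    return entries


def requests_near(entries, sent_times, window=timedelta(seconds=30)):
    """Return (request, send_time) pairs for requests made within `window` before a send."""
    hits = []
    for sent in (datetime.strptime(s, TS_FMT) for s in sent_times):
        for e in entries:
            if timedelta(0) <= sent - e["ts"] <= window:
                hits.append((e, sent))
    return hits


def rank_suspects(hits):
    """Count, per method+path, how many distinct spam sends it precedes; highest first."""
    seen = {}
    for e, sent in hits:
        seen.setdefault((e["method"], e["path"]), set()).add(sent)
    ranked = sorted(((k, len(v)) for k, v in seen.items()), key=lambda kv: (-kv[1], kv[0]))
    return [(f"{m} {p}", n) for (m, p), n in ranked]
```

A path that is hit shortly before several separate sends (here the POST to a script under an upload directory) is the one to inspect on disk; if nothing lines up, widen `window` before concluding the mailer is not web-triggered.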