Security Basics mailing list archives

Re: auditing a system used for spamming


From: Chris Firth <lists () 100mb com au>
Date: Fri, 14 Aug 2009 00:05:39 +0800

        It was a Fedora 6, and the only way to access
        it was via ssh.

As I read on it seems as though it allowed HTTP too. Did it also allow FTP? I have regularly seen compromised FTP credentials which result in a "Dark Mailer" perl script being uploaded and executed, and then deleted shortly after. If the system does run an FTP server, check the logs and see if anything has been uploaded and deleted.

Are there any contact forms on the site? Is it possible that they have been exploited?

That's a couple of things I can think of off the top of my head.



On 12/08/2009, at 7:10 AM, Roger D Vargas wrote:

A couple of weeks ago I received the task of auditing a system that was
being used to send spam. It was a Fedora 6, and the only way to access
it was via ssh. After a quick revision I found that it was using qmail as
MTA and it was properly configured to avoid relay. According to a mail
from tech support, the process invoking the sendmail to send spam was
apache and several files with attributes set to 777 were found in the
web directories. They also ran anti-rootkit tests that gave negative
results.
The system worked mostly as a web server, hosting several sites made with
Joomla. I checked carefully the http logs, but I couldn't find any
suspicious activity matching the time of the spam mails. I also got a
list of all apache owned files in web directories, and later noticed
that I should have extended the search to the whole system as the script used
for spam could be hidden in /tmp or something, but after a couple of
days I was getting tired of the job of fixing a poorly secured system
and auditing a second one for just 50 dollars and I quit.
After this long story, my point is: I still don't know if I missed some
step to find the breach or if there was a better method to detect and
disable the mailing script. Can somebody give me an idea about how to
deal with such cases?

--
Roger D. Vargas
Using Gentoo Linux 2008.0, Ogre 1.6.2, fglrx
Powered by Celeron D 2.8 GHz, 2 GB RAM, Radeon HD4770
Currently working on: Testing dotScene format
http://dsgp.blogspot.com
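Two of the checks raised in this thread can be scripted rather than done by eye: Chris's "was anything uploaded over FTP and then deleted shortly after" check, and Roger's attempt to line up the Apache access log with the times the spam left the box. The script below is an added example, not code from either poster. The log lines it parses are constructed samples in vsftpd.log and Apache combined-log format (the spam send times stand in for whatever tech support reported); the regexes are written for those two formats and are an assumption about what the real logs look like, so adjust them for xferlog or a custom LogFormat.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# --- Constructed sample logs (not taken from the original thread) ---------------
# vsftpd-style log: an upload followed by a delete of the same path a few minutes
# later is the drop-run-remove pattern described for a "Dark Mailer" script.
VSFTPD_LOG = """\
Thu Aug 13 22:14:01 2009 [pid 2] [joomlauser] OK LOGIN: Client "203.0.113.5"
Thu Aug 13 22:14:09 2009 [pid 3] [joomlauser] OK UPLOAD: Client "203.0.113.5", "/public_html/images/stories/dm.pl", 41273 bytes, 120.55Kbyte/sec
Thu Aug 13 22:14:20 2009 [pid 3] [joomlauser] OK UPLOAD: Client "203.0.113.5", "/public_html/images/stories/logo.png", 9012 bytes, 88.10Kbyte/sec
Thu Aug 13 22:31:44 2009 [pid 3] [joomlauser] OK DELETE: Client "203.0.113.5", "/public_html/images/stories/dm.pl"
"""

# Apache combined-format access log covering the same evening (constructed).
ACCESS_LOG = """\
203.0.113.5 - - [13/Aug/2009:22:40:02 +0800] "POST /images/stories/dm.pl HTTP/1.1" 200 212 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Aug/2009:22:40:10 +0800] "GET /index.php HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Aug/2009:22:52:33 +0800] "GET /index.php?option=com_content HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Aug/2009:23:05:17 +0800] "POST /images/stories/dm.pl HTTP/1.1" 200 212 "-" "Mozilla/4.0"
"""

# Times at which the MTA handed off spam, as tech support would report them (constructed).
TZ = timezone(timedelta(hours=8))
SPAM_TIMES = [
    datetime(2009, 8, 13, 22, 40, 5, tzinfo=TZ),
    datetime(2009, 8, 13, 23, 5, 20, tzinfo=TZ),
]

# Assumed line shapes for vsftpd.log and the Apache combined LogFormat.
FTP_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'OK (?P<op>UPLOAD|DELETE): Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)"')
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def upload_then_delete(ftp_log, window_s=7200):
    """Return (user, ip, path, uploaded_at, deleted_at) for every path that the
    same FTP account uploaded and then deleted within window_s seconds."""
    window = timedelta(seconds=window_s)
    pending = {}   # (user, path) -> (client ip, upload time)
    hits = []
    for line in ftp_log.splitlines():
        m = FTP_RE.match(line)
        if not m:
            continue   # logins, failed transfers and other ops are not of interest here
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        key = (m["user"], m["path"])
        if m["op"] == "UPLOAD":
            pending[key] = (m["ip"], ts)
        elif key in pending:
            ip, up_ts = pending.pop(key)
            if ts - up_ts <= window:
                hits.append((m["user"], ip, m["path"], up_ts, ts))
    return hits


def requests_near(access_log, spam_times, window_s=30):
    """Return (ip, method, path, time) for every request whose timestamp lies
    within window_s seconds of a spam send time: the candidates for the request
    that actually drove the mailer."""
    window = timedelta(seconds=window_s)
    out = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if any(abs(ts - t) <= window for t in spam_times):
            out.append((m["ip"], m["method"], m["path"], ts))
    return out


def rank_suspects(matches):
    """Count (ip, method, path) over the matched requests; a script that is hit
    once per spam burst floats to the top while ordinary page views stay at one."""
    return Counter((ip, method, path) for ip, method, path, _ in matches).most_common()


if __name__ == "__main__":
    for user, ip, path, up, dl in upload_then_delete(VSFTPD_LOG):
        print(f"[ftp] {user}@{ip} uploaded {path} at {up:%H:%M:%S}, deleted at {dl:%H:%M:%S}")
    for (ip, method, path), n in rank_suspects(requests_near(ACCESS_LOG, SPAM_TIMES)):
        print(f"[http] {n} x {method} {path} from {ip} near spam send times")
```

On the sample data the FTP check flags dm.pl (uploaded 22:14, deleted 22:31) and the HTTP correlation ranks the two POSTs to /images/stories/dm.pl from the same client above the single GET that merely happened to land in the window. The windows are parameters on purpose: a mailer that is deleted a day later, or a cron-driven one with no HTTP trigger at all, will not show up, which is exactly the case for widening the file search beyond the web directories as Roger notes.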


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



