Security Basics mailing list archives

Re: auditing a system used for spamming


From: Roger D Vargas <roger () ehtsc co cu>
Date: Thu, 13 Aug 2009 12:57:22 -0400

Chris Firth wrote:
> > It was a Fedora 6, and the only way to access
> > it was via ssh.
>
> As I read on it seems as though it allowed HTTP too. Did it also allow
> FTP? I have regularly seen

Sorry, I wasn't clear enough. ssh access was for administration tasks.
Yes, there was http and ftp, I think.

> compromised FTP credentials which result in a "Dark Mailer" perl script
> being uploaded and executed, and then deleted shortly after. If the
> system does run an FTP server check the logs and see if anything has
> been uploaded and deleted.
>
> Are there any contact forms on the site? Is it possible that they have
> been exploited?

I asked several times if there were contact forms, but the site's
maintainer didn't explicitly confirm it. What I know is that when I
disabled the php mail function (by changing sendmail_path in php.ini) he
got crazy and asked me to enable it again. That makes me think that
there were contact forms, but as I said, I can't match any line in http
logs with the mail's time. Which means that the mail time was forged
also, or the script sending the mail wasn't called via http, just merely
had owner set to apache.



-- 
Roger D. Vargas
Using Gentoo Linux 2008.0, Ogre 1.6.2, fglrx
Powered by Celeron D 2.8 Ghz, 2Gb RAM, Radeon HD4770
Currently working on: Testing dotScene format
http://dsgp.blogspot.com
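
The log matching described in the message above, as an added example that is not part of the original post: it pairs each queued mail with the web requests logged in the few seconds before it and lists the mails that no request explains. The Apache combined log format, the sendmail-style syslog lines, the function names and all sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined log prefix (assumed; adjust to the server's LogFormat).
ACCESS_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Sendmail-style syslog line (assumed): "Aug 13 03:12:07 host sendmail[pid]: qid: from=..."
MAIL_RE = re.compile(r'(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ \S+: (?P<qid>\w+): from=')

def parse_access(lines):
    """Return [(aware_datetime, host, method, path)] for parsable request lines."""
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            out.append((ts, m["host"], m["method"], m["path"]))
    return out

def parse_maillog(lines, year, tz):
    """Return [(aware_datetime, queue_id)]; syslog omits year and zone, so both are passed in."""
    out = []
    for line in lines:
        m = MAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts.replace(tzinfo=tz), m["qid"]))
    return out

def correlate(requests, mails, window_s=5):
    """Map queue_id -> requests logged up to window_s seconds before the mail was queued."""
    win = timedelta(seconds=window_s)
    return {qid: [r for r in requests if timedelta(0) <= when - r[0] <= win]
            for when, qid in mails}

# Constructed sample data (not taken from the thread).
ACCESS = [
    '203.0.113.9 - - [13/Aug/2009:03:12:05 -0400] "POST /contact.php HTTP/1.1" 200 512',
    '198.51.100.4 - - [13/Aug/2009:03:40:00 -0400] "GET /index.html HTTP/1.1" 200 2048',
]
MAILLOG = [
    'Aug 13 03:12:07 web1 sendmail[4211]: n7D7C7aa004211: from=apache, size=912, nrcpts=1',
    'Aug 13 04:01:30 web1 sendmail[4390]: n7D81Ubb004390: from=apache, size=880, nrcpts=40',
]
EDT = timezone(timedelta(hours=-4))
RESULT = correlate(parse_access(ACCESS), parse_maillog(MAILLOG, 2009, EDT))
UNMATCHED = [qid for qid, reqs in RESULT.items() if not reqs]  # mails with no web request
```

Queue IDs left in `UNMATCHED` are the ones to chase through cron, FTP and shell history, since no HTTP request accounts for them.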

