Security Basics mailing list archives
Re: auditing a system used for spamming
From: Roger D Vargas <roger () ehtsc co cu>
Date: Thu, 13 Aug 2009 12:57:22 -0400
Chris Firth wrote:
>> It was a Fedora 6, and the only way to access it was via ssh.
> As I read on it seems as though it allowed HTTP too. Did it also allow FTP? I have regularly seen

Sorry, I wasn't clear enough. ssh access was for administration tasks. Yes, there was http and ftp, I think.

> compromised FTP credentials which result in a "Dark Mailer" perl script being uploaded and executed, and then deleted shortly after. If the system does run an FTP server, check the logs and see if anything has been uploaded and deleted. Are there any contact forms on the site? Is it possible that they have been exploited?

I asked several times if there were contact forms, but the site's maintainer didn't explicitly confirm it. What I know is that when I disabled the php mail function (by changing sendmail_path in php.ini) he got crazy and asked me to enable it again. That makes me think that there were contact forms, but as I said, I can't match any line in http logs with the mail's time. Which means that the mail time was forged also, or the script sending the mail wasn't called via http, just merely had owner set to apache.

--
Roger D. Vargas
Using Gentoo Linux 2008.0, Ogre 1.6.2, fglrx
Powered by Celeron D 2.8 Ghz, 2Gb RAM, Radeon HD4770
Currently working on: Testing dotScene format
http://dsgp.blogspot.com
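
Added example (not part of the original message or thread): one way to do the check described above, matching each spam message's timestamp against Apache access-log entries within a time window. The log lines, mail timestamps, `/contact.php` path and the 30-second window are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): Apache combined-format
# access log lines and the Date values of two spam messages.
ACCESS_LOG = """\
203.0.113.7 - - [12/Aug/2009:03:14:58 -0400] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Aug/2009:03:20:11 -0400] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2009:05:41:02 -0400] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""
MAIL_TIMES = ["2009-08-12T03:15:01-04:00", "2009-08-12T04:30:00-04:00"]

# client, identd, user, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_access_log(text):
    """Yield (timestamp, client, method, path) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m.group(1), m.group(3), m.group(4)

def correlate(mail_times, log_text, window_seconds=30):
    """Map each mail timestamp to the requests logged within the window.

    An empty list means no HTTP request was logged near that message's
    time: the timestamp may be forged, or the sending script was not
    invoked through the web server.
    """
    window = timedelta(seconds=window_seconds)
    requests = list(parse_access_log(log_text))
    result = {}
    for raw in mail_times:
        sent = datetime.fromisoformat(raw)
        result[raw] = [(client, method, path)
                       for ts, client, method, path in requests
                       if abs(ts - sent) <= window]
    return result

if __name__ == "__main__":
    for mail, hits in correlate(MAIL_TIMES, ACCESS_LOG).items():
        print(mail, "->", hits or "no HTTP request in window")
```

Timestamps are compared as timezone-aware values, so a mail header and a log line written in different UTC offsets still line up.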