Security Incidents mailing list archives
distributed spamming/scamming scheme?
From: lists <justinf () innocence-lost net>
Date: Fri, 6 Aug 2004 16:47:33 -0700 (MST)
Hi et al,

Over the last week or two it has come to my attention that at least 2 of our boxes were hacked. These boxes are shared servers for web hosting for the company I work for. It appears that weak passwords were the cause and several accounts were compromised. The attacker(s) get the passwords, upload some CGIs, run them, then delete them (my guess here is that because FTP is chrooted they do this to run as the www user). They download .htaccess/.htpasswd files, and also upload fake usbank login pages; these are done via meta tags that load the real page but use JavaScript to catch the login info. Then they email lists of people to spam with requests for them to log in to their usbank account, fake link to usbank, you know the drill. The hosts come across lots of various domains, but not all of them seem to be interactive logins, or at least that is my guess.

On this particular server they uploaded a file named bangbrosdat.exe; most of the logins just download the file and close their connection. A few others grab .htaccess/.htpasswd files, upload CGIs and actually do the deleting of things. I believe the bangbrosdat.exe file has some relation to bangbus.com because in the logs I've seen other files named like bangbus.txt. On one server I found 4.4MB of lists of email addresses that were zipped up; they were separated into different directories all named like foo.com or whatever.net, etc. None of these sites we host, so it appears they steal user email address lists also. Another interesting thing is these people never attempt to actually root the box; they are happy with FTP access and being able to execute CGIs. I've only found 1 CGI, it was named u.pl and it grabbed the system time and path, then did a crypt with the results of both and printed out the system time, path and the length of the encryption. My guess here is for later cracking of the .htpasswd files.
I still have yet to figure out how exactly they are sending the spam through our servers. There are a lot of vulnerable formmail programs on the box, but the server logs don't reflect their usage (keep in mind root was not obtained and there are no signs to make one think that it was). Watching network traffic I don't see anything other than a lot of outbound SMTP traffic and the normal stuff. I don't see any unusual processes or cron jobs, so my only guess is that it's done through a custom CGI they upload and execute then delete.

Why I am writing this is because with as many hosts as they come from, I cannot be the only person who has encountered them. They also do eBay spam/scams and Yahoo Finance spam/scams, and because they've missed one CGI here and there, and they leave such an audit trail, I'm looking for CGIs uploaded by them to other servers. Has anyone encountered this? Does anyone have any more of their MO? etc.

jnf
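As an added defender-side illustration (not part of the original post or any project it names), the script below scans FTP transfer logs for the MO described above: a CGI script uploaded and then deleted within a short window, downloads of .htaccess/.htpasswd, and dropped .exe files. It assumes a wu-ftpd/proftpd xferlog-style field layout; the sample log lines, hosts and account names are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines in xferlog style (wu-ftpd/proftpd); assumed field order:
# date(5 tokens) secs host bytes path type special direction access user service auth uid status
# direction: i = upload, o = download, d = delete
SAMPLE_LOG = """\
Fri Aug  6 03:12:01 2004 1 10.0.0.5 812 /home/acme/www/cgi-bin/u.pl a _ i r acme ftp 0 * c
Fri Aug  6 03:12:40 2004 0 10.0.0.5 812 /home/acme/www/cgi-bin/u.pl a _ d r acme ftp 0 * c
Fri Aug  6 03:13:05 2004 1 10.0.0.5 55 /home/acme/www/.htpasswd a _ o r acme ftp 0 * c
Fri Aug  6 03:15:00 2004 2 10.0.0.9 1400 /home/beta/www/index.html a _ i r beta ftp 0 * c
Fri Aug  6 09:00:00 2004 3 192.0.2.7 1024000 /home/gamma/www/bangbrosdat.exe b _ i r gamma ftp 0 * c
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \d+ (?P<host>\S+) (?P<bytes>\d+) "
    r"(?P<path>\S+) \S \S (?P<dir>[iod]) \S (?P<user>\S+) "
)
SCRIPT_EXT = (".pl", ".cgi", ".sh")        # attacker-uploaded CGI scripts
SECRET_FILES = (".htpasswd", ".htaccess")  # credential files they pull down
BINARY_EXT = (".exe",)                     # dropped payloads such as the .exe in the post

def parse(log):
    """Yield one dict per well-formed xferlog line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(re.sub(r"\s+", " ", rec["ts"]), "%a %b %d %H:%M:%S %Y")
            yield rec

def find_suspicious(log, delete_window_s=600):
    """Return (rule, user, path, host) tuples for the pattern described in the post."""
    alerts, uploads = [], {}   # uploads: (user, path) -> record of a script upload
    for r in parse(log):
        key, path = (r["user"], r["path"]), r["path"]
        if r["dir"] == "i" and path.endswith(SCRIPT_EXT):
            uploads[key] = r            # remember; the later delete decides whether to alert
        elif r["dir"] == "d" and key in uploads:
            age = (r["ts"] - uploads[key]["ts"]).total_seconds()
            if age <= delete_window_s:  # upload, (run), delete within a short window
                alerts.append(("script-upload-then-delete", r["user"], path, r["host"]))
        elif r["dir"] == "o" and path.endswith(SECRET_FILES):
            alerts.append(("htpasswd-download", r["user"], path, r["host"]))
        elif r["dir"] == "i" and path.endswith(BINARY_EXT):
            alerts.append(("executable-upload", r["user"], path, r["host"]))
    return alerts
```

Running `find_suspicious(SAMPLE_LOG)` on the constructed log flags the u.pl upload/delete pair, the .htpasswd download and the .exe upload, and leaves the ordinary index.html upload alone.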