[NCLUG] Apparently, I'm a Spammer - Now What?
Rich Young
rich at experienceplus.com
Wed Apr 25 20:40:42 MDT 2007
I believe I've found it - a forgotten installation of Coppermine Gallery
was apparently getting slammed on an arbitrary code execution
vulnerability detailed here:
http://securitytracker.com/alerts/2006/Feb/1015646.html
Web logs show a huge glut of calls to the vulnerable file over the last
couple days.
I deleted the entire gallery directory. (We don't need it, and I have
today's backup of it for forensic purposes.) I've also added a rule to
our firewall denying outbound email from this machine, which I can do
as its only intended mail traffic stays within our LAN.
I'm afraid I will have to reinstall the OS from scratch just to be safe,
since this was a code execution exploit. Does anyone see any
alternatives to that? I mean, the time it takes to reinstall is trivial
compared to the time it would take to ensure that there's no lasting
effect of the exploit, right?
--------------------------
I'm Rich Young, and I approved this message.
> -----Original Message-----
> From: nclug-bounces at nclug.org
> [mailto:nclug-bounces at nclug.org] On Behalf Of Stephen Warren
> Sent: Wednesday, April 25, 2007 4:16 PM
> To: Northern Colorado Linux Users Group
> Subject: Re: [NCLUG] Apparently, I'm a Spammer - Now What?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rich Young wrote:
> > I just noticed our web server running unusually slowly, and a little
> > digging turned up a huge load on sendmail. It didn't take long to find
> > a record in the maillog of a lot of spammy activity, which apparently
> > began Monday morning.
>
> The first thing to check: Are you an open relay (i.e. was sendmail
> mis-configured), or was your box cracked? Perhaps the box runs a
> web-server with a vulnerable web-form-to-email comment CGI script?
>
> Secondly (perhaps first!): Shut down, remove the HDD and keep it safe
> and read-only for later forensics, re-install everything from install
> CDs, install all updates, use postfix instead of sendmail...
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFGL9MGhk3bo0lNTrURArvTAJ9fVzoLlDEMbFCYs7FIAUO8oYhtuQCgkRmF
> dyBVoTERHJ/2uEjB2L7gfzo=
> =EnV9
> -----END PGP SIGNATURE-----
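Rich's check of the web logs (a "huge glut of calls to the vulnerable file") can be turned into a repeatable detection. The script below is an added example and is not code from this thread; it parses Apache combined-format access log lines (constructed samples are embedded inline, using a placeholder script name because the thread does not name the actual file) and reports any path whose hourly request count crosses a threshold, together with how many distinct client addresses hit it. Malformed lines are counted rather than silently dropped, so a partially damaged log still gives a usable answer.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format. Assumption: the server logs in this
# format with a numeric UTC offset, as the constructed samples below do.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string: the file being requested is what matters here.
    path = m.group("path").split("?", 1)[0]
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": path,
        "status": int(m.group("status")),
    }


def find_hammered_paths(lines, min_hits=20):
    """Return (flagged, unparsed).

    flagged maps each path whose busiest hour reached min_hits requests to a
    summary: the peak hour, hits in that hour, total hits, and distinct client
    addresses. unparsed counts lines that did not match the log format.
    """
    per_hour = defaultdict(Counter)   # path -> Counter(hour bucket -> hits)
    clients = defaultdict(set)        # path -> set of client addresses
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        bucket = rec["ts"].strftime("%Y-%m-%d %H:00")
        per_hour[rec["path"]][bucket] += 1
        clients[rec["path"]].add(rec["ip"])

    flagged = {}
    for path, buckets in per_hour.items():
        peak_hour, peak_hits = buckets.most_common(1)[0]
        if peak_hits >= min_hits:
            flagged[path] = {
                "peak_hour": peak_hour,
                "peak_hits": peak_hits,
                "total_hits": sum(buckets.values()),
                "distinct_ips": len(clients[path]),
            }
    return flagged, unparsed


# Constructed sample log: a little ordinary traffic, one damaged line, and a
# burst of 24 requests in one hour to a single gallery script from three
# addresses. The script name is a placeholder, not the real vulnerable file.
SAMPLE_LOG = []
for i, (ip, path) in enumerate([("192.0.2.10", "/index.html"),
                                ("192.0.2.11", "/about.html"),
                                ("192.0.2.12", "/index.html")]):
    SAMPLE_LOG.append(
        f'{ip} - - [23/Apr/2007:09:{i:02d}:00 -0600] "GET {path} HTTP/1.1" 200 512')
SAMPLE_LOG.append("garbage line that is not a log entry")
for i in range(24):
    ip = f"198.51.100.{i % 3 + 1}"
    SAMPLE_LOG.append(
        f'{ip} - - [23/Apr/2007:10:{i * 2:02d}:{i:02d} -0600] '
        f'"GET /gallery/ASSUMED_VULNERABLE_SCRIPT.php?page=1 HTTP/1.1" 200 1024')


if __name__ == "__main__":
    flagged, unparsed = find_hammered_paths(SAMPLE_LOG, min_hits=20)
    for path, info in flagged.items():
        print(f"{path}: {info['peak_hits']} hits in hour {info['peak_hour']}, "
              f"{info['total_hits']} total from {info['distinct_ips']} addresses")
    print(f"unparsed lines: {unparsed}")
```

On a real server the same function would be fed `open("/var/log/httpd/access_log")` instead of `SAMPLE_LOG`; the hourly bucketing is what separates a sudden scan of one script from a page that is simply popular, and the distinct-address count tells you whether the traffic came from one source or many.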