[Smaug] Need a security dude.

Rick Moen rick at linuxmafia.com
Mon Dec 26 12:48:45 PST 2005

Quoting Thomas Leavitt (thomas at thomasleavitt.org):

> Some bleeping Brazilian spammer is using the DataChaos backdoor script
> (dc.pl.htm) to get into my server and spam other Brazilians. I can't
> find enough information on the web to reverse engineer what he's doing,
> and there's nothing in the logs to backtrace it either...  I don't have
> the security chops to figure it out on my own. I'm pretty sure he's
> exploiting some php hole, as the messages appear to be generated via
> apache and sent as local mail...
> Is there a way to "lock down" all locally generated mail, and put it
> through some kind of approval filter?  (as an interim step) ... only
> programs generate this kind of email at this point, there are no shell
> accounts on the server.
> I'd be willing to pay to have someone figure out how this bastard is
> getting in, and how to stop him.

Thomas --

First thing for you to do, I think, is determine whether the bad guy has
escalated to root authority, or whether he merely has misappropriated
httpd authority.  The latter is very common, especially if you have been 
in the habit of installing AWstats or various developed PHP

What PHP apps do you have installed, by the way?  What distribution is
this?  What version?  Do you have a host IDS or other means of checking
system integrity?

Further, you might be aware that many (most?) distributions install PHP
in development mode.  That is, php.ini in that mode is far too dangerous
for public deployment, and should be locked down.  More at:  "PHP" on 
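As an added illustration of the php.ini lockdown point (this is example code, not something from the list post or from Rick), the script below audits a php.ini for the usual development-mode directives and shows the hardened values beside them. The directive names (display_errors, expose_php, register_globals, allow_url_fopen, disable_functions) are real PHP settings; the two sample files, their /tmp paths and their contents are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the list post): audit a php.ini for
# "development mode" directives and show the locked-down values.
# Directive names are real PHP settings; file paths and sample
# contents below are constructed.

# write_dev_ini FILE: constructed sample resembling a stock development php.ini
write_dev_ini() {
  cat > "$1" <<'EOF'
; constructed sample: development defaults as shipped by many distributions
display_errors = On
expose_php = On
register_globals = On
allow_url_fopen = On
disable_functions =
EOF
}

# write_hardened_ini FILE: the same directives locked down for public deployment
write_hardened_ini() {
  cat > "$1" <<'EOF'
; constructed sample: production values
display_errors = Off
log_errors = On
expose_php = Off
register_globals = Off
allow_url_fopen = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
EOF
}

# php_ini_setting FILE DIRECTIVE: print the effective value of DIRECTIVE
# (last uncommented assignment wins, as in PHP; empty if absent)
php_ini_setting() {
  awk -F= -v key="$2" '
    /^[ \t]*[;#]/ { next }                       # skip comment lines
    { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }   # trim directive name
    k == key {                                   # value = everything after first "="
      v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); val = v
    }
    END { print val }
  ' "$1"
}

# audit_php_ini FILE: report each directive still in development mode;
# returns 0 when the file is locked down, 1 otherwise
audit_php_ini() {
  audit_bad=0
  for pair in display_errors:Off expose_php:Off register_globals:Off allow_url_fopen:Off; do
    key=${pair%%:*}
    got=$(php_ini_setting "$1" "$key")
    case "$got" in
      Off|off|0) ;;
      "")  echo "$key: not set (PHP default applies; set it to Off explicitly)"; audit_bad=1 ;;
      *)   echo "$key = $got (should be Off)"; audit_bad=1 ;;
    esac
  done
  if [ -z "$(php_ini_setting "$1" disable_functions)" ]; then
    echo "disable_functions: empty (no shell-spawning functions blocked)"
    audit_bad=1
  fi
  return $audit_bad
}

# Demonstration on the two constructed files
write_dev_ini /tmp/php.ini.dev
write_hardened_ini /tmp/php.ini.hardened
echo "== development php.ini =="
audit_php_ini /tmp/php.ini.dev || echo "-> needs locking down"
echo "== hardened php.ini =="
audit_php_ini /tmp/php.ini.hardened && echo "-> locked down"
```

Point it at the real file (`audit_php_ini /etc/php.ini`, or whatever path `php -i | grep php.ini` reports on the distribution in question) to see which directives are still at their development values; the exit status makes it usable from a cron job or a host-integrity check.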

