This is a discussion on Re: sendmail compromised - Somebody help me! within the Linux Security forums, part of the System Security and Security Related category.

Job Eisses <jei@jei.homelinux.net> wrote in news:4270229A.42C8FC7D@jei.homelinux.net:

> Did you try to look for formmail perl scripts in your cgi-bin directory ?
> What version is used ?
> -job

I have more than 1 cgi-bin directory. 1 in the web root, only awstats v 6.1 in there, probably could use updating. An event calendar in another with a link to email the webmaster (Does not email), a "search this site" .pl file (Does not email). I do have openbook guestbook in another directory, v 1.2.2 (Can email), phpbb 2.0.6 (Can mail) and this version is out of date, there are bugs reported for it. Patching it up is difficult. Also use Coppermine Photo Gallery v 1.2.1 (Can mail).

I think that this would be difficult to track down, Job. It is probably phpbb2 or Coppermine. Most likely not worth the effort, what with redhat 9 being so far out of date now. I think that I will just get a new distro (Downloading FC3 with wget as we speak.) and then install new. Get a running distro with NAT and firewall, get apache running with the few essential docs that I need on the road, and then add the rest as I go along, watching and hardening the new install. Always pleased to hear feedback and suggestions, though.

Thanks Job.

--
~Ohmster
ohmster at newsguy dot com

me <me@here.com> wrote in news:DFVbe.7993$BW6.836229@news20.bellglobal.com:

> Cool. You'll enjoy FC3, and FC4 is right around the corner.
>
> Me.

Downloading FC3 with wget now, looking forward to a new distro. If FC follows the same standards as redhat, with updates, and being able to update to the next distro, then that would be all the better. Thanks for the encouragement!

--
~Ohmster
ohmster at newsguy dot com

On Wed, 27 Apr 2005 22:40:10 GMT, Ohmster (notareal@emailaddress.com) wrote:

> This is all very good advice, Baron. I have decided to install a new
> distro. I looked into the http logs, trying to match up php, cgi, or pl
> files that could do email, against web logs to see if there is a higher
> frequency of any emailable files in the logs but the challenge is
> daunting. A cat and grep through a single 7Mb log file for cgi reveals
> nothing, pl yields only a "search this site" script that cannot mail,

When you do that, you should install or make use of something like logrotate, so you don't end up with such large log files, which as you've learned are hard to peruse. Chalk this one up to experience - you've made a good decision in deciding to do a fresh install.

Also, invest time in developing a backup system. I'll tell you what I do. I make a complete backup on tape media every four weeks, and an incremental backup every week. If you don't have a tape device, you can use a removable HD, they're cheap .....

Beverly

--
Many a smale maketh a grate -- Geoffrey Chaucer

Ohmster wrote:

> "Barton L. Phillips" <bartonphillips@sbcglobal.net> wrote in
> news:DyPbe.1956$zu.1600@newssvr13.news.prodigy.com :
>
>> If you need your server maybe you should buy a cheap system and use it
>> while you fix the other system. You can get low end systems for as
>> little as $150. You would still be able to "do your work" without
>> doing in others. The suggestion to outsource your server temporarily
>> is also a good one.
>>
>> You could also try tightening up your iptables to restrict outgoing
>> traffic which might keep the malware caged a bit. Still taking the
>> system off the air is best until you fix the problem. As Bev said it
>> really shouldn't take that long to reload your system and get it back
>> up. I have done it many times for friends who have gotten in trouble
>> both with Windows and Linux. To reinstall Linux should not take more
>> than an hour. To backup and restore data might take a little longer
>> but all told it should not take more than one long day.
>>
>> As Bev said "hard medicine". I know a day's lost work is hard to take
>> but sometimes it is needed.
>
> This is all very good advice, Baron. I have decided to install a new
> distro. I looked into the http logs, trying to match up php, cgi, or pl
> files that could do email, against web logs to see if there is a higher
> frequency of any emailable files in the logs but the challenge is
> daunting. A cat and grep through a single 7Mb log file for cgi reveals
> nothing, pl yields only a "search this site" script that cannot mail,
> but php is a horse of a different color. Just one log file scrolls
> screen after screen of php pages, you can literally sit for several
> minutes, watching it all go by. Stopping to analyze it reveals general
> php traffic. This is only 1 of many http logs to go through. To actually
> examine and extract php file names, put them in an ordered list, count
> them, then examine which ones can do email, there are many, is a very
> daunting task in itself. It could be done but in the end, I get a "long
> in the tooth" redhat 9 machine that is getting older all of the time and
> really, just cannot be updated that much anymore.
>
> I have sendmail disabled as an immediate stop gap and will have a new
> distribution in place A.S.A.P.. All I really need is a modern distro
> running with NAT and firewall in place, that should not take long, then
> get my critical work files on a limited server. The rest I can take my
> time with and eventually, get the system that I want this way. If I
> cannot do this soon enough, I might just take one of the older computers
> sitting around, I think I have an HP Pavilion in the other room, and do
> like you said, get a modern, cheap system in place for now. Yeah my
> firewall needs to be tightened up, I took firestarter because it was
> easy. Might go with shorewall this time as it has a webmin module now.
> But all of this is old news. It is time for a new distro. I am leaning
> to Fedora Core. I don't really need convincing anymore, after going
> through log after log and realizing I still have an outdated machine was
> enough for me.
>
> Good advice Baron, thanks. I got work to do now, outta here, buddy!

I am using Fedora Core 3 on one of my machines. The only downside is that SeLinux can be a bit hard to configure and use. One can always a) disable it, or b) set it to "Permissive" and watch your logs and work on setting it up right. If your server needs aren't too aggressive SeLinux might work out of the box, but I doubt it. Other than the above caveat Fedora Core 3 has worked very well for me. You can keep it up to date with up2date, or yum, or apt. There is even a little icon for the task tray that lets you know when new stuff comes out.

Good luck and I hope you can get your new system working for you without too much pain.

PS: it's Barton not Baron;)

On Thu, 28 Apr 2005 02:02:23 GMT, Barton L. Phillips (bartonphillips@sbcglobal.net) wrote:

> PS: it's Barton not Baron;)

You don't like being elevated to the peerage? Think about it, you could go by Lord Phillips :-)

--
Many a smale maketh a grate -- Geoffrey Chaucer

On Wed, 27 Apr 2005 22:40:10 +0000, Ohmster mumbled something like this:

> To actually examine and
> extract php file names, put them in an ordered list, count them, then
> examine which ones can do email

Since most php scripts use the mail() function to send email, you could try:

cd /location/of/your/phpfiles
grep -H mail\( *.php

The backslash is required to escape the opening bracket.

--
Rinso
   /\
  /  \
 /wizz\
~~~~~~~~~~~~

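As an added example that is not from anyone in this thread, the script below joins the two ideas above: Ohmster's plan to pull the .php file names out of the web logs, order and count them, and Rincewind's grep for mail( calls. It assumes Apache combined-format logs; the document root, log lines and script bodies are constructed for the example.

```shell
#!/bin/sh
# Added example (not from this thread): rank the .php scripts that appear
# in the access log by hit count, then keep only those whose source calls
# PHP's mail(), so the mail-capable scripts with the most traffic are
# reviewed first. Everything under $WORK is constructed sample data.
set -e

WORK=$(mktemp -d)            # left in place so the results can be inspected
DOCROOT="$WORK/htdocs"
mkdir -p "$DOCROOT/forum" "$DOCROOT/gallery"

# Constructed scripts: two call mail(), one does not.
printf '<?php mail($to, $subj, $body);\n' > "$DOCROOT/forum/posting.php"
printf '<?php echo "hello";\n'            > "$DOCROOT/index.php"
printf '<?php @mail ($a, $b, $c);\n'      > "$DOCROOT/gallery/ecard.php"

# Constructed access log in Apache combined format, one request per line.
cat > "$WORK/access_log" <<'EOF'
10.0.0.1 - - [28/Apr/2005:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla"
10.0.0.2 - - [28/Apr/2005:10:00:02 +0000] "POST /forum/posting.php HTTP/1.1" 200 88 "-" "curl"
10.0.0.2 - - [28/Apr/2005:10:00:03 +0000] "POST /forum/posting.php?mode=reply HTTP/1.1" 200 88 "-" "curl"
10.0.0.3 - - [28/Apr/2005:10:00:04 +0000] "GET /gallery/ecard.php HTTP/1.0" 200 77 "-" "Mozilla"
10.0.0.4 - - [28/Apr/2005:10:00:05 +0000] "GET /images/logo.png HTTP/1.1" 200 9000 "-" "Mozilla"
EOF

# Print "count path" for every requested .php path, most requested first.
# Field 7 of the combined format is the request path; drop any query string.
php_hits() {
    awk '$7 ~ /\.php/ { sub(/\?.*/, "", $7); print $7 }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Print the docroot-relative path of every script that calls mail().
# "(" is literal in a basic regex; quoting keeps the shell from seeing it.
mail_scripts() {
    find "$1" -name '*.php' -exec grep -l 'mail[[:space:]]*(' {} + \
        | sed "s|^$1||" | sort
}

# Join the two lists: only mail-capable scripts, with their hit counts.
mail_hits() {
    php_hits "$1" | while read -r count path; do
        if mail_scripts "$2" | grep -qxF "$path"; then echo "$count $path"; fi
    done
}

mail_hits "$WORK/access_log" "$DOCROOT"
```

Point the two arguments of mail_hits at a real log and document root to use it; the pattern also matches names such as email( and calls inside comments, so the list is a starting point for review, not a verdict.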
Bev A. Kupf wrote:

> On Thu, 28 Apr 2005 02:02:23 GMT,
> Barton L. Phillips (bartonphillips@sbcglobal.net) wrote:
>
>> PS: it's Barton not Baron;)
>
> You don't like being elevated to the peerage? Think about it, you could
> go by Lord Phillips :-)

Or Don Barton. That's what some of my Mexican friends call me for fun.

Rincewind <rinso@unseen.edu> wrote in news:pan.2005.04.28.13.02.53.994971@unseen.edu:

> Since most php scripts use the mail() function to send email, you could
> try:
>
> cd /location/of/your/phpfiles
> grep -H mail\( *.php
>
> The backslash is required to escape the opening bracket.

Oh this is excellent! I need this kind of help, will try it when I get home from work. Thank you Rinse.

--
~Ohmster
ohmster at newsguy dot com

Ohmster wrote:

> Rincewind <rinso@unseen.edu> wrote in news:pan.2005.04.28.13.02.53.994971
> @unseen.edu:
>
>> Since most php scripts use the mail() function to send email, you could
>> try:
>>
>> cd /location/of/your/phpfiles
>> grep -H mail\( *.php
>>
>> The backslash is required to escape the opening bracket.
>
> Oh this is excellent! I need this kind of help, will try it when I get home
> from work. Thank you Rinse.

No!!! Stop faffing about! Your first priority is to secure that machine. Why do you have an FTP server accepting anonymous connections with a world writeable directory???? Why are you exposing ntp to the world? Are you an official time source? Do you really use ntalk??? I'd say sort your firewall but it looks much more to me like you need to get one.

"Bev A. Kupf" <bevakupf@myhome.net> wrote in news:slrnd70gil.j7n.bevakupf@myhome.net:

> When you do that, you should install or make use of something like
> logrotate, so you don't end up with such large log files, which as you've
> learned are hard to peruse through.

I have logrotate in place, that is why I get 4 of each log. This was such a massive spam attack that I guess it overwhelmed the logs. With 3 domains, each making logs, it adds up.

> Chalk this one up to experience - you've made a good decision in
> deciding to do a fresh install.

Yes, I just found out that I had backdoors on the system. phpbb 2.0.6 no doubt was the culprit. /var/tmp (Which I don't think even belongs on redhat 9) was chock full of them. Michael found PsychoPhobia Backdoor, Mungo found rst.b. There is a visa card phishing program, and other stuff. This is just too much, you were right Bev, the box has no place on the net, is outta there now. Cannot ever use that system again now. No way.

> Also, invest time in developing a backup system. I'll tell you
> what I do. I make a complete backup on tape media every four
> weeks, and an incremental backup every week. If you don't have
> a tape device, you can use a removable HD, they're cheap .....

Will do.

> Beverly

Hope that you did not take the "hissy fit" personally, I did not intend to launch it at you. You always had my respect, you were the one to get me this far. Thanks Bev.

--
~Ohmster
ohmster at newsguy dot com