This is a discussion on Re: sendmail compromised - Somebody help me! within the Linux Security forums, part of the System Security and Security Related category.
Ohmster wrote:
> Michael Pelletier <mjpelletier@mjpelletier.com> wrote in
> news:Z_Tae.64983$A31.61016@fed1read03:
>
>> Yes. I agree. It appears to be coming from APACHE. Shutdown APACHE
>> until you fix your CGI stuff..
>>
>> Michael
>
> Ugh, it is looking that way. Please read my reply to Unruh above. In the
> process of replying to him, I ran a top session in an ssh term from my local
> machine and found apache running a perl script that was eating 99% of my
> CPU. This continued and I had to shut down httpd and then kill the runaway
> perl process. How can I investigate this further? Thank you for your help,
> I need more of it though.
>
> Is there some kind of rootkit or something that I should run, or do you
> think that some spammer has just found a weak cgi script and is exploiting
> the hell out of it?

<short summary: OP runs a webserver on a DSL connection. Recently spam injected by his webserver is clogging his mailqueue. Distribution is RedHat 9 and no, he has not heard about fedoralegacy>

Ohmster,

Since you admit to running a server with multiple services and no updates for a year (AFAIK RH's own support for 9 ran out in the middle of last year, and you have obviously never heard of http://fedoralegacy.org/), your box might very well be owned already. I would not trust that machine one bit and advise you to pull it off the net, do a clean install (RH9 should be okay, but you need to make sure that yum is pointing to the fedora-legacy repositories) and then update it from behind a NAT gateway. Look for new updates regularly, and subscribe to security-related mailing lists like bugtraq or cert.

Your spam problem, however, looks like a formmail exploit or something along that line. An intruder with root access can send mail any way he wants to and does not need your webserver to invoke sendmail (let alone leave 7 megs of logfiles for you to see). Once you have found out which script is vulnerable, ask a perl or php newsgroup for advice. If you slap the same thing onto a cleanly installed server it will still be unsafe.

And please educate yourself about security. There are tons of free online resources.

Followup goes to comp.os.linux.security. This has nothing to do with sendmail.

Regards
sue
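The thread so far points at a CGI script under Apache being driven by a remote client, with sendmail merely delivering what the script generates. Tying the runaway perl process seen in top back to the HTTP requests that started it is the natural first step, and the Apache access log is where that evidence lives. The script below is an added example written for this page, not something posted in the thread: it takes an access log, lists every request that reached a script under /cgi-bin/, and ranks the client addresses that POSTed to CGI scripts, busiest first. The log lines, the address values and the `formmail.pl` name are constructed for illustration, and the Red Hat 9 log path mentioned in the comments is an assumed default. Because nothing on a possibly compromised host can be fully trusted, copy the log to a clean machine (or boot a live CD, as suggested later in the thread) and run the analysis there.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an Apache access log for
# the pattern Ohmster describes (a remote client driving a script under
# /cgi-bin/ that in turn makes sendmail send spam). The log lines and the
# file name are constructed for illustration; on a Red Hat 9 box the real
# log would normally be /var/log/httpd/access_log (assumed default path).

# All requests that hit a CGI script, so the runaway perl process seen in
# top can be tied back to the HTTP requests that started it.
cgi_hits() {
    grep -E '"(GET|POST) /cgi-bin/' "$1"
}

# POSTs to CGI scripts counted per client address, busiest first. One
# address hammering a form-to-mail script stands out at the top.
cgi_posters() {
    grep -E '"POST /cgi-bin/' "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Total number of CGI POSTs in the log (handy for a quick sanity check).
count_cgi_posts() {
    grep -cE '"POST /cgi-bin/' "$1"
}

# Constructed sample in Apache common log format (RFC 5737 documentation
# addresses; 198.51.100.7 plays the client abusing the form script).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [25/Apr/2005:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [25/Apr/2005:10:01:05 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 312
198.51.100.7 - - [25/Apr/2005:10:01:06 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 312
192.0.2.10 - - [25/Apr/2005:10:01:09 -0400] "GET /cgi-bin/counter.cgi HTTP/1.1" 200 88
198.51.100.7 - - [25/Apr/2005:10:01:10 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 312
EOF

# Stand-alone run: list the busiest CGI posters in the constructed sample.
cgi_posters "$SAMPLE_LOG"
```

On a real log, compare the timestamps of the top poster's requests with the time the perl process was seen consuming CPU and the time the sendmail queue started filling; a match identifies both the script to pull and the address to block at the firewall while the script is fixed.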
susan barnes <susans-spamtrap@uni-koeln.de> wrote in news:3d2m97F6o2feoU1@individual.net:
> Once you have found out which script is vulnerable, ask a perl or php
> newsgroup for advice. If you slap the same thing onto a cleanly
> installed server it will still be unsafe.
>
> And please educate yourself about security. There are tons of free
> online resources.
>
> Followup goes to comp.os.linux.security. This has nothing to do with
> sendmail.
>
> Regards
> sue

Sounds like good advice; at least we got this far and I have a handle on which way to go now. Thanks Sue.

--
~Ohmster
ohmster at newsguy dot com
susan barnes <susans-spamtrap@uni-koeln.de> wrote in news:3d2m97F6o2feoU1@individual.net:
> And please educate yourself about security. There are tons of free
> online resources.
>
> Followup goes to comp.os.linux.security. This has nothing to do with
> sendmail.

I am working on the education, Sue. It takes time but it sure has become a priority as of late. Good URLs would be appreciated.

Thanks for bringing this discussion to comp.os.linux.security. I have created a new post, "apache compromised to send spam, need way to check file access", that I just posted here. Keeping fingers crossed that I might get the kind of help that I need to get going in the right direction.

--
~Ohmster
ohmster at newsguy dot com
susan barnes <susans-spamtrap@uni-koeln.de> wrote in news:3d2m97F6o2feoU1@individual.net:
> Since you admit to running a server with multiple services and no
> updates for a year (AFAIK RH's own support for 9 ran out in the middle of last
> year and you have obviously never heard of http://fedoralegacy.org/)
> your box might very well be owned already.

The box is not "owned already", but I do appreciate your concern. It is an apache cgi exploit and we will find it. The security on the box is actually pretty good; this is the only incident of a security nature ever to appear on this unit. I now have the fedoralegacy website bookmarked and shortcutted and will be studying this closely. Thank you for showing me the way, Susan.

--
~Ohmster
ohmster at newsguy dot com
Renegade <inv@lid.net> wrote in news:k47be.30775$_t3.7481@tornado.tampabay.rr.com:
> Ownership in this case is a matter of semantics. As I see it, if you
> do not have 100% control, then you no longer fully own the system.
> Right now you have more of a "shared partnership" with an unknown
> party that has the same level of control (or possibly more) as you.
> You do not yet know the full extent of the exploit, therefore the
> results of any tools or commands that you run should not be trusted as
> valid information (unless you run them from a live-cd or similar). In
> that light, you could consider the system as "owned".

Uh, okay. What do you suggest, Renegade? RPG? Napalm? Thermite perhaps?

Yeah, we got problems but I am working on it. So far as someone else having more control over it than I do, I doubt that very much; I can always pull the plug. I don't think anyone else can. Will do a rootkit on the system as soon as I can get one and read up on it, and try some of the very good and helpful suggestions given to me in this and in the sendmail newsgroups. Will report progress to the newsgroup as a thanks to those that took the time to offer assistance and to put finality to this issue.

A knoppix CD is not a bad idea at all though, good tip, buddy.

...the RPG does sound like more fun, though. :P

--
~Ohmster
ohmster at newsguy dot com
On Mon, 25 Apr 2005 23:12:10 +0000, Ohmster wrote:
> Renegade <inv@lid.net> wrote in
> news:k47be.30775$_t3.7481@tornado.tampabay.rr.com:
>
>> Ownership in this case is a matter of semantics. As I see it, if you
>> do not have 100% control, then you no longer fully own the system.
>> Right now you have more of a "shared partnership" with an unknown
>> party that has the same level of control (or possibly more) as you.
>> You do not yet know the full extent of the exploit, therefore the
>> results of any tools or commands that you run should not be trusted as
>> valid information (unless you run them from a live-cd or similar). In
>> that light, you could consider the system as "owned".
>
> Uh, okay. What do you suggest, Renegade? RPG? Napalm? Thermite perhaps?
>
> Yeah we got problems but I am working on it. So far as someone else
> having more control over it than I do, I doubt that very much, I can
> always pull the plug.

Pull the plug right now.

> I don't think anyone else can.

Well, I won't do it. But if you don't think anyone else can, then you are fooling yourself.

> Will do a rootkit on
> the system as soon as I can get one and read up on it and try some of the
> very good and helpful suggestions given to me in this and in the sendmail
> newsgroups. Will report progress to the newsgroup as a thanks to those
> that took the time to offer assistance and to put finality to this issue.
>
> A knoppix CD is not a bad idea at all though, good tip, buddy.
>
> ...the RPG does sound like more fun, though. :P
Newsbox <nospam_for_me_please@thanks.invalid> wrote in news:tpadnVZgjZS_WPDfRVn-gg@acadia.net:
> Pull the plug right now.
>
>> I don't think anyone else can.
>
> Well I won't do it. But if you don't think anyone else can then you are
> fooling yourself.

...sigh. I already told the newsgroup that I *need* these webservers. I already told the group that I cannot replace the distro right now. I already told the newsgroup that I need help to catch a sneaky apache spammer. I will replace the redhat box with FC, probably at the end of the year. I have no bank records on this machine; no, my windows machines are not filled with spyware and viruses; my windows machines are not vulnerable on the net. My registries are clean.

How does "pull the plug" help? Is that what your mechanic tells you when you bring in an older car? Gee, it is old and I can find, oh, 30 things wrong with it. Throw it out and get a new car. Uh, could you like just fix the freaking brakes like I want and like I brought it in here for, or maybe just buy me a new car then?

"Pulling the plug" is not an option unless you are going to let me borrow your nice new FC3 or RHEL computer in the meantime. I did get some good tips in here so I am pleased and have things to work on. Actually you gave me some good tips too. Unfortunately, this was not one of them. Thanks anyway, Newsbox. Take care.

--
~Ohmster
ohmster at newsguy dot com
Newsbox <nospam_for_me_please@thanks.invalid> wrote in news:tpadnVZgjZS_WPDfRVn-gg@acadia.net:
> Pull the plug right now.

P.S. I did shut down sendmail though, until I can find a way to plug this hole and maybe allow sendmail to only accept mail for maybe 20 email addresses on an approved list or something like that.

I cannot, in good conscience, allow this spamming from my machine to continue. It just isn't right. Cheers.

--
~Ohmster
ohmster at newsguy dot com
On Tue, 26 Apr 2005 15:39:51 GMT, Ohmster (notareal@emailaddress.com) wrote:
> Newsbox <nospam_for_me_please@thanks.invalid> wrote in
> news:tpadnVZgjZS_WPDfRVn-gg@acadia.net:
>
>> Pull the plug right now.
>
> P.S. I did shutdown sendmail though, until I can find a way to plug this
> hole and maybe allow sendmail to only accept mail for maybe 20 email
> addresses on an approved list or something like that.
>
> I cannot, in good conscience, allow this spamming from my machine to
> continue. It just isn't right.

Ohmster - I realize that you want to keep your machine online. If it is on the internet, whether you are sendmail or not, your machine remains compromised.

The problem with this is - if someone has remotely taken control of your machine, he/she can use it as a base to take control of other machines. Knowingly leaving a compromised machine on the network kind of makes you at least a bad citizen, at worst an accessory to the "crime".

What would you do if your machine were used as a basis to launch an attack against the FBI? It would be very difficult to claim innocence, knowing what you do, and with _their_ knowing what you've posted on Usenet.

I would urge you to give the matter some serious consideration before sticking with your decision to just disable sendmail and leave the box online.

Beverly
--
Many a smale maketh a grate -- Geoffrey Chaucer
On Tue, 26 Apr 2005 16:23:20 GMT, Bev A. Kupf (bevakupf@myhome.net) wrote:
> On Tue, 26 Apr 2005 15:39:51 GMT,
> Ohmster (notareal@emailaddress.com) wrote:
>> Newsbox <nospam_for_me_please@thanks.invalid> wrote in
>> news:tpadnVZgjZS_WPDfRVn-gg@acadia.net:
>>
>>> Pull the plug right now.
>>
>> P.S. I did shutdown sendmail though, until I can find a way to plug this
>> hole and maybe allow sendmail to only accept mail for maybe 20 email
>> addresses on an approved list or something like that.
>>
>> I cannot, in good conscience, allow this spamming from my machine to
>> continue. It just isn't right.
>
> Ohmster - I realize that you want to keep your machine online. If it
> is on the internet, whether you are sendmail or not, your machine
                                    ^ using

Oops, missed a word. The rest still stands.

> remains compromised.
>
> The problem with this is - if someone has remotely taken control of
> your machine, he/she can use it as a base to take control of other
> machines. Knowingly leaving a compromised machine on the network,
> kind of makes you at least a bad citizen, at worst an accessory to
> the "crime".
>
> What would you do if your machine were used as a basis to launch an
> attack against the FBI? It would be very difficult to claim innocence,
> knowing what you do, and with _their_ knowing what you've posted on
> Usenet.
>
> I would urge you to give the matter some serious consideration, before
> sticking with your decision to just disable sendmail, and leave the
> box online.
>
> Beverly

--
Many a smale maketh a grate -- Geoffrey Chaucer