Networking Forums

Apache hacked - Hackers put mails via invalid URL

xmontero
06-02-2008, 11:23 PM
Hello all, my 1st post here.

I have found my Linux box hacked. The hacker inserts hundreds/
thousands of outgoing mails into my mailq.

1) I clean the mailq
2) mailq reports empty.
3) tail -f /var/log/apache/error.log
[I wait...]
4) Suddenly in the logs I have:
[Sun Jun 1 11:43:09 2008] [error] [client 64.151.82.172] File does not exist: /var/www/custom_www/dsitelecom.com/www/http://www.geocities.com/sam_osagie01/fire4fire.html
[Sun Jun 1 11:44:14 2008] [error] [client 64.151.82.172] File does not exist: /var/www/custom_www/dsitelecom.com/www/http://www.geocities.com/sam_osagie01/fire4fire.html
5) mailq reports hundreds of mails.

I have accessed http://www.geocities.com/sam_osagie01/fire4fire.html
and it seems a form with fields to do spam (content, from, destination
list, etc)

I have looked at /var/www/custom_www/dsitelecom.com/www/ and the index
is mine, and there is no .htaccess which makes any kind of rewrites
or anything like this.

I need to understand this in order to stop them coming in. My current
method is to ban the attacking IP via iptables, but of course when they
use a different IP I'm violated again.

Does anybody know how the devil this is working? How do they put
outgoing spam in my mailq?

Thanks!
Xavi.
John Thompson
06-03-2008, 01:57 AM
On 2008-06-02, xmontero <(E-Mail Removed)> wrote:

> I have found my Linux box hacked. The hacker inserts hundreds/
> thousands of outgoing mails into my mailq.


[...]

> I need to understand this in order to stop they coming in. My current
> method is to ban the attacking IP via iptables but of course when they
> use a different IP I'm violated again.


Playing whack-a-mole with attackers is just an exercise in frustration.

> Does anybody know how the devil is this working? How do they put
> outgoing-spam in my mailq?


Take it off-line. Save anything that you cannot replace. Reinstall, with
particular attention to security. Don't put it back on line until you
know it's tight.

--

John ((E-Mail Removed))
Unruh
06-03-2008, 07:04 AM
John Thompson <(E-Mail Removed)> writes:

>On 2008-06-02, xmontero <(E-Mail Removed)> wrote:


>> I have found my Linux box hacked. The hacker inserts hundreds/
>> thousands of outgoing mails into my mailq.


> [...]


>> I need to understand this in order to stop they coming in. My current
>> method is to ban the attacking IP via iptables but of course when they
>> use a different IP I'm violated again.


>Playing whack-a-mole with attackers is just an exercise in frustration.


>> Does anybody know how the devil is this working? How do they put
>> outgoing-spam in my mailq?


>Take it off-line. Save anything that you cannot replace. Reinstall, with
>particular attention to security. Don't put it back on line until you
>know it's tight.


Just to emphasise what he says. Your system has been cracked. They are
sending the emails via a local user or they have hacked your
sendmail/postfix/... so that it accepts forwarding.


>--


>John ((E-Mail Removed))

Chris Davies
06-03-2008, 08:23 AM
Unruh <unruh-(E-Mail Removed)> wrote:
> Just to emphasise what he says. Your system has been cracked. They are
> sending the emails via a local user or they have hacked your
> sendmail/postfix/... so that it accepts forwarding.


Maybe there's a vulnerable script on his website that allows sending of
arbitrarily addressed emails.

Chris
Burkhard Ott
06-03-2008, 08:26 AM
On Mon, 02 Jun 2008 16:23:40 -0700, xmontero wrote:

> Hello all, my 1st post here.
>
> I have found my Linux box hacked. The hacker inserts hundreds/
> thousands of outgoing mails into my mailq.
>


e.g:
http://www.dsitelecom.com/dsi.php?lang=esp&file=rma2
^^^^^^^^^^

File inclusion, so they execute the geocities script on your server; it's
also possible to mount a PHP shell.

Fix your script and turn display_errors off; that makes it a little harder
to find your mistakes via Google.


cheers
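The include pattern Burkhard is pointing at, shown beside an allow-list fix. This is an added example written for this thread, not the dsi.php from dsitelecom.com; the function names, the pages/ directory and the page names are assumptions.

```php
<?php
// Added example (not the thread's dsi.php). Shows why a "file=" request
// parameter that reaches include() is a file inclusion bug, and one fix.

// VULNERABLE: the request parameter is spliced straight into include().
// If allow_url_include is On, ?file=http://some.host/script.txt makes PHP
// fetch and execute that remote script with the web server's privileges,
// which is how a remote "spam form" ends up injecting into the local mailq.
// Even with it Off, the parameter still lets a caller pick arbitrary local
// files (traversal, or a file they managed to upload), so it is never safe.
function show_page_vulnerable(string $file): void
{
    include 'pages/' . $file . '.php';   // DO NOT USE
}

// HARDENED: the parameter is only ever used as a key into a fixed map,
// so the string from the request never becomes part of a path or URL.
const PAGES = [
    'home' => 'pages/home.php',
    'rma2' => 'pages/rma2.php',     // assumed page name, as in the quoted URL
];

function resolve_page(string $file): ?string
{
    // Unknown keys yield null; no normalisation, no "fallback" to the input.
    return PAGES[$file] ?? null;
}

function show_page(string $file): void
{
    $path = resolve_page($file);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

show_page((string) ($_GET['file'] ?? 'home'));
```

Pair the code fix with php.ini settings that remove the remote half of the bug and the information leak Burkhard mentions: allow_url_include = Off and display_errors = Off (log errors to a file instead).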