Apache hacked - Hackers put mails via invalid URL

Discussion in 'Linux Networking' started by xmontero, Jun 3, 2008.

  1. xmontero

    xmontero Guest

    Hello all, my 1st post here.

    I have found my Linux box hacked. The hacker inserts hundreds/
    thousands of outgoing mails into my mailq.

    1) I clean the mailq
    2) mailq reports empty.
    3) tail -f /var/log/apache/error.log
    [I wait...]
    4) Suddenly in the logs I have:
    [Sun Jun 1 11:43:09 2008] [error] [client 64.151.82.172] File does
    not exist: /var/www/custom_www/dsitelecom.com/www/http://
    www.geocities.com/sam_osagie01/fire4fire.html
    [Sun Jun 1 11:44:14 2008] [error] [client 64.151.82.172] File does
    not exist: /var/www/custom_www/dsitelecom.com/www/http://
    www.geocities.com/sam_osagie01/fire4fire.html
    5) mailq reports hundreds of mails.

    I have accessed http://www.geocities.com/sam_osagie01/fire4fire.html
    and it seems to be a form with fields to do spam (content, from,
    destination list, etc.)

    I have looked at /var/www/custom_www/dsitelecom.com/www/ and the index
    is mine and there is no .htaccess which makes any kind of rewrites
    nor anything like this.

    I need to understand this in order to stop them coming in. My current
    method is to ban the attacking IP via iptables but of course when they
    use a different IP I'm violated again.

    Does anybody know how the devil is this working? How do they put
    outgoing-spam in my mailq?

    Thanks!
    Xavi.
     
    xmontero, Jun 3, 2008
    #1
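    The log lines above carry a recognisable footprint: a full URL glued onto the document root path, which is what a request like `?file=http://...` leaves behind. The following is an added example (not code from the thread or from the dsitelecom.com site) of a small PHP CLI scanner that parses Apache 2.x error-log lines of that shape and counts per client IP how many requests embedded a remote URL. The first two sample lines are taken from the post; the third is constructed as a benign 404 for contrast.

```php
<?php
// Added example (not from the thread): scan Apache error log lines for
// "File does not exist" entries whose path embeds a URL scheme, the
// footprint of a remote-file-inclusion attempt such as the one xmontero
// pasted. Sample lines are constructed from the shape shown in the post.

declare(strict_types=1);

// Constructed sample: two lines modelled on the post, one benign 404.
$sampleLog = <<<'LOG'
[Sun Jun 1 11:43:09 2008] [error] [client 64.151.82.172] File does not exist: /var/www/custom_www/dsitelecom.com/www/http://www.geocities.com/sam_osagie01/fire4fire.html
[Sun Jun 1 11:44:14 2008] [error] [client 64.151.82.172] File does not exist: /var/www/custom_www/dsitelecom.com/www/http://www.geocities.com/sam_osagie01/fire4fire.html
[Sun Jun 1 11:50:00 2008] [error] [client 192.0.2.10] File does not exist: /var/www/custom_www/dsitelecom.com/www/favicon.ico
LOG;

/**
 * Parse one Apache 2.0/2.2-style error log line.
 * Returns null for anything that is not a "File does not exist" entry.
 */
function parseErrorLine(string $line): ?array
{
    $re = '#^\[(?<ts>[^\]]+)\] \[error\] \[client (?<ip>[0-9a-fA-F.:]+)\] File does not exist: (?<path>\S+)#';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ts' => $m['ts'], 'ip' => $m['ip'], 'path' => $m['path']];
}

/**
 * A URL scheme in the middle of a filesystem path means the request URI
 * carried a remote URL (e.g. ?file=http://host/page). Apache may collapse
 * the double slash, so only "scheme:/" is required.
 */
function looksLikeRemoteInclude(string $path): bool
{
    return (bool) preg_match('#/(https?|ftp):/#i', $path);
}

/** Count suspicious requests per client IP, most active first. */
function suspiciousClients(string $log): array
{
    $counts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parseErrorLine($line);
        if ($entry === null || !looksLikeRemoteInclude($entry['path'])) {
            continue;
        }
        $counts[$entry['ip']] = ($counts[$entry['ip']] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

// Usage: php rfi_scan.php /var/log/apache/error.log
// With no argument the constructed sample above is scanned instead.
$input = $argc > 1 ? (string) file_get_contents($argv[1]) : $sampleLog;
foreach (suspiciousClients($input) as $ip => $n) {
    printf("%-15s %d remote-include attempt(s)\n", $ip, $n);
}
```

    Run against the sample, only 64.151.82.172 is reported, with two attempts; the favicon 404 is ignored. The output is a starting point for the iptables bans the poster is already applying, but the count of distinct source IPs it produces is also the quickest way to see that blocking addresses alone will not keep up.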

  2. Playing whack-a-mole with attackers is just an exercise in frustration.
    Take it off-line. Save anything that you cannot replace. Reinstall, with
    particular attention to security. Don't put it back on line until you
    know it's tight.
     
    John Thompson, Jun 3, 2008
    #2

  3. Unruh

    Unruh Guest

    Just to emphasise what he says. Your system has been cracked. They are
    sending the emails via a local user or they have hacked your
    sendmail/postfix/... so that it accepts forwarding.
     
    Unruh, Jun 3, 2008
    #3
  4. Chris Davies

    Chris Davies Guest

    Maybe there's a vulnerable script on his website that allows sending of
    arbitrarily addressed emails.

    Chris
     
    Chris Davies, Jun 3, 2008
    #4
  5. Burkhard Ott

    Burkhard Ott Guest

    On Mon, 02 Jun 2008 16:23:40 -0700, xmontero wrote:
    e.g.:
    http://www.dsitelecom.com/dsi.php?lang=esp&file=rma2
                                              ^^^^^^^^^^

    File inclusion, so they execute the geocities script on your server; it's
    also possible to mount a PHP shell.

    Fix your script and turn display errors off; that makes it a little harder
    to find your mistakes via Google.


    cheers
     
    Burkhard Ott, Jun 3, 2008
    #5
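    To make the fix Burkhard is asking for concrete, here is an added example in PHP that is not the thread's dsi.php: the include pattern he describes (a request parameter spliced straight into `include`) next to a hardened replacement that maps `lang` and `file` onto a fixed allowlist. The parameter names come from the URL he quotes; the page names, language codes and the `pages/` directory layout are assumptions made for the example.

```php
<?php
// Added example, not the dsi.php from the thread. Parameter names ($_GET['lang'],
// $_GET['file']) follow the quoted URL; page names, languages and PAGE_DIR are
// assumed for illustration.

declare(strict_types=1);

// --- Vulnerable shape: the request parameter decides what gets included.
// With allow_url_include=On (on PHP before 5.2, allow_url_fopen alone was
// enough) ?file=http://host/page makes PHP fetch and run remote code here.
function renderPageVulnerable(string $file, string $lang): void
{
    include $file . '.' . $lang . '.php';
}

// --- Hardened shape: untrusted input selects a key, never a path.
const PAGES = ['rma2' => 'rma2', 'home' => 'home', 'contact' => 'contact']; // assumed page names
const LANGS = ['esp', 'eng'];                                               // assumed languages
const PAGE_DIR = __DIR__ . '/pages';                                        // assumed layout

/** Resolve request parameters to a file under PAGE_DIR, or null if not allowlisted. */
function resolvePage(?string $file, ?string $lang): ?string
{
    if ($file === null || $lang === null) {
        return null;
    }
    if (!isset(PAGES[$file]) || !in_array($lang, LANGS, true)) {
        return null;
    }
    $path = PAGE_DIR . '/' . PAGES[$file] . '.' . $lang . '.php';

    // Belt and braces: the resolved file must exist and stay below PAGE_DIR.
    $real = realpath($path);
    $base = realpath(PAGE_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function renderPage(?string $file, ?string $lang): void
{
    $path = resolvePage($file, $lang);
    if ($path === null) {
        // Unknown page: a plain 404, no echo of the parameter values.
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

// Defence in depth in php.ini: allow_url_include = Off (PHP >= 5.2),
// allow_url_fopen = Off unless something genuinely needs it, and
// display_errors = Off so failed includes do not reveal paths, as the
// post above recommends.
renderPage($_GET['file'] ?? null, $_GET['lang'] ?? null);
```

    The key design choice is that request data only ever picks an entry in `PAGES` and `LANGS`; no string from the client reaches `include`. The `realpath` check is redundant once the allowlist holds, but it catches a later edit that reintroduces path building, and the php.ini settings mean that even a regression cannot pull code over the network.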
