Apache hacked - Hackers put mails via invalid URL

Discussion in 'Linux Networking' started by xmontero, Jun 3, 2008.

  1. xmontero

    xmontero Guest

    Hello all, my 1st post here.

    I have found my Linux box hacked. The hacker inserts hundreds/
    thousands of outgoing mails into my mailq.

    1) I clean the mailq
    2) mailq reports empty.
    3) tail -f /var/log/apache/error.log
    [I wait...]
    4) Suddenly in the logs I have:
    [Sun Jun 1 11:43:09 2008] [error] [client] File does
    not exist: /var/www/custom_www/dsitelecom.com/www/http://
    [Sun Jun 1 11:44:14 2008] [error] [client] File does
    not exist: /var/www/custom_www/dsitelecom.com/www/http://
    5) mailq reports hundreds of mails.

    I have accessed http://www.geocities.com/sam_osagie01/fire4fire.html
    and it seems a form with fields to do spam (content, from, destination
    list, etc)

    I have looked at /var/www/custom_www/dsitelecom.com/www/ and the index
    are mine and there is no .htaccess which makes any kind of rewrites
    nor anything like this.

    I need to understand this in order to stop them coming in. My current
    method is to ban the attacking IP via iptables, but of course when they
    use a different IP I'm violated again.

    Does anybody know how the devil is this working? How do they put
    outgoing-spam in my mailq?

    xmontero, Jun 3, 2008
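Added here as an illustration of the detection step in the question above; it is not code from the thread or from any of its posters. The script scans Apache error.log lines for the signature shown in the post (a "File does not exist" path whose tail is a URL scheme such as `http://`, which is what you see when a request hands a remote URL to a script that treats it as a local file name, the remote file inclusion pattern later replies point at) and tallies the hits per client IP. The sample log lines are constructed, modelled on the excerpt, with made-up client addresses because the original post had them stripped; the `iptables` commands it generates are only the stopgap the poster is already using, not a fix for the script itself.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the thread's error.log excerpt.
# The client IPs are made up (documentation ranges); the original had them removed.
SAMPLE_LOG = """\
[Sun Jun 1 11:43:09 2008] [error] [client 192.0.2.10] File does not exist: /var/www/custom_www/dsitelecom.com/www/http://
[Sun Jun 1 11:43:40 2008] [error] [client 192.0.2.10] File does not exist: /var/www/custom_www/dsitelecom.com/www/favicon.ico
[Sun Jun 1 11:44:14 2008] [error] [client 192.0.2.10] File does not exist: /var/www/custom_www/dsitelecom.com/www/http://
[Sun Jun 1 11:45:02 2008] [error] [client 198.51.100.7] File does not exist: /var/www/custom_www/dsitelecom.com/www/https://
[Sun Jun 1 11:46:30 2008] [error] [client 203.0.113.5] File does not exist: /var/www/custom_www/dsitelecom.com/www/robots.txt
[Sun Jun 1 11:47:11 2008] [error] [client] File does not exist: /var/www/custom_www/dsitelecom.com/www/http://
"""

# Apache 2.x error.log format from the thread. The client IP is optional so the
# redacted lines quoted in the post ("[client]") still parse.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client(?: (?P<ip>[^\]\s]+))?\] "
    r"File does not exist: (?P<path>.*)$"
)

# A *local* filesystem path that carries a URL scheme means the web server was
# asked for "/http://..." style input: a script parameter meant to hold a file
# name received a remote URL instead. We match "scheme:/" rather than "scheme://"
# so the check still fires if Apache collapsed the doubled slash.
SCHEME_RE = re.compile(r"(?:https?|ftps?):/", re.IGNORECASE)


def parse_line(line):
    """Return a dict with ts/ip/path for a 'File does not exist' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = rec["ip"] or "unknown"   # redacted or missing client address
    return rec


def is_rfi_probe(path):
    """True when a local path embeds a URL scheme (remote-inclusion probe signature)."""
    return SCHEME_RE.search(path) is not None


def rfi_probes_by_client(log_text, threshold=1):
    """Count probe hits per client IP, keeping only clients at or above threshold."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_rfi_probe(rec["path"]):
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


def iptables_block_commands(hits):
    """Render the poster's stopgap (drop the probing IPs) as shell command strings.

    Skips 'unknown' (redacted) clients. As the replies note, this is whack-a-mole;
    the durable fix is the script that includes attacker-supplied URLs.
    """
    return [
        f"iptables -I INPUT -s {ip} -j DROP"
        for ip in sorted(hits)
        if ip != "unknown"
    ]


if __name__ == "__main__":
    probes = rfi_probes_by_client(SAMPLE_LOG)
    for ip, n in sorted(probes.items()):
        print(f"{ip:<16} {n} probe(s)")
    for cmd in iptables_block_commands(probes):
        print(cmd)
```

Run it against a real log with `rfi_probes_by_client(open("/var/log/apache/error.log").read(), threshold=2)`; raising the threshold keeps a single stray request from being treated as an attacker. The more useful next step is to correlate the hits with the matching access.log entries, which show which script and query parameter received the URL.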
  2. Playing whack-a-mole with attackers is just an exercise in frustration.
    Take it off-line. Save anything that you cannot replace. Reinstall, with
    particular attention to security. Don't put it back on line until you
    know it's tight.
    John Thompson, Jun 3, 2008
  3. xmontero

    Unruh Guest

    Just to emphasise what he says. Your system has been cracked. They are
    sending the emails via a local user or they have hacked your
    sendmail/postfix/... so that it accepts forwarding.
    Unruh, Jun 3, 2008
  4. xmontero

    Chris Davies Guest

    Maybe there's a vulnerable script on his website that allows sending of
    arbitrarily addressed emails.

    Chris Davies, Jun 3, 2008
  5. xmontero

    Burkhard Ott Guest

    On Mon, 02 Jun 2008 16:23:40 -0700, xmontero wrote:

    File inclusion, so they execute the geocities script on your server; it's
    also possible to mount a PHP shell.

    Fix your script and turn display errors off; that makes it a little harder
    to find your mistakes via Google.

    Burkhard Ott, Jun 3, 2008
