[BlueOnyx:13976] Spam Attack Vector
Rodrigo Ordonez Licona
rordonez at xnet.com.mx
Sun Nov 3 20:25:39 -05 2013
Hope the people of this list will find this information useful.
We had a new spam attack this morning; our sendmail was flooded with emails
marked with the origin of apache. However, there was no PHP script related
at the time of the spam deliveries.
The culprit was a cron job executed from /tmp that inserted several hundred
emails into /var/spool/clientmqueue.
To find it we were able to see a cron job being run by the apache user, with
ps aux | grep apache
After that we searched /var/log/cron for traces of apache usage and we were
pointed to the /tmp/session_xxxx file.
From that file we got a date and time that we looked up in the
/var/log/httpd/access_log file
and found the culprit: an FTP user gave away the password and allowed an
attacker to upload such a file.
This is a 5106 Virtual Server. However, I think the apache user shouldn't be
able to install cron files.
To prevent the spam attack using cron, we recommend using this setting:
add apache to the file /etc/cron.deny so apache won't be allowed to use cron,
even if an attacker is able to obtain a valid user from your system.
Regards
Rodrigo O
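The checks described in the post above (cron log entries run by the apache user, commands living under /tmp, and the /etc/cron.deny mitigation), written up as a small POSIX shell audit helper. This is an added example and not code from the post or from the BlueOnyx project. The functions take the cron log and the cron.deny file as arguments so they can be pointed at the real /var/log/cron and /etc/cron.deny; the sample log lines, the host name vs1 and the path /tmp/.example_cron_job are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): helpers to spot cron jobs run
# by a web-server account and to apply the cron.deny mitigation.

# Print the commands a given system user has run through cron, taken from
# cronie/vixie-cron log lines of the form "CROND[pid]: (user) CMD (command)".
cron_cmds_for_user() {
    logfile="$1"; user="$2"
    grep -E "CROND\[[0-9]+\]: \($user\) CMD \(" "$logfile" \
        | sed -E 's/.*CMD \((.*)\)$/\1/'
}

# Same, but keep only commands that live in world-writable directories,
# which is where an upload via a stolen FTP/web account usually lands.
cron_cmds_in_tmp() {
    cron_cmds_for_user "$1" "$2" | grep -E '^(/tmp|/var/tmp|/dev/shm)/'
}

# Succeed if the user is already listed in cron.deny.
user_in_cron_deny() {
    denyfile="$1"; user="$2"
    [ -f "$denyfile" ] && grep -qx "$user" "$denyfile"
}

# Add the user to cron.deny exactly once (idempotent).
deny_cron_for_user() {
    denyfile="$1"; user="$2"
    user_in_cron_deny "$denyfile" "$user" || printf '%s\n' "$user" >> "$denyfile"
}

# Caveat: cron.deny is only consulted when cron.allow does not exist
# (cronie/vixie-cron semantics). Succeed if the deny list will be honoured.
cron_deny_is_honoured() {
    allowfile="$1"
    [ ! -f "$allowfile" ]
}

# --- Demonstration on constructed sample files ---------------------------
demo_dir=$(mktemp -d)
SAMPLE_LOG="$demo_dir/cron.log"
SAMPLE_DENY="$demo_dir/cron.deny"
SAMPLE_ALLOW="$demo_dir/cron.allow"   # deliberately never created

# Constructed stand-in for /var/log/cron; host and paths are made up.
cat > "$SAMPLE_LOG" <<'EOF'
Nov  3 06:10:01 vs1 CROND[2101]: (root) CMD (run-parts /etc/cron.hourly)
Nov  3 06:15:01 vs1 CROND[2130]: (apache) CMD (/tmp/.example_cron_job)
Nov  3 06:15:01 vs1 CROND[2131]: (apache) CMD (/tmp/.example_cron_job)
Nov  3 06:20:01 vs1 CROND[2140]: (backup) CMD (/usr/local/bin/backup.sh)
EOF
printf 'guest\n' > "$SAMPLE_DENY"   # constructed existing deny list

echo "cron commands run by apache from world-writable directories:"
cron_cmds_in_tmp "$SAMPLE_LOG" apache | sort | uniq -c
```

On a live BlueOnyx box, run `cron_cmds_in_tmp /var/log/cron apache` to look for the pattern described in the post, then `deny_cron_for_user /etc/cron.deny apache` to apply the mitigation, and check `cron_deny_is_honoured /etc/cron.allow` because an existing cron.allow makes cron.deny irrelevant. Also worth inspecting: `crontab -u apache -l` (as root) and the spool file /var/spool/cron/apache, which is where a crontab installed by the apache user would be stored.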