[BlueOnyx:15093] Re: Securing against invading spammers

webmaster webmaster at oldcabin.net
Sun Apr 6 01:44:20 -05 2014



If I understand this correctly the "hacked" user needs to have ssh 
access in order for this to potentially happen to them?

A regular web account with only ftp access (that has no ssh access) is 
not vulnerable?

Same with a regular email user (that has no ssh access). Not 
vulnerable correct?


Fortunately the only users with ssh access on my system are myself and 
my partner.

Ssh would be way over the heads of my hosting clients ;-)


I set

    AllowTCPForwarding no

in my /etc/ssh/sshd_config file per 
<http://www.rackaid.com/blog/spam-ssh-tunnel/> and it didn't break the 
box so... rock on and thanks for this tip!

> Your machine can be turned into a spam engine in multiple ways, but here's
> a fairly innovative twist that's very hard to pin down.
>
> I recommend everyone read the following:
>
> <http://www.rackaid.com/blog/spam-ssh-tunnel/>
>
> Yesterday, we had a user's password compromised, by what method is
> anyone's guess, but I suspect the user's home machine got a key-logger
> virus.  The result of this was we were unknowingly spewing spam for
> several hours before our mail server IP ended up on the Spamhaus CBL block
> list.  Our legitimate mail started bouncing back from lots of
> destinations, and that was the first clue something was wrong.
>
> The CBL list's information page gave a lot of good pointers on things to
> look for, but all of them assumed either script files being uploaded to
> the machine and triggered/run by web server access, or else a nasty ssh
> root-kit exploit.  After hours of sleuthing, digging through logs, running
> scans of the system for suspicious scripts, nothing significant was found.
> In fact, there was no evidence of the web server accessing any suspicious
> files at all, much less some script.
>
> The method used was to create an ssh-tunnel that redirects a host's port 25
> to a different port at the attacker's end.  Doing this is trivial, and
> is a normal, standard function of ssh...no hacking or corrupted ssh is
> needed.  Setting up the tunnel allows the attacker to spew mail through
> *your* machine with virtually no tracks.  The only thing that shows up in
> logs are what appear normal ssh logins in the auth/secure log files...the
> only suspicious part is where the logins originate.  The user ssh logins
> won't show in the 'last' wtmp file, since ssh access doesn't show up as an
> interactive login.  And bash command history is easily turned off.
>
> The method *does* require the attacker have a valid password for a user,
> so password security is, as always, important.  But from a local admin's
> perspective, there's nothing to insure somebody's password won't leak or
> be stolen from the user's own machine.
>
> Another shield against this sort of thing is to use iptables, or on some
> servers, features in the web admin pages to totally block access to port 25
> by users, but allowing access by 'mail', 'mailman', 'smtp' or whatever
> other user/group that the server's mail system uses.
>
> I hope this info might save somebody else the all-nighter I just pulled to
> get us off the block list.
>
> =^_^=  Tigerwolf
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>
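An added example (mine, not code from the thread or from BlueOnyx): a small POSIX shell helper that audits the AllowTcpForwarding setting the reply applied and builds the per-user port-25 rules the original post describes. The sample configs, the function names and the user names are constructed; the rules use the standard iptables owner match and are only echoed unless IPTABLES points at the real binary and you run it as root.

```shell
#!/bin/sh
# Added example, not from the thread: audit the sshd_config setting the
# reply applied, and build the per-user port-25 rules the original post
# describes. Sample configs, file paths and user names are constructed.

# Print the effective global AllowTcpForwarding value from a config file.
# sshd keywords are case-insensitive, the first occurrence wins, and the
# OpenSSH default when the keyword is absent is "yes". Lines below a
# "Match" block are skipped: they only apply conditionally.
sshd_tcp_forwarding() {
    awk '
        /^[ \t]*(#|$)/                      { next }          # comments, blanks
        tolower($1) == "match"              { in_match = 1 }
        in_match                            { next }
        tolower($1) == "allowtcpforwarding" && !found {
            print tolower($2); found = 1
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# Succeed only when forwarding is off, so a cron job or deploy can gate on it.
sshd_forwarding_disabled() {
    [ "$(sshd_tcp_forwarding "$1")" = "no" ]
}

# Apply (or, with IPTABLES=echo, just show) OUTPUT rules that let only the
# listed system users reach TCP/25. A tunnelled connection is opened by the
# post-auth sshd child running as the logged-in user, so it hits the final
# REJECT. Add the web server's user if PHP/CGI sends mail over SMTP.
restrict_port25_to() {
    : "${IPTABLES:=iptables}"
    for u in "$@"; do
        "$IPTABLES" -A OUTPUT -p tcp --dport 25 -m owner --uid-owner "$u" -j ACCEPT
    done
    "$IPTABLES" -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset
}

# Constructed sample configs for a stand-alone run.
hardened=$(mktemp)
printf 'Port 22\nallowtcpforwarding no\nMatch User backup\n  AllowTcpForwarding yes\n' > "$hardened"
defaults=$(mktemp)
printf 'Port 22\nPermitRootLogin no\n' > "$defaults"

sshd_tcp_forwarding "$hardened"   # no
sshd_tcp_forwarding "$defaults"   # yes (OpenSSH default applied)
IPTABLES=echo restrict_port25_to mail mailman
```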
