<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><br>
<br>
If I understand this correctly the "hacked" user needs to have
ssh access in order for this to potentially happen to them?<br>
<br>
A regular web account with only ftp access (that has no ssh
access) is not vulnerable? <br>
<br>
Same with a regular email user (that has no ssh access). Not
vulnerable correct? <br>
<br>
<br>
Fortunately the only users with ssh access on my system are myself
and my partner. <br>
<br>
Ssh would be way over the heads of my hosting clients ;-)<br>
<br>
<br>
I set <br>
<pre><code>AllowTCPForwarding no</code></pre>
in my <br>
<pre id="line1"><span><a class="attribute-value">/etc/ssh/sshd_config</a></span></pre>
file per <br>
<pre wrap=""><a class="moz-txt-link-rfc2396E" href="http://www.rackaid.com/blog/spam-ssh-tunnel/"><http://www.rackaid.com/blog/spam-ssh-tunnel/></a></pre>
and it didn't break the box so... rock on and thanks for this tip!<br>
<br>
<br>
<br>
<br>
<br>
<br>
</div>
<blockquote
cite="mid:Pine.LNX.4.53.1404031630180.23005@tiger.tigerden.com"
type="cite">
<pre wrap="">Your machine can be turned into a spam engine in multiple ways, but here's
a fairly innovative twist that's very hard to pin down.
I recommend everyone read the following:
<a class="moz-txt-link-rfc2396E" href="http://www.rackaid.com/blog/spam-ssh-tunnel/"><http://www.rackaid.com/blog/spam-ssh-tunnel/></a>
Yesterday, we had a user's password compromised, by what method is
anyone's guess, but I suspect the user's home machine got a key-logger
virus. The result of this was we were unknowingly spewing spam for
several hours before our mail server IP ended up on the Spamhaus CBL block
list. Our legitimate mail started bouncing back from lots of
destinations, and that was the first clue something was wrong.
The CBL list's information page gave a lot of good pointers on things to
look for, but all of them assumed either script files being uploaded to
the machine and triggered/run by web server access, or else a nasty ssh
root-kit exploit. After hours of sleuthing, digging through logs, running
scans of the system for suspicious scripts, nothing significant was found.
In fact, there was no evidence of the web server accessing any suspicious
files at all, much less some script.
The method used was to create an ssh-tunnel that redirects a hosts port 25
to a different port at at the attacker's end. Doing this is trivial, and
is a normal, standard function of ssh...no hacking or corrupted ssh is
needed. Setting up the tunnel allows the attacker to spew mail though
*your* machine with virtually no tracks. The only thing that shows up in
logs are what appear normal ssh logins in the auth/secure log files...the
only suspicious part is where the logins originate. The user ssh logins
won't show in the 'last' wtmp file, since ssh access dosen't show up as an
interactive login. And bash command history is easily turned off.
The method *does* require the attacker have a valid password for a user,
so password security is, as always, important. But from a local admin's
perspective, there's nothing to insure somebody's password won't leak or
be stolen from the user's own machine.
Another shield against this sort of thing is to use iptables, or on some
servers, features in the web admin pages to totally block access port 25
by users, but allowing access by 'mail', 'mailman', 'smtp' or whatever
other user/group that the server's mail system uses.
I hope this info might save somebody else the all-nighter I just pulled to
get us off the block list.
=^_^= Tigerwolf
_______________________________________________
Blueonyx mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Blueonyx@mail.blueonyx.it">Blueonyx@mail.blueonyx.it</a>
<a class="moz-txt-link-freetext" href="http://mail.blueonyx.it/mailman/listinfo/blueonyx">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a>
</pre>
</blockquote>
<br>
</body>
</html>