Steve Devine wrote:
All
We are seeing an influx of spam-laden web dirs in our afs cell.
These are dirs that our main web server serves out of our cell for the
students mostly.
Here is a sample:
http://www.msu.edu/~elizald2/viagra/order-viagra-overnight-delivery.html
I have disabled it, but you get the idea. This dir is chock-a-block full
of crap.

I believe this is the work of a bot that arrives initially to the
user via a spam email.
The bot then trolls through afs space (so the user is likely running
Windows with the client running), locates a user volume where the user
has (foolishly) set system:anyuser to all acls, and from there the bot
can install anything it wants in the user's web space and then send out
spamage referring to this web space.

Or this could be a compromised web server with an afs client running on
it.

For now we are just trolling through our cell and looking for user dirs
where system:anyuser = all and then taking appropriate action as needed.

I hope to get my hands on an email that refers to this space so maybe I
can track it back.

Any thoughts?
/sd

If you are interested in knowing where the files are coming from, turn
on audit logs on the file servers.  That will erase all doubts.

But let's make something absolutely clear.  If you have volumes that
permit system:anyuser to write to them, there does not have to be any
spam involved.  Any machine with any AFS client anywhere in the world
can write to the volume.  There is no need to send spam.

Jeffrey Altman
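The sweep Steve describes (finding user directories whose ACL gives system:anyuser more than read and lookup) can be scripted against the output of `fs listacl`. The following is an added example written for this archive page, not code from either poster or from OpenAFS; it assumes the usual `fs listacl` text layout (an "Access list for ... is" header, then "Normal rights:" and optional "Negative rights:" sections with one "principal rights" pair per line), and the sample outputs, paths and cell name `example.edu` are constructed. It treats any of the i, d, w, k or a rights granted to system:anyuser (net of negative rights) as world-writable, which is exactly the condition Jeffrey warns about: any AFS client anywhere can modify the directory.

```python
"""Flag AFS directories whose ACL grants system:anyuser more than read/lookup.

Parses the text printed by `fs listacl <dir>` (layout assumed here, see
lead-in).  The SAMPLE_* strings below are constructed for this example.
"""
import subprocess
from typing import Dict, Tuple

# Rights that let an arbitrary client change a directory's contents:
# i(nsert), d(elete), w(rite), k (lock) and a(dminister).
# r(ead) and l(ookup) are all a public web directory legitimately needs.
WRITE_RIGHTS = set("idwka")


def parse_listacl(output: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (normal, negative) maps of principal -> rights string."""
    normal: Dict[str, str] = {}
    negative: Dict[str, str] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Access list for"):
            continue
        if line == "Normal rights:":
            current = normal
        elif line == "Negative rights:":
            current = negative
        elif current is not None:
            principal, rights = line.split()
            current[principal] = rights
    return normal, negative


def anyuser_write_rights(output: str) -> str:
    """Write-type rights system:anyuser effectively has ('' if none)."""
    normal, negative = parse_listacl(output)
    granted = set(normal.get("system:anyuser", ""))
    denied = set(negative.get("system:anyuser", ""))
    return "".join(sorted((granted - denied) & WRITE_RIGHTS))


def is_world_writable(output: str) -> bool:
    """True when any AFS client anywhere could modify the directory."""
    return bool(anyuser_write_rights(output))


def check_directory(path: str) -> str:
    """Run `fs listacl` on a real AFS directory (needs an AFS client)."""
    result = subprocess.run(["fs", "listacl", path],
                            capture_output=True, text=True, check=True)
    return anyuser_write_rights(result.stdout)


# Constructed samples: an open web dir, a correctly restricted one, and one
# where negative rights cancel the overly generous normal entry.
SAMPLE_OPEN = """\
Access list for /afs/example.edu/user/alice/web is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwka
  alice rlidwka
"""

SAMPLE_SAFE = """\
Access list for /afs/example.edu/user/bob/web is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  bob rlidwka
"""

SAMPLE_NEGATED = """\
Access list for /afs/example.edu/user/carol/web is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwka
  carol rlidwka
Negative rights:
  system:anyuser idwka
"""

if __name__ == "__main__":
    for name, sample in (("alice/web", SAMPLE_OPEN),
                         ("bob/web", SAMPLE_SAFE),
                         ("carol/web", SAMPLE_NEGATED)):
        rights = anyuser_write_rights(sample)
        print(f"{name}: {'WORLD-WRITABLE ' + rights if rights else 'ok'}")
```

For a real sweep, feed `check_directory` each user's web directory (for example from `find /afs/<cell>/user -maxdepth 2 -type d`) and act on any non-empty result; the parser is kept separate from the `fs` call so it can be tested offline against captured output.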
