Jeffrey Altman wrote:
> Steve Devine wrote:
>> All
>> We are seeing an influx of spam-laden web dirs in our afs cell.
>> These are dirs that our main web server serve out of our cell for the
>> students mostly.
>> Here is a sample:
>> http://www.msu.edu/~elizald2/viagra/order-viagra-overnight-delivery.html
>> I have disabled it but you get the idea. This dir is chock-o-block full
>> of crap.
>>
>> I believe this is the work of a bot that arrives initially to the
>> user via a spam email.
>> The bot then trolls through afs space (so the user is likely running
>> windows with the client running) locates a user volume where the user
>> has (foolishly) set system:anyuser to all acls and from there the bot
>> can install anything it wants in the users web space and then send out
>> spamage referring to this web space.
>>
>> Or this could be a compromised web server with an afs client running on
>> it.
>>
>> For now we are just trolling through our cell and looking for user dirs
>> where system:anyuser = all and then taking appropriate action as needed.
>>
>> I hope to get my hands on an email that refers to this space so maybe I
>> can track it back.
>>
>> Any thoughts?
>> /sd
>
> If you are interested in knowing where the files are coming from turn
> on audit logs on the file servers. That will erase all doubts.

Ok does this require a fileserver restart?
I also worry about the size of the logs.

>
> But let's make something absolutely clear. If you have volumes that
> permit system:anyuser to write to it, there does not have to be any
> spam involved. Any machine with any AFS client anywhere in the world
> can write to the volume. There is no need to send spam.
>
> Jeffrey Altman
>
--
Steve Devine
Email & Storage
Academic Computing & Network Services
Michigan State University

313 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327

Baseball is ninety percent mental; the other half is physical.
- Yogi Berra
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
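
The cell-wide check described in the thread (finding directories where system:anyuser can change content), as an added example that is not part of the original messages or of OpenAFS. It parses `fs listacl` output and subtracts negative rights; the cell name, users and sample output are constructed, and `audit()` assumes the `fs` command is on PATH.

```python
import subprocess

RISKY = "idwa"  # insert, delete, write, administer: rights that change content
# Constructed sample of `fs listacl` output (hypothetical cell and users).
SAMPLE = """\
Access list for /afs/example.edu/user/alice/web is
Normal rights:
  system:anyuser rlidwka
  alice rlidwka

Access list for /afs/example.edu/user/bob/web is
Normal rights:
  system:anyuser rl

Access list for /afs/example.edu/user/carol/web is
Normal rights:
  system:anyuser rlid
Negative rights:
  system:anyuser i
"""

def parse_listacl(text):
    """Return {path: {"Normal": {who: rights}, "Negative": {who: rights}}}."""
    acls, path, section = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Access list for ") and line.endswith(" is"):
            path, section = line[16:-3], None
            acls[path] = {"Normal": {}, "Negative": {}}
        elif line in ("Normal rights:", "Negative rights:"):
            section = line.split()[0]
        elif path and section and " " in line:
            who, rights = line.rsplit(None, 1)
            acls[path][section][who] = set(rights)
    return acls

def world_writable(text, principal="system:anyuser"):
    """Map each path to the content-changing rights the principal still holds."""
    findings = {}
    for path, acl in parse_listacl(text).items():
        held = acl["Normal"].get(principal, set()) - acl["Negative"].get(principal, set())
        risky = "".join(r for r in RISKY if r in held)
        if risky:
            findings[path] = risky
    return findings

def audit(paths):
    # Assumption: OpenAFS client installed, `fs` on PATH, paths are AFS directories.
    out = subprocess.run(["fs", "listacl", "-path", *paths], capture_output=True, text=True)
    return world_writable(out.stdout)
```

Directories with only `rl` for system:anyuser are not reported, since read and lookup are what a public web directory normally needs.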
