Slashdot Mirror


Examining an Automated Spam Tool

Saint Aardvark writes "SecurityFocus has published an excellent column detailing how spammers r00ted an Apache server, and used it to send spam. The tool they used is (I hate to admit it) pretty sophisticated: it has macro capabilities, picks up email addresses from and reports success or failure to the master server. It's a very frightening read...and so is this: Message Labs reports that they now intercept 27 spam emails per second, up from 2 per second this time last year. Virus-created proxies are mainly to blame."

15 of 415 comments

  1. Spammers know what they're doing by bigberk · Score: 5, Informative

    Spam is profitable, and this is becoming a huge underground business. Spammers regularly compromise other systems and install sophisticated software to allow easier spamming. Here's a document that describes the link between spam and viruses

  2. Re:(Slightly OT) Apache R00ted?? by SuiteSisterMary · Score: 5, Informative

    No, and apache didn't get rooted, either. A poorly written PHP script did.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  3. Re:stupid gap in PHP... by james_orr · Score: 3, Informative

    That's no longer the default. Not sure what version changed it.

  4. Re:(Slightly OT) Apache R00ted?? by Wyzard · Score: 2, Informative

    Actually, nowhere does it say that root privilege was used at all -- the attack was against a PHP interpreter embedded in an Apache binary running as www-data, and it started a new process which also ran as www-data. The article summary is a bit misleading.

  5. spamtools by AeiwiMaster · Score: 5, Informative

    Hi

    I have made an eigenpoll
    to find the best spamtools.

    First you rank the tools you know,
    then it runs some data mining and finds the best tool.

    Right now the list looks like this:

    sa-exim
    Outclass
    Mail Scanner
    spamprobe
    POPFile
    SpamBayes
    SpamAssassin
    Vipul's Razor
    Blackmail
    bogofilter
    Infinospam
    Spamthis
    Shovel
    SpamBouncer
    Declude JunkMail
    spamhole

  6. Re:stupid gap in PHP... by justMichael · Score: 2, Informative

    Actually it's a stupid gap in admins and developers.

    You see Register Globals has been OFF by default since 4.2.0 which was released 22-Apr-2002.

    But yes it is a mess.

  7. how to fix the problem by Brandon+T. · Score: 5, Informative
    You can fix this problem by catching attempts to modify the $GEEKLOG_DIR file via get or post methods at the top of the gallery/classes/geeklog/User.php file. Insert this line:
    if (isset($_GET['GEEKLOG_DIR']) ||
        isset($_POST['GEEKLOG_DIR']) ||
        isset($_SESSION['GEEKLOG_DIR'])) {
        // Refuse any request that tries to supply GEEKLOG_DIR from outside.
        die('nice try buddy.');
    }
    The $GEEKLOG_DIR variable is actually set at the end of the gallery init file, so it should not be coming from any other directories. This is another example of why it's bad to leave register_globals on, as the whole problem could have been avoided otherwise.
    1. Re:how to fix the problem by James_G · Score: 3, Informative
      This is another example of why it's bad to leave register_globals on, as the whole problem could have been avoided otherwise.

      Except.. it wouldn't have, in this case at least. Gallery works with register_globals turned off, I just checked.. but then I noticed the code (this is in init.php if anyone wants to check):

      if (!$gallery->register_globals) {
          if (is_array($HTTP_GET_VARS)) {
              extract($HTTP_GET_VARS);   // every GET parameter becomes a variable
          }

          if (is_array($HTTP_POST_VARS)) {
              extract($HTTP_POST_VARS);  // every POST parameter becomes a variable
          }
      }

      The extract() function basically takes everything from the _GET and _POST arrays and dumps them straight into the appropriate variables, which is exactly what register_globals does. Whether it was turned on or off, you would still be able to pollute the $GEEKLOG_DIR variable via get/post. This is a pretty braindead piece of coding right here, and makes me a little worried about using gallery. I hope they plan to fix this in the future.
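
The following is an added example, not Gallery's code and not part of either comment above. It puts side by side the pattern James_G quotes (unconditional extract() of the request arrays, which re-creates register_globals regardless of the php.ini setting) and two ways of closing the hole that the parent comment's die() check is aimed at. The request array, the default directory value and all function names are constructed for illustration; the real request data would come from $_GET and $_POST.

```php
<?php
// Added example (not Gallery's own code): why extract() on request arrays is
// equivalent to register_globals, and how to avoid clobbering trusted variables.

// Constructed request for the example. In a real script this is $_GET / $_POST.
// The attacker supplies a key that happens to match an internal variable name.
$request = [
    'GEEKLOG_DIR' => 'http://attacker.example/',   // not a real host; illustration only
    'page'        => '2',
];

// Vulnerable pattern (the one quoted from init.php above): every request key is
// turned into a local variable, silently overwriting whatever was set before.
function vulnerable_init(array $get): string
{
    $GEEKLOG_DIR = '/var/www/geeklog/';   // trusted value set by the application
    extract($get);                        // attacker now controls $GEEKLOG_DIR
    return $GEEKLOG_DIR;
}

// Hardened pattern 1: if extract() must stay, refuse to overwrite variables that
// already exist. EXTR_SKIP keeps the application's value on a name collision.
function hardened_init_skip(array $get): string
{
    $GEEKLOG_DIR = '/var/www/geeklog/';
    extract($get, EXTR_SKIP);             // existing $GEEKLOG_DIR is kept
    return $GEEKLOG_DIR;
}

// Hardened pattern 2 (preferred): do not extract at all. Read only the request
// parameters the page actually expects, from an explicit whitelist, into an
// array that never shares a namespace with internal configuration variables.
function hardened_init_whitelist(array $get): array
{
    $allowed = ['page', 'sort'];          // hypothetical list of expected parameters
    $params  = [];
    foreach ($allowed as $key) {
        if (isset($get[$key])) {
            $params[$key] = (string) $get[$key];
        }
    }
    return $params;                       // 'GEEKLOG_DIR' never makes it through
}

echo "vulnerable:  ", vulnerable_init($request), "\n";
echo "EXTR_SKIP:   ", hardened_init_skip($request), "\n";
echo "whitelist:   ", json_encode(hardened_init_whitelist($request)), "\n";
```

Run it with the PHP command-line interpreter. The first line shows the request value replacing the application's directory setting; the second shows EXTR_SKIP preserving it; the third shows that with a whitelist the attacker-chosen key is simply never imported, which also means a later check such as the isset() guard from the parent comment becomes unnecessary rather than something each included file has to remember.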

  8. Re:stupid gap in PHP... by kisrael · Score: 2, Informative

    Guh...that previous comment was NOT flamebait and was NOT offtopic...if you RTFA, this misfeature of earlier versions of PHP is exactly the exploit used to hook into the system.

    Frickin' moderators, so many people are so quick on the negative triggers, and not in a helpful way.

    --
    SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
  9. Re:New protocol? by gfilion · Score: 2, Informative

    Also, I think the messages should be stored on the relay, with just a URL sent in the mail body. It would solve two problems:

    * The size of the message will be limited by the size of the sender's mailbox.
    * It will use more resources on the relay, and the admin should be less likely to run an open relay.

    This has already been proposed by Dan Bernstein: IM2000

  10. Re:New protocol? by quantum+bit · Score: 2, Informative

    There is. Check out SPF. It's simple, built on existing protocols (DNS), and 100% djb-free.

  11. Re:Not just "sounding better", he is correct usage by spaceyhackerlady · Score: 2, Informative

    Uh, no. Using "he" as a generic 3rd person pronoun is deprecated, and has been so for a long time. Though I cringe at the thought of women being spammers, and would hope that women would have more sense. :-)

    Note that both your references have notations about generic usage and the problems that arise.

    The least worst I've heard recently is singular "they".

    ...laura

  12. Hatred of DJB by ErikTheRed · Score: 2, Informative

    I haven't met the guy and tend to hold him in reasonably high regard based on what I've read of his writings on the Internet. That being said, he appears to be extremely opinionated and tends to say or imply that certain people that disagree with him are idiots. While this may be the case (or may not be; I have no idea, but I'll give djb the benefit of the doubt), his tendency to express himself so bluntly probably turns many people off.

    --

    Help save the critically endangered Blue Iguana
  13. Re:Questions for you Linux experts out there by Anonymous Coward · Score: 1, Informative

    1. No. A badly written PHP script was exploited to get the same access as the local user running the web server. (Note here that the web server used is irrelevant.) This is definitely not _rooted_, however.

    2. Any user can use chmod to change the permissions on their files. You can not, however, arbitrarily set ownership, which is good. Otherwise you could set a file setuid, then assign it the owner of root (which would be bad). Not being able to chmod would stop a lot of scripts from working (setting write access to data files, etc.).

    3. It's a good start, but that wasn't the problem here. It was bad, non-defensive programming, using the extract() function. See http://slashdot.org/comments.pl?sid=88632&cid=7675493

    4. You can do this using ifconfig if you like. Simply do an ifconfig every x time.
    Use the difference in the TX packets. There are useful network monitors about. For example KDE System Guard allows you to view the tx and rx Kb/sec rates in semi-realtime.

  14. Re:Questions for you Linux experts out there by CTachyon · Score: 2, Informative
    1. Technically no, the spammer never got root. The spambot was sending spam as an unprivileged user (the same one that Apache ran as), which is still plenty to run a spambot.
    2. Any user can chmod files that he/she/it owns, even to deny him/her/itself access and then chmod it back.
    3. In this case, apparently not, although it should be.
    4. There isn't anything built in at the command line to do it for you (at least, in any distro I'm aware of). You can kinda kludge it by reading /proc/net/dev, waiting 5 seconds, reading it again, and dividing the difference in bytes by 5. Hell, in fact, here's a Perl script I just knocked out to do it: bw-usage.pl. (You'll need Time::HiRes from CPAN; you can install it with perl -MCPAN -e 'install("Time::HiRes")' as root.)
    --
    Range Voting: preference intensity matters