Slashdot Mirror

← Back to Stories (view on slashdot.org)

Examining an Automated Spam Tool

Posted by michael on from the processed-meat dept.

Saint Aardvark writes "SecurityFocus has published an excellent column detailing how spammers r00ted an Apache server, and used it to send spam. The tool they used is (I hate to admit it) pretty sophisticated: it has macro capabilities, picks up email addresses from and reports success or failure to the master server. It's a very frightening read...and so is this: Message Labs reports that they now intercept 27 spam emails per second, up from 2 per second this time last year. Virus-created proxies are mainly to blame."

6 of 415 comments (clear)

  1. Spammers know what they're doing by bigberk · · Score: 5, Informative

    Spam is profitable, and this is becoming a huge underground business. Spammers regularly compromise other systems and install sophisticated software to allow easier spamming. Here's a document that describes the link between spam and viruses

  2. Re:(Slightly OT) Apache R00ted?? by SuiteSisterMary · · Score: 5, Informative

    No, and apache didn't get rooted, either. A poorly written PHP script did.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  3. Re:stupid gap in PHP... by james_orr · · Score: 3, Informative

    That's no longer the default. Not sure what version changed it.

  4. spamtools by AeiwiMaster · · Score: 5, Informative

    Hi

    I have made an eigenpoll
    to find the best spamtools.

    First ranking the tools you know,
    the it runs some data minning and find the best tool.

    Right now the list looks like.

    sa-exim
    Outclass
    Mail Scanner
    spamprobe
    POPFile
    SpamBayes
    SpamAssass in
    Vipul's Razor
    Blackmail
    bogofilter
    Infinospam
    Spamthis
    Shovel
    SpamBouncer
    Declude JunkMail
    spamhole

  5. how to fix the problem by Brandon+T. · · Score: 5, Informative
    You can fix this problem by catching attempts to modify the $GEEKLOG_DIR file via get or post methods at the top of the gallery/classes/geeklog/User.php file. Insert this line:
    if (isset($_GET['GEEKLOG_DIR']) ||
    isset($_POST['GEEKLOG_DIR'])||
    isset($_SESSION['GEEKLOG_DIR']))
    die('nice try buddy.');
    }
    The $GEEKLOG_DIR variable is actually set at the end of the gallery init file, so it should not be coming from any other directories. This is another example of why it's bad to leave register_globals on, as the whole problem could have been avoided otherwise.
    1. Re:how to fix the problem by James_G · · Score: 3, Informative
      This is another example of why it's bad to leave register_globals on, as the whole problem could have been avoided otherwise.

      Except.. it wouldn't have, in this case at least. Gallery works with register_globals turned off, I just checked.. but then I noticed the code (this is in init.php if anyone wants to check):

      if (!$gallery->register_globals) {
      if (is_array($HTTP_GET_VARS)) {
      extract($HTTP_GET_VARS);
      }

      if (is_array($HTTP_POST_VARS)) {
      extract($HTTP_POST_VARS);
      }

      The extract() function basically takes everything from the _GET and _POST arrays and dumps them straight into the appropriate variables, which is exactly what register_globals does. Whether it was turned on or off, you would still be able to pollute the $GEEKLOG_DIR variable via get/post. This is a pretty braindead piece of coding right here, and makes me a little worried about using gallery. I hope they plan to fix this in the future.