Re: Spam Problems

From: Robin Lynn Frank (no email)
Date: Mon May 16 2005 - 02:11:27 EDT

  • Next message: Damien Mascord: "Re: [OT] Quarantine notices"

    On Sun, 2005-05-15 at 21:34, /dev/rob0 wrote:
    > On Sunday 15 May 2005 11:44, Kevin Pang wrote:
    > > "Robin Lynn Frank" wrote:
    > > > There is a known exploit of all but the most recent Awstats that
    > > > can produce exactly this type of problem. There was a thread on
    > > > this list several months ago. Check the archives.
    > >
    > > Unfortunately I can't find any threads related with Awstats exploit.
    > > I didn't know Awstats could also be used as mail log analyzer and I use it
    > > for apache log only.
    >
    > And your spammer used it to send out some spew! Why are you thinking
    > that what YOU use awstats for would somehow make you safe from ...
    >
    > A Known Exploit of Awstats.
    >
    > You have been had. Take your HTTPD down right away. It's possible that
    > your spammer has shell access too ... and once there, root is usually
    > not far away.
    >
    > A friend of mine had awstats exploited just like this. Check it
    > COMPLETELY before you allow it on the Internet. It's possible (and not
    > unlikely) that you were not 0wn3d by this creature, but act on the
    > worst case assumption until proven otherwise.
    >
    > First things first! Stop your spew. Later, try to figure out what
    > happened ... but I assure you ... it was awstats!

    Unfortunately, there are many folks who set up servers and assume that
    if it is doing what they want, all is well. They never realize that it
    may be doing things they didn't want.

    The OP had a postfix configuration that imposed no access/relay
    restrictions and included a /24 in mynetworks that he did not own (I'm
    assuming this). Postfix sent and received mail. His web server handled
    his forums. He thought all was well.

    From my standpoint, the really scary part was that his ISP knew
    something was wrong before he did. IIRC, his config showed no
    readme_directory or html_directory. Glad to know folks are installing
    servers without documentation. :-(

    -- 
     Robin Lynn Frank - Director of Operations - Paradigm-Omega, LLC
    http://www.paradigm-omega.com/
    http://paradigm-omega.blogspot.com/
    http://paradigm-alpha.blogspot.com/
    =====================================================================
    Reasons your mail was rejected:
    499  email almost rejected permanently
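The two configuration weaknesses the reply describes (a trusted /24 in `mynetworks` that the operator does not own, and no relay restriction that rejects unauthorized destinations) are the classic recipe for an open relay, which is why a compromised web app on the same box could pump spam straight through Postfix. The following is an added example, not code from this thread or from the Postfix project: a small audit script that parses a `main.cf` fragment and flags both conditions. The two `main.cf` samples and the list of "owned" prefixes are constructed for illustration; the parameter names (`mynetworks`, `smtpd_recipient_restrictions`, `smtpd_relay_restrictions`, `reject_unauth_destination`) are real Postfix settings.

```python
"""Audit a Postfix main.cf fragment for the two relay weaknesses in the thread.

Added example (not from the mailing list or the Postfix project). The two
main.cf samples below are constructed; the "owned" prefix list is hypothetical.
"""
import ipaddress
import re

# Constructed sample resembling the OP's described setup: no relay restrictions
# and a /24 in mynetworks that the operator does not control (198.51.100.0/24).
WEAK_MAIN_CF = """
myhostname = mail.example.test
inet_interfaces = all
mynetworks = 127.0.0.0/8, 192.0.2.0/24, 198.51.100.0/24
"""

# Constructed corrected sample: only owned space is trusted, and relaying is
# denied for everything that is neither a local client nor SASL-authenticated.
FIXED_MAIN_CF = """
myhostname = mail.example.test
inet_interfaces = all
mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

# Hypothetical: the prefixes this operator actually owns.
OWNED_PREFIXES = ["192.0.2.0/24"]


def parse_main_cf(text):
    """Parse main.cf syntax: 'key = value', '#' comments, and continuation
    lines that start with whitespace. Returns a dict of parameter -> value."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, _, value = raw.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params


def audit(params, owned_prefixes):
    """Return a list of findings (empty list means both checks passed)."""
    findings = []
    owned = [ipaddress.ip_network(p) for p in owned_prefixes]

    # Check 1: every non-loopback network in mynetworks must lie inside space
    # the operator owns; anything else is a trusted relay client you don't control.
    for token in re.split(r"[,\s]+", params.get("mynetworks", "")):
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            findings.append(f"mynetworks: cannot parse {token!r}")
            continue
        if net.is_loopback:
            continue
        if not any(net.subnet_of(o) for o in owned if o.version == net.version):
            findings.append(f"mynetworks: {net} is outside the owned prefixes")

    # Check 2: relaying must be gated by reject_unauth_destination (or the
    # defer_ variant). Postfix 2.10+ reads smtpd_relay_restrictions first and
    # has a safe default for it; older releases only had
    # smtpd_recipient_restrictions, which is what the 2005 thread is about.
    if "smtpd_relay_restrictions" in params:
        gate = params["smtpd_relay_restrictions"]
        where = "smtpd_relay_restrictions"
    else:
        gate = params.get("smtpd_recipient_restrictions", "")
        where = "smtpd_recipient_restrictions"
    if not re.search(r"\b(reject|defer)_unauth_destination\b", gate):
        findings.append(f"{where}: no reject_unauth_destination, open relay on "
                        "Postfix releases without a safe smtpd_relay_restrictions default")
    return findings


def audit_text(text, owned_prefixes=OWNED_PREFIXES):
    """Convenience wrapper: parse and audit a main.cf string."""
    return audit(parse_main_cf(text), owned_prefixes)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(f"[{label}]")
        for finding in audit_text(cfg) or ["no findings"]:
            print("  " + finding)
```

Run it against your own `main.cf` (`audit_text(open("/etc/postfix/main.cf").read(), ["<your prefixes>"])`) and compare with `postconf -n`, since the live configuration may differ from the file you think is in use. The script reports, it does not modify anything; the fix is the corrected sample above, applied only after the host has been checked the way the reply insists on.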