Many, MANY apologies up front if I have sent this to the wrong place! I am inherently a software engineer who now gets to monitor a mail server (don't ask). Anyway, I get an email message from a user alerting me that we have been hacked by a spammer, and the mail message header is:

------------- Forwarded message follows -------------
X-Auth-No:
Return-Path: <web1.prosoundweb.com!www>
Received: from web1.prosoundweb.com [64.73.50.193] by compudox.com with Novonyx SMTP Server $Revision: 2.75.1.9 $; Wed, 10 Aug 2005 14:25:40 -0700 (PDT)
Received: from web1.prosoundweb.com (localhost.prosoundweb.com [127.0.0.1]) by web1.prosoundweb.com (8.13.3/8.13.3) with ESMTP id j7AJiZZF016410; Wed, 10 Aug 2005 14:47:04 -0500 (CDT) (envelope-from www@web1.prosoundweb.com)
Received: (from www@localhost) by web1.prosoundweb.com (8.13.3/8.13.3/Submit) id j7AINncm031958; Wed, 10 Aug 2005 13:23:49 -0500 (CDT) (envelope-from www)
To: webmaster@prosoundweb.com
Subject: All warez and porno in one place
Reply-to: webmaster@prosoundweb.com
From: webmaster@prosoundweb.com
Message-ID: <fe61f25929ecaf805cb30bb1beba7dc5@srforum.prosoundweb.com>
MIME-Version: 1.0
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 8bit
Date: Wed, 10 Aug 2005 13:23:49 -0500
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: PHP
X-MimeOLE: Produced By phpBB2
X-AntiAbuse: Board servername - srforum.prosoundweb.com
X-AntiAbuse: User_id - 2
X-AntiAbuse: Username - admin
X-AntiAbuse: User IP - 62.105.6.113

It appears that someone has hacked the www password. At least I think so, and here is where the questions start....

Am I correct in thinking that someone has hacked the www password and has used the phpBB2 functionality (forum nightmare) to send spam mail out? What can I do about it other than have the www password changed? If I change it, will this action at least deter the spammer? What else will changing the password affect?

Can anyone shoot me a URL / example / explanation of how to button up this hole?

THANK YOU, THANK YOU, THANK YOU in advance!

ken;
On Thu, Aug 11, 2005 at 09:32:22AM -0400, Ken Hawkins wrote:
> we have been hacked by a spammer
[snip]
> X-AntiAbuse: Board servername - srforum.prosoundweb.com

Ouch. You appear to be running a phpBB installation from 2002 (version 2.0.6). That's asking for trouble. A lot of exploits have been found in phpBB since that time, see http://www.phpbb.com/support/documents.php?mode=changelog and http://www.vuxml.org/freebsd/pkg-phpbb.html

There are lots of automated scripts running on already compromised machines that scan other machines for these vulnerabilities. Assuming that is how the spammer got in, there is no telling what he has done after that. You must assume that your machine has been fully compromised. The only way to know for sure that your machine is clean again is to build a new machine from scratch and transfer all your _non-executable_ data to it.

You _might_ be able to get away with identifying any and all processes, removing suspicious data from /tmp, /var/tmp and any other OS place, changing passwords on _all_ accounts (but especially sensitive ones like root, your own and www). But you might not find the one backdoor that the spammer left and then you're back to square one again. It's your choice.

To prevent this from happening, perform regular port updates and make sure to subscribe to the announcement list of high-profile publicly accessible software that you run.

Good luck.

--Stijn

-- 
A "No" uttered from deepest conviction is better and greater than a "Yes" merely uttered to please, or what is worse, to avoid trouble. -- Mahatma Gandhi
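An added example, not code from either poster: a small triage script that reads the headers the way Stijn's reply does, walking the Received: chain in delivery order and pulling out phpBB's X-AntiAbuse markers to show that the mail was submitted locally by the web-server user (the board generated it) rather than relayed from outside. The header sample is copied from Ken's post, trimmed to the lines the script inspects.

```python
import email
import re

# Headers copied from the forwarded message above, trimmed to the lines this
# triage inspects (sample input for the example).
RAW_HEADERS = """\
Received: from web1.prosoundweb.com [64.73.50.193] by compudox.com with
 Novonyx SMTP Server $Revision: 2.75.1.9 $; Wed, 10 Aug 2005 14:25:40 -0700 (PDT)
Received: from web1.prosoundweb.com (localhost.prosoundweb.com [127.0.0.1])
 by web1.prosoundweb.com (8.13.3/8.13.3) with ESMTP id j7AJiZZF016410;
 Wed, 10 Aug 2005 14:47:04 -0500 (CDT) (envelope-from www@web1.prosoundweb.com)
Received: (from www@localhost) by web1.prosoundweb.com (8.13.3/8.13.3/Submit)
 id j7AINncm031958; Wed, 10 Aug 2005 13:23:49 -0500 (CDT) (envelope-from www)
X-Mailer: PHP
X-AntiAbuse: Board servername - srforum.prosoundweb.com
X-AntiAbuse: User_id - 2
X-AntiAbuse: Username - admin
X-AntiAbuse: User IP - 62.105.6.113
"""

def unfold(value):
    """Join the folded continuation lines of a header into one line."""
    return re.sub(r"\s*\r?\n\s*", " ", value).strip()

def parse_received(value):
    """Extract the from/by/id fields of one Received: header (None if absent)."""
    value = unfold(value)
    found = {k: re.search(r"\b%s\s+([^\s;)]+)" % k, value) for k in ("from", "by", "id")}
    return {k: (m.group(1) if m else None) for k, m in found.items()}

def triage(raw_headers):
    """Summarise the delivery path and the phpBB markers of a message."""
    msg = email.message_from_string(raw_headers)
    # Each MTA prepends its own Received: line (newest first); reverse for delivery order.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    # phpBB stamps "X-AntiAbuse: <field> - <value>" on the mail it sends.
    abuse = {}
    for v in msg.get_all("X-AntiAbuse", []):
        key, _, val = unfold(v).partition(" - ")
        abuse[key.strip()] = val.strip()
    return {"hops": hops, "mailer": msg.get("X-Mailer"), "phpbb": abuse}

def web_app_originated(report):
    """True when the first hop is a local submission by the web-server user and
    phpBB's markers are present, i.e. the board itself generated the mail."""
    first = report["hops"][0] if report["hops"] else {}
    local = (first.get("from") or "").endswith("@localhost")
    return local and report["mailer"] == "PHP" and "Username" in report["phpbb"]

if __name__ == "__main__":
    r = triage(RAW_HEADERS)
    for h in r["hops"]:
        print("hop: from %(from)s by %(by)s id %(id)s" % h)
    print("phpBB account:", r["phpbb"], "| generated by the board:", web_app_originated(r))
```

The first hop ("from www@localhost ... /Submit") plus the X-AntiAbuse lines is the evidence Stijn reads: the spam was produced on the box by the web server running phpBB, so the fix is on the forum host, not on the relay.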