This weekend I came across a rather new method to send spam e-mails, at least new to me so far.
A shared hosting ftp account was abused (password probably gotten through a trojan) to send spam e-mails. That wouldn't be something surprising new, but the timely manner in which the script was uploaded and executed, is definitely worth mentioning it.
In the FTP logs I found the following entries:
Sat Sep 01 01:12:49 2012 0 126.96.36.199 408 /var/www/someweb/html/chk_mailto.php a _ i r someweb ftp 0 * c
Sat Sep 01 01:12:49 2012 0 188.8.131.52 408 /var/www/someweb/html/chk_mailto.php a _ d r someweb ftp 0 * c
Note that the file chk_mailto.php was uploaded AND deleted within the same second!
But before the file was deleted, it was executed by browser:
184.108.40.206 - - [01/Sep/2012:01:12:49 +0200] "GET /chk_mailto.php HTTP/1.1" 200 2 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
Due to the very short living time of the script, it is nearly impossible to find it. Additionally only a few spams are sent out (or are sent through open relay servers) which makes it difficult to trace it in the mail logs as well.
Update September 4th 2012:
Each time such an uploaded file was executed in browser, a new process called 'perl' was started on the server which created smtp connections to foreign webservers and continued to run in the background.
No comments yet.
Personal Internet VMware PHP Linux Shell Bluecoat Proxy Windows Hardware Virtualization Nagios MySQL DB Monitoring Mail Android Network Wyse Hacks Tomcat Postgres Apple Mac Backup BSD ZFS Solaris SmartOS Unix Multimedia Perl Database MongoDB CMS OTRS FreeBSD Wordpress LXC Nginx Proxmox DNS Graphics GlusterFS Security Chef HAProxy Icinga Ansible HTML MariaDB Containers Rancher Docker AWS ELK Kibana Logstash Filebeat Varnish PGSQL PostgreSQL ElasticSearch CouchDB Bash Macintosh Container Minio Grafana InfluxDB Databases NFS OSSEC SystemD Java Zoneminder Surveillance Elasticsearch SSL TLS Icingaweb2 Cloud Wireless Kubernetes Ubuntu