Header RSS Feed
 
If you only want to see the articles of a certain category, please click on the desired category below:
ALL Android Backup BSD Database Hacks Hardware Internet Linux Mail MySQL Monitoring Network Personal PHP Proxy Shell Solaris Unix Virtualization VMware Windows Wyse

Spam-Attacks (possibly Dark Mailer) through abused FTP account within 1s
Monday - Sep 3rd 2012 - by - (0 comments)

This weekend I came across a rather new method to send spam e-mails, at least new to me so far. 

A shared hosting ftp account was abused (password probably gotten through a trojan) to send spam e-mails. That wouldn't be something surprising new, but the timely manner in which the script was uploaded and executed, is definitely worth mentioning it.

In the FTP logs I found the following entries:

Sat Sep 01 01:12:49 2012 0 195.7.104.233 408 /var/www/someweb/html/chk_mailto.php a _ i r someweb ftp 0 * c
Sat Sep 01 01:12:49 2012 0 195.7.104.233 408 /var/www/someweb/html/chk_mailto.php a _ d r someweb ftp 0 * c

Note that the file chk_mailto.php was uploaded AND deleted within the same second!

But before the file was deleted, it was executed by browser:

195.7.104.233 - - [01/Sep/2012:01:12:49 +0200] "GET /chk_mailto.php HTTP/1.1" 200 2 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"

Due to the very short living time of the script, it is nearly impossible to find it. Additionally only a few spams are sent out (or are sent through open relay servers) which makes it difficult to trace it in the mail logs as well.

Update September 4th 2012:
Each time such an uploaded file was executed in browser, a new process called 'perl' was started on the server which created smtp connections to foreign webservers and continued to run in the background.

 

Add a comment

Show form to leave a comment

Comments (newest first):

No comments yet.

Go to Homepage home
Linux Howtos how to's
Monitoring Plugins monitoring plugins
Links links

Valid HTML 4.01 Transitional
Valid CSS!
[Valid RSS]

7367 Days
until Death of Computers
Why?