December 18, 2005

Why I hate spammers so

Filed under: Tech-Stuff — Chris @ 4:17 pm

Well, the black plague has begun to lift, and hopefully I’ll be able to blog a bit more. That being said, I just have to say I hate spammers.

Some of you may think that you know of the pain I speak of, but I say nay nay. I have to deal with spammers as the system administrator of Mission.net (a place for Returned Missionaries to look for companions, etc.). Not only do I have to fight the comment spam and the spam that I get in e-mail, but I also have to protect this host from being used to relay spam. Somehow the spammers seem to feel that their message is so important that it has to get to you somehow.

I was in the midst of rolling around on my couch, feeling sorry for myself, and making moaning noises (unfortunately, no one was around to be sympathetic, so those noises went to waste).

Anyway, after the second trip to the doctor's, I needed to check something on mission.net and found the following on the server:


total 2948
drwxr-xr-x 4 root root 4096 Dec 17 13:24 .
drwxr-x--- 19 root root 4096 Dec 18 15:47 ..
-rwxr--r-- 1 apache apache 33927 Dec 14 16:54 a
-rw-r--r-- 1 apache apache 33927 Dec 14 16:54 a.1
-rw-r--r-- 1 apache apache 33927 Dec 16 06:54 a.2
-rw-r--r-- 1 apache apache 33927 Dec 16 06:54 a.3
drwxr-xr-x 6 apache apache 4096 Dec 16 12:26 .access.log
-rw------- 1 root apache 53 Dec 4 22:58 apache
-rwxr-xr-x 1 apache apache 4172 Dec 3 09:58 cback
-rw-r--r-- 1 apache apache 4172 Dec 3 09:58 cback.1
-rw------- 1 apache apache 8405 Dec 6 14:23 impattI1aPTY
-rwxr-xr-x 1 apache apache 100 Dec 15 22:34 listen
-rw-r--r-- 1 apache apache 100 Dec 15 22:34 listen.1
-rw-r--r-- 1 apache apache 109 Dec 16 05:29 listen.2
-rw-r--r-- 1 apache apache 109 Dec 16 05:29 listen.3
-rw-r--r-- 1 apache apache 1406 Dec 16 09:16 listen.log
-rwxr--r-- 1 apache apache 462172 Dec 15 23:41 pin
-rw-r--r-- 1 apache apache 462172 Dec 15 23:41 pin.1
-rw-r--r-- 1 apache apache 462172 Dec 16 00:42 pin.2
-rw-r--r-- 1 apache apache 462172 Dec 16 00:42 pin.3
-rwxr--r-- 1 apache apache 462396 Dec 16 02:50 pini
-rw-r--r-- 1 apache apache 462396 Dec 16 02:50 pini.1
drwxr-xr-x 3 apache apache 4096 Nov 29 12:33 .test

For the few of you who aren’t hard core computer geeks: almost everything in this directory is owned by the apache user, which means it was written by a process running as the web server. Someone found an exploit in the webserver, used it to write these files, and has been getting them to run. The numbered copies (a.1, pin.2 and so on) have the same sizes as the originals and later timestamps, so the same binaries were dropped again on later days.

As I explore more, I head over to .access.log (the leading dot is a trick that crackers like to use: a plain ls skips dot-named entries, so the directory stays invisible unless you run ls -a or go looking for it). In this directory I find


httpd livezone log proc run y2kupdate
lang livezone.old motd psybnc.pid scripts
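The two listings above are the kind of thing you triage by hand once, and then want a script for. The following is an added example, not code from the original post: it parses `ls -la` output and flags the three things called out above, namely executables owned by the web-server user, dot-named directories, and same-size numbered copies of one binary. The web-server user name (`apache`) is taken from the listing; the sample listing embedded below is a constructed subset of the one on this page.

```python
"""Triage an `ls -la` listing for signs of a web-server compromise.

Added example, not from the original post. Flags executables owned by
the web-server user, hidden (dot-named) directories, and same-size
numbered copies of the same file.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the listing shown on the page.
SAMPLE_LISTING = """\
total 2948
drwxr-xr-x 4 root root 4096 Dec 17 13:24 .
drwxr-x--- 19 root root 4096 Dec 18 15:47 ..
-rwxr--r-- 1 apache apache 33927 Dec 14 16:54 a
-rw-r--r-- 1 apache apache 33927 Dec 14 16:54 a.1
-rw-r--r-- 1 apache apache 33927 Dec 16 06:54 a.2
drwxr-xr-x 6 apache apache 4096 Dec 16 12:26 .access.log
-rw------- 1 root apache 53 Dec 4 22:58 apache
-rwxr-xr-x 1 apache apache 4172 Dec 3 09:58 cback
-rw-r--r-- 1 apache apache 4172 Dec 3 09:58 cback.1
-rwxr--r-- 1 apache apache 462172 Dec 15 23:41 pin
-rw-r--r-- 1 apache apache 462172 Dec 15 23:41 pin.1
drwxr-xr-x 3 apache apache 4096 Nov 29 12:33 .test
"""

# mode, link count, owner, group, size, month, day, time, name
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<size>\d+)\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def parse_ls(listing):
    """Return (mode, owner, size, name) for each entry, skipping '.' and '..'."""
    entries = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if not m or m.group("name") in (".", ".."):
            continue
        entries.append((m.group("mode"), m.group("owner"),
                        int(m.group("size")), m.group("name")))
    return entries


def triage(listing, web_user="apache"):
    """Return findings keyed by category for a listing like the one above."""
    entries = parse_ls(listing)
    findings = {"web_user_executables": [], "hidden_dirs": [], "copies": []}
    by_size = defaultdict(list)
    for mode, owner, size, name in entries:
        is_dir = mode[0] == "d"
        executable = not is_dir and "x" in mode[1:4]  # owner execute bit set
        if owner == web_user and executable:
            findings["web_user_executables"].append(name)
        if is_dir and name.startswith("."):
            findings["hidden_dirs"].append(name)
        if not is_dir:
            by_size[size].append(name)
    # Several regular files of exactly the same size are usually re-dropped copies.
    for size, names in by_size.items():
        if len(names) > 1:
            findings["copies"].append((size, sorted(names)))
    findings["copies"].sort()
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LISTING).items():
        print(f"{category}: {items}")
```

Run it against `ls -la` output captured from the suspect directory (`ls -la /path | python3 triage.py` with a one-line tweak to read stdin); on a real box you would also compare the owner against whatever user the web server actually runs as, since it is not always `apache`.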

So these yo-yos are spamming crackers. The psybnc.pid and scripts entries identify psyBNC, an IRC bouncer: a proxy that keeps a persistent IRC connection open from this host so the attacker can work from it instead of from their own address. They get onto a machine, then use it to relay mail spam. Most of the time these hosts are sold on to spamming companies as relays.


Fri Dec 16 15:27:01 :Listener created :0.0.0.0 port 8520
Fri Dec 16 15:27:01 :psyBNC2.3.1-cBtITLdDMSNp started (PID :11515)
Fri Dec 16 15:27:01 :Loading all Users..
Fri Dec 16 15:27:01 :Bogus scripting Line in scripts/DEFAULT.SCRIPT Line 50: puthel"; echo PART "$P5"
Fri Dec 16 15:27:01 :Bogus scripting Line in scripts/DEFAULT.SCRIPT Line 53: puthel"; echo PART "$P5"
Fri Dec 16 15:27:01 :Bogus scripting Line in scripts/DEFAULT.SCRIPT Line 50: puthel"; echo PART "$P5"
Fri Dec 16 15:27:01 :Bogus scripting Line in scripts/DEFAULT.SCRIPT Line 53: puthel"; echo PART "$P5"
Fri Dec 16 15:27:06 :User ovidiu () trying helsinki.fi.eu.undernet.org port 6667 (www.mission.net).
Fri Dec 16 15:27:07 :User ovidiu () connected to helsinki.fi.eu.undernet.org:6667 (www.mission.net)
Fri Dec 16 15:27:07 :User ovidiu () got disconnected (from helsinki.fi.eu.undernet.org) Reason: Your host is trying to (re)connect too fast -- throttled
Fri Dec 16 15:27:21 :User senz () trying diemen.nl.eu.undernet.org port 6667 (www.mission.net).
Fri Dec 16 15:27:21 :User senz () connected to diemen.nl.eu.undernet.org:6667 (www.mission.net)
Fri Dec 16 15:27:21 :User senz () got disconnected (from diemen.nl.eu.undernet.org) Reason: Your host is trying to (re)connect too fast -- throttled
Fri Dec 16 15:27:36 :User ovidiu () trying diemen.nl.eu.undernet.org port 6667 (www.mission.net).
Fri Dec 16 15:27:36 :User ovidiu () connected to diemen.nl.eu.undernet.org:6667 (www.mission.net)
Fri Dec 16 15:27:36 :User ovidiu () got disconnected (from diemen.nl.eu.undernet.org) Reason: Your host is trying to (re)connect too fast -- throttled
Fri Dec 16 15:27:51 :User senz () trying lelystad.nl.eu.undernet.org port 6667 (www.mission.net).

You then see this program jumping onto IRC (Internet Relay Chat): the bouncer opens a listener on port 8520, and its users (ovidiu and senz) are pushed out to Undernet servers on port 6667 until the network throttles the host for reconnecting too fast. From there a user can start using this machine to relay spam. It also launches its own webserver and many other fun things that, well, just make me angry.
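A log like the one above is worth reducing to indicators before you archive it. The following is an added example, not code from the original post: it pulls the listener, the process id, the bouncer users, the IRC servers each user was connected to, and the throttle count out of psyBNC log lines in the format shown, and turns them into a short block list. The sample lines are constructed from the log quoted above; nothing here is taken from psyBNC's own source.

```python
"""Summarise a psyBNC log into incident-response indicators.

Added example, not from the original post. Parses the log format shown
on the page (listener, start line, connect and throttle events).
"""
import re
from collections import defaultdict

# Constructed sample taken from the log quoted on the page.
SAMPLE_LOG = """\
Fri Dec 16 15:27:01 :Listener created :0.0.0.0 port 8520
Fri Dec 16 15:27:01 :psyBNC2.3.1-cBtITLdDMSNp started (PID :11515)
Fri Dec 16 15:27:01 :Loading all Users..
Fri Dec 16 15:27:06 :User ovidiu () trying helsinki.fi.eu.undernet.org port 6667 (www.mission.net).
Fri Dec 16 15:27:07 :User ovidiu () connected to helsinki.fi.eu.undernet.org:6667 (www.mission.net)
Fri Dec 16 15:27:07 :User ovidiu () got disconnected (from helsinki.fi.eu.undernet.org) Reason: Your host is trying to (re)connect too fast -- throttled
Fri Dec 16 15:27:21 :User senz () trying diemen.nl.eu.undernet.org port 6667 (www.mission.net).
Fri Dec 16 15:27:21 :User senz () connected to diemen.nl.eu.undernet.org:6667 (www.mission.net)
Fri Dec 16 15:27:21 :User senz () got disconnected (from diemen.nl.eu.undernet.org) Reason: Your host is trying to (re)connect too fast -- throttled
Fri Dec 16 15:27:36 :User ovidiu () trying diemen.nl.eu.undernet.org port 6667 (www.mission.net).
"""

LISTENER = re.compile(r":Listener created :(?P<addr>\S+) port (?P<port>\d+)")
STARTED = re.compile(r":(?P<version>psyBNC\S+) started \(PID :(?P<pid>\d+)\)")
CONNECT = re.compile(r":User (?P<user>\S+) \(\) connected to (?P<server>[^:\s]+):(?P<port>\d+)")
THROTTLED = re.compile(
    r":User (?P<user>\S+) \(\) got disconnected \(from (?P<server>\S+)\) Reason: .*throttled")


def summarize_psybnc_log(text):
    """Return listener(s), pid, version, IRC servers per user and throttle count."""
    summary = {"listeners": [], "pid": None, "version": None,
               "servers_by_user": defaultdict(set), "throttled": 0}
    for line in text.splitlines():
        if m := LISTENER.search(line):
            summary["listeners"].append((m["addr"], int(m["port"])))
        elif m := STARTED.search(line):
            summary["version"], summary["pid"] = m["version"], int(m["pid"])
        elif m := CONNECT.search(line):
            summary["servers_by_user"][m["user"]].add(f'{m["server"]}:{m["port"]}')
        elif THROTTLED.search(line):
            summary["throttled"] += 1
    # Freeze the sets into sorted lists so the result is stable and printable.
    summary["servers_by_user"] = {u: sorted(s) for u, s in summary["servers_by_user"].items()}
    return summary


def indicators(summary):
    """Network indicators worth blocking on this host or hunting for on others."""
    servers = {entry.split(":")[0]
               for entries in summary["servers_by_user"].values() for entry in entries}
    return {"listen_ports": sorted(port for _, port in summary["listeners"]),
            "irc_servers": sorted(servers)}


if __name__ == "__main__":
    s = summarize_psybnc_log(SAMPLE_LOG)
    print(f'{s["version"]} pid {s["pid"]} listening on {s["listeners"]}')
    print(f'users: {s["servers_by_user"]}, throttled {s["throttled"]} times')
    print(indicators(s))
```

The pid and the listener port are the two things to check while the process is still alive (`netstat -lnp` for the port, `/proc/<pid>/exe` for the binary it was started from) before you kill it, since the binary on disk may already have been replaced by one of the numbered copies.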

After archiving all this data, I fixed the exploit they used, removed the cron job (a scheduler entry) and killed all the other processes being run by the webserver. I restarted the host, confirmed everything was working correctly, and I’ve been watching it ever since.

Right now, the host is getting *lots* of traffic from the remote users trying to use http to control the spamming software, but since it’s no longer around, they can no longer use it. So they are just eating up network sockets waiting.


tcp 0 0 mail.mission.net:http ip177-131.netcathost.:34522 TIME_WAIT -
tcp 0 0 mail.mission.net:http ip177-131.netcathost.:34521 TIME_WAIT -
tcp 0 0 mail.mission.net:http ip177-131.netcathost.:34520 TIME_WAIT -
tcp 0 0 www.mission.net:http cache02.nyc.untd.com:62834 TIME_WAIT -
warning, got duplicate tcp line.
tcp 0 0 mail.mission.net:http ip177-131.netcathost.:34515 TIME_WAIT -
tcp 0 0 mail.mission.net:http ip177-131.netcathost.:34514 TIME_WAIT -
tcp 0 0 mail.mission.net:http ip177-131.netcathost.:34513 TIME_WAIT -
tcp 0 0 mail.mission.net:http ip177-131.netcathost.:34512 TIME_WAIT -
tcp 0 0 www.mission.net:http egspd42114.ask.com:40794 TIME_WAIT -
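To turn that netstat output into something you can act on, group it by remote host and state. The following is an added example, not code from the original post: it reads the columns from the right so it also copes with a line whose protocol column got lost (as in the first line of the excerpt) and with output taken without `-p`, skips netstat's own warning lines, and reports remote hosts with more than a chosen number of sockets in one state. The threshold is an assumption for illustration; the sample is constructed from the excerpt above.

```python
"""Group netstat output by remote host and state.

Added example, not from the original post. Tolerates a missing protocol
column and the presence or absence of the PID/Program column.
"""
from collections import Counter

# Constructed sample from the netstat excerpt on the page.
SAMPLE_NETSTAT = """\
0 0 mail.mission.net:http ip177-131.netcathost.:34522 TIME_WAIT -
tcp 0 0 mail.mission.net:http ip177-131.netcathost.:34521 TIME_WAIT -
tcp 0 0 mail.mission.net:http ip177-131.netcathost.:34520 TIME_WAIT -
tcp 0 0 www.mission.net:http cache02.nyc.untd.com:62834 TIME_WAIT -
warning, got duplicate tcp line.
tcp 0 0 mail.mission.net:http ip177-131.netcathost.:34515 TIME_WAIT -
tcp 0 0 mail.mission.net:http ip177-131.netcathost.:34514 TIME_WAIT -
tcp 0 0 www.mission.net:http egspd42114.ask.com:40794 TIME_WAIT -
"""

TCP_STATES = {"ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2",
              "TIME_WAIT", "CLOSE", "CLOSE_WAIT", "LAST_ACK", "LISTEN", "CLOSING"}


def parse_netstat(text):
    """Return (local, remote_host, remote_port, state) tuples.

    The state column is located by value, and local/remote are the two
    columns before it, so a missing leading column does not shift them.
    """
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        state_idx = next((i for i in range(len(tokens) - 1, -1, -1)
                          if tokens[i] in TCP_STATES), None)
        if state_idx is None or state_idx < 2:
            continue  # netstat warnings, headers, blank lines
        local, remote, state = tokens[state_idx - 2], tokens[state_idx - 1], tokens[state_idx]
        host, _, port = remote.rpartition(":")
        rows.append((local, host, port, state))
    return rows


def count_by_remote(rows):
    """Counter keyed by (remote host, state)."""
    return Counter((host, state) for _, host, _, state in rows)


def noisy_hosts(rows, threshold=3):
    """Remote hosts with at least `threshold` sockets in any single state."""
    return sorted({host for (host, state), n in count_by_remote(rows).items()
                   if n >= threshold})


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for (host, state), n in count_by_remote(rows).most_common():
        print(f"{n:4d} {state:12s} {host}")
    print("noisy:", noisy_hosts(rows))
```

One caveat when reading the counts: a TIME_WAIT entry is a connection that has already been closed and lingers for a fixed timeout, so a pile of them from one host shows a client connecting and disconnecting in quick succession, not connections being held open. The hosts `noisy_hosts` returns are the ones to feed into a firewall rule, and the ask.com and untd.com entries are single hits that look like ordinary crawler and proxy traffic.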

You know, I have better things to do while sick than combatting spamming l0s3rs.
