Pardon the cross-posting.

---
Joshua Grubman
http://false.net
http://sarcastic.net
"note to self... no one cares"

---------- Forwarded message ----------
Date: Fri, 30 Apr 1999 10:18:47 -0400 (EDT)
From: Network Operations <netops@DN.NET>
To: spam-l@peach.ease.lsoft.com
Cc: abuse@DN.NET, jg@false.net
Subject: A new means of exploiting systems to relay UBE

Hi folks,

I've honestly been too busy to read the current threads in any detail, so if I'm addressing an issue which has already been discussed, please ignore me.

Lately we've come across an increasing number of reseller web machines where users have uploaded a set of CGIs with intent to exploit said machine as a spam engine. Since the scripts invoke sendmail locally, they are capable of delivering mail at an alarming rate. I will post these scripts at the end of this message.

This is particularly disturbing, as all of these servers have been configured with anti-relay rulesets, and many of our customers are not savvy enough to realize that this is NOT relay spam, or to track down the users who own the CGIs and terminate their accounts. This creates a HUGE problem for firms who offer colocation, hosting, or managed servers to web resellers. Since these scripts don't require telnet access, any bozo with a cgi-bin directory and an ftp account can turn a legitimate customer into a spamhaus. The resources required for a provider to log into a customer system (assuming they even have root!), disable an account, and educate thousands of web resellers as to why their ISP is making changes to their system make this issue even harder to address.

In the last few days we've come across three systems, each hosting a few hundred web users, where this software has been installed. On one of the systems, multiple instances of the software had been uploaded under various accounts.

I am attaching a tarred and gzipped copy of a cgi-bin directory containing this software. This was pulled directly from a reseller server.

The subscriber lists have been cleared out, and modifications have been made to the code to make it unusable. If you have a good working knowledge of Perl, you should pick through it. Be very afraid.

If anybody has any ideas as to how this can be stopped, please share them.

Thanks
-josh

Josh Grubman <joshg@dn.net>
Senior Systems Engineer
Manager, Abuse Coordination
---
Security & Abuse Coordination Team
digitalNATION Internet Services
http://www.dn.net / (703) 642 2800
DO NOT use this address for reporting problems!
uce & network abuse: abuse@dn.net
connectivity issues: noc@dn.net
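An added detection example, not part of Josh's message and not code from the tarball he attached: a Python audit script a hosting provider could run on a reseller box to find the kind of CGI the post describes. It walks each user's cgi-bin (the directory layout /home/<user>/public_html/cgi-bin is an assumption), flags scripts that pipe into the local sendmail binary or load a Perl SMTP module, and separately marks those that also loop over a recipient list, which is the shape of a bulk mailer rather than a one-off guestbook notification. The sample scripts it scans are constructed inline so the audit runs offline.

```python
"""Audit per-user cgi-bin directories for scripts that hand mail to the local MTA.
Assumed layout: <root>/<user>/public_html/cgi-bin/*  (an assumption, not the post's).
The Perl patterns below are heuristics for the style of CGI the post describes."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Signatures of a script that sends mail itself, bypassing anti-relay rulesets.
MAIL_PATTERNS = {
    "pipes into sendmail": re.compile(
        r"open\s*\(?\s*\w+\s*,\s*['\"]\|\s*\S*sendmail", re.I),
    "runs sendmail via system/exec": re.compile(
        r"\b(system|exec)\s*\(?\s*['\"]\S*sendmail", re.I),
    "uses a Perl SMTP/mail module": re.compile(
        r"\b(Net::SMTP|Mail::Sendmail|Mail::Send)\b"),
}
# A loop over something named like a recipient list: bulk-mailer shape.
LIST_LOOP = re.compile(r"\b(foreach|while)\b[^\n]*\b(list|addr|email|recip)", re.I)
BULK_REASON = "iterates over a recipient list"


def scan_script(path: Path) -> list[str]:
    """Return the reasons this script looks like a mailer (empty list if none)."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    reasons = [name for name, rx in MAIL_PATTERNS.items() if rx.search(text)]
    if reasons and LIST_LOOP.search(text):
        reasons.append(BULK_REASON)
    return reasons


def audit_cgi_bins(root: Path) -> dict[str, list[str]]:
    """Walk every <user>/public_html/cgi-bin under root; map script -> reasons."""
    findings: dict[str, list[str]] = {}
    for cgi_dir in root.glob("*/public_html/cgi-bin"):
        for script in cgi_dir.rglob("*"):
            if script.is_file() and script.suffix in (".cgi", ".pl", ""):
                reasons = scan_script(script)
                if reasons:
                    findings[script.relative_to(root).as_posix()] = reasons
    return findings


def bulk_mailers(findings: dict[str, list[str]]) -> list[str]:
    """Narrow the review queue to scripts that both send mail and loop over a list."""
    return sorted(p for p, reasons in findings.items() if BULK_REASON in reasons)


def build_sample_tree() -> Path:
    """Create a throwaway reseller-host tree with constructed sample CGIs."""
    root = Path(tempfile.mkdtemp(prefix="cgi-audit-"))
    samples = {
        # Constructed skeleton with the bulk-mailer shape; deliberately non-functional.
        "spammer/public_html/cgi-bin/mailer.cgi": (
            "#!/usr/bin/perl\n"
            "open(MAIL, \"|/usr/sbin/sendmail -t\") or die;\n"
            "foreach $addr (@list) { ... }\n"
        ),
        # Constructed guestbook: a single notification to the site owner, no loop.
        "honest/public_html/cgi-bin/guestbook.cgi": (
            "#!/usr/bin/perl\n"
            "open(MAIL, \"|/usr/sbin/sendmail -t\") or die;\n"
            "print MAIL \"To: owner\\@example.com\\n\";\n"
        ),
        # Constructed hit counter: sends no mail at all.
        "honest/public_html/cgi-bin/counter.cgi": "#!/usr/bin/perl\nprint \"hits\\n\";\n",
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    report = audit_cgi_bins(sample_root)
    for script_path, why in sorted(report.items()):
        print(f"{script_path}: {', '.join(why)}")
    print("review first:", bulk_mailers(report))
```

On a real host, call audit_cgi_bins(Path("/home")) and treat the output as a review queue, not proof: the guestbook above is flagged too, because it pipes into sendmail, and only the list-loop reason separates it from the mailer. Cross-checking the flagged accounts against per-user message counts in the MTA's log is the natural second step, since the post's point is that volume from a local sendmail invocation never shows up as a relay.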