Thanks for all the suggestions, everyone. The particular hack does not seem to use the mailserver, nor has it created any files in the /tmp directory. I have pored over the logs (mail and httpd) thoroughly, but I can't say they've really been a whole lot of help. I did try turning on suPHP, but that broke SquirrelMail also. There may be a configuration setting that can make that work; I'm still looking into it.
I did find one of my WordPress customers whose PHP settings allowed fopen and include, so I was able to lock that down. I also found several suspicious files in various users' directories, including some which appeared to execute strings of obfuscated code, and I removed all those. We don't appear to have had any new exploits in over 5 hours, but I am too nervous to relax about it yet!

Thank you,
Darren
ECPI Western Broadband
(512)257-1077
(254)213-6116 fax

-----Original Message-----
From: blueonyx-boun...@mail.blueonyx.it [mailto:blueonyx-boun...@mail.blueonyx.it] On Behalf Of blueonyx-requ...@mail.blueonyx.it
Sent: Tuesday, April 17, 2012 2:07 PM
To: blueonyx@mail.blueonyx.it
Subject: Blueonyx Digest, Vol 40, Issue 33

Today's Topics:

   1. [BlueOnyx:10150] Trojans and backdoors? (Darren Shea)
   2. [BlueOnyx:10151] Re: Trojans and backdoors? (Matthew Komar)
   3. [BlueOnyx:10152] PHPMyAdmin Export Limit (SB9-PageKeeper Service)
   4. [BlueOnyx:10153] Re: Trojans and backdoors? (SB9-PageKeeper Service)
   5. [BlueOnyx:10154] Re: Trojans and backdoors? (Chuck Tetlow)
   6. [BlueOnyx:10155] Re: PHPMyAdmin Export Limit (bob richards)
   7. [BlueOnyx:10156] Re: PHPMyAdmin Export Limit (SB9-PageKeeper Service)
   8. [BlueOnyx:10157] Re: Trojans and backdoors? (Michael Stauber)

------------------------------

Message: 8
Date: Tue, 17 Apr 2012 21:07:09 +0200
From: Michael Stauber <mstau...@blueonyx.it>
Subject: [BlueOnyx:10157] Re: Trojans and backdoors?
To: BlueOnyx General Mailing List <blueonyx@mail.blueonyx.it>
Message-ID: <201204172107.10011.mstau...@blueonyx.it>
Content-Type: Text/Plain; charset="utf-8"

Hi Darren,

> Our BlueOnyx system seems to have been compromised by some sort of
> php-based Trojan which is allowing spammers to send spam through the
> webserver. We're having a hard time tracking it down to a particular
> virtual site, and shutting off php for all users is not an option -
> besides the people using WordPress and shopping carts, the SquirrelMail
> interface breaks when php is shut off.

Yeah, the logfiles are usually your best bet at finding this. Also check the /tmp directory, as a lot of PHP-based exploits use a roundabout way to trick a vulnerable PHP script into downloading some code from somewhere into /tmp/ and then, in a second step, try to execute that code. The date and time stamps of such suspicious files in /tmp may give an idea as to when the attack happened, making it easier to find the right window of action in the logfiles.

Another option that helps with preventing and finding such exploits is to enable suPHP. This is for two reasons: suPHP adds another layer of security which can help to limit the effects of such exploits. But even if there is a glaring foul-up in one of your PHP scripts that still allows undesired access, the exploited scripts run as the user who owns the scripts. So the exploit files that the attackers managed to download to /tmp are owned by the siteAdmin or owner of the script in question, which already points you directly to the site in question. Additionally, emails sent by those PHP scripts show the owner of the script in the header of the emails, which again makes finding the culprit a really easy task.

If you want me to take a look, then please email me offlist with the details and I'll see what I can do.

-- 
With best regards

Michael Stauber
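The three checks the thread circles around (obfuscated PHP dropped into site directories, recently created files in /tmp with their owner and timestamp, and per-site settings that leave allow_url_fopen / allow_url_include switched on) as one triage script. This is an added example, not code from the thread or from the BlueOnyx project. It assumes a Linux host with GNU find, grep and stat (BlueOnyx is CentOS-based); the /home/.sites root in the usage line is an assumption about the BlueOnyx layout, and the indicator regex is a heuristic that will also flag legitimate code (caching plugins use gzinflate, for instance), so treat hits as leads, not verdicts.

```shell
#!/bin/sh
# Added example: post-compromise triage helpers for a shared PHP host.
# Assumes GNU find/grep/stat. Site root and file patterns are assumptions.

# Indicators of dropped or obfuscated PHP: eval of decoded blobs, gzinflate
# or str_rot13 wrappers, preg_replace with the /e modifier, and include or
# require of a remote URL. Heuristic; expect some false positives.
SUSPECT_RE="(eval|base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e['\"]|(include|require)(_once)?[[:space:]]*\(?[[:space:]]*['\"]https?://"

# scan_php_suspects DIR [DAYS]: PHP-ish files under DIR modified in the last
# DAYS days (default 7) whose content matches SUSPECT_RE. One line per hit:
# owner, mtime, path. Under suPHP the owner is the siteAdmin of the exploited
# site, which is what narrows the hunt to one virtual site.
scan_php_suspects() {
    find "$1" -type f -mtime -"${2:-7}" \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) -print 2>/dev/null |
    while IFS= read -r f; do
        if grep -qiE "$SUSPECT_RE" "$f" 2>/dev/null; then
            stat -c '%U %y %n' "$f"
        fi
    done
}

# scan_recent_files DIR [DAYS]: every file under DIR (meant for /tmp) changed
# in the last DAYS days, oldest first, with owner and mtime. The timestamps
# bound the window to search in the httpd and mail logs.
scan_recent_files() {
    find "$1" -type f -mtime -"${2:-7}" -print 2>/dev/null |
    while IFS= read -r f; do
        stat -c '%Y %U %y %n' "$f"
    done | sort -n | cut -d' ' -f2-
}

# scan_url_settings DIR: configuration under DIR that turns allow_url_fopen
# or allow_url_include on, either php.ini/.user.ini style or as Apache
# php_flag / php_admin_flag directives in .htaccess and vhost files.
# allow_url_include is the one that turns an unvalidated include() into
# remote code execution; allow_url_fopen widens what a script can fetch.
scan_url_settings() {
    grep -rEHin \
        "(allow_url_(fopen|include)[[:space:]]*=[[:space:]]*(on|1|true)|php_(admin_)?flag[[:space:]]+allow_url_(fopen|include)[[:space:]]+(on|1|true))" \
        "$1" 2>/dev/null
}

# Usage: sh phpsuspects.sh /home/.sites 7   (site root is an assumed path)
if [ -n "${1:-}" ]; then
    echo "== obfuscated PHP under $1 (last ${2:-7} days) =="
    scan_php_suspects "$1" "${2:-7}"
    echo "== recent files in /tmp =="
    scan_recent_files /tmp "${2:-7}"
    echo "== allow_url_* enabled under $1 =="
    scan_url_settings "$1"
fi
```

Run it as root so every site directory is readable, and keep the owner column: without suPHP everything a dropper writes is owned by the Apache user and the script tells you only that something happened, with suPHP the owner names the site. A file under /tmp owned by a site account is the strongest single lead the script can produce.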