We've seen a dozen or so instances of this over the past two months. The original problem was traced to a compromised host at CERN, but there have been recurrences since then.
I don't think it's an email attack; we've found .tar.gz files with the offending webpages that were left behind. They were also clearly done by someone who understood the username -> URL mapping on three different MIT webservers (web.mit.edu and stuff.mit.edu/www.mit.edu use different file-to-URL mapping schemes).

Alex

Steve Devine <[EMAIL PROTECTED]> writes:
> I believe this is the work of a bot that arrives initially to the
> user via a spam email.
> The bot then trolls through afs space (so the user is likely running
> windows with the client running) locates a user volume where the user
> has (foolishly) set system:anyuser to all acls and from there the bot
> can install anything it wants in the user's web space and then send out
> spamage referring to this web space.
>
> Or this could be a compromised web server with an afs client running on
> it.
>
> For now we are just trolling through our cell and looking for user dirs
> where system:anyuser = all and then taking appropriate action as needed.
>
> I hope to get my hands on an email that refers to this space so maybe I
> can track it back.
>
> Any thoughts?
> /sd
>
> --
> Steve Devine
> Email & Storage
> Academic Computing & Network Services
> Michigan State University
>
> 313 Computer Center
> East Lansing, MI 48824-1042
> 1-517-432-7327
>
> Baseball is ninety percent mental; the other half is physical.
> - Yogi Berra
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
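The cell-wide check described in the quoted message (finding user directories where system:anyuser holds modifying rights) can be scripted over saved `fs listacl` output. This is an added example, not code from either poster; the paths and user names in the sample are constructed, and the function name `risky_anyuser_dirs` is hypothetical.

```python
import re

# Constructed sample of `fs listacl` output for three directories.
SAMPLE = """\
Access list for /afs/example.edu/user/alice is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  alice rlidwka
Access list for /afs/example.edu/user/bob/www is
Normal rights:
  system:anyuser rlidwka
  bob rlidwka
Access list for /afs/example.edu/user/carol/www is
Normal rights:
  system:anyuser rlidwk
  carol rlidwka
Negative rights:
  system:anyuser idwk
"""

HEADER = re.compile(r"^Access list for (.+) is$")
RISKY = set("idwa")  # insert, delete, write, administer

def risky_anyuser_dirs(listacl_output, principal="system:anyuser"):
    """Map each path to the modifying rights `principal` effectively holds."""
    acls, path, section = {}, None, None
    for raw in listacl_output.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            path, section = m.group(1), None
            acls[path] = {"normal": set(), "negative": set()}
        elif line in ("Normal rights:", "Negative rights:"):
            section = line.split()[0].lower()
        elif path and section:
            parts = line.split()
            if len(parts) == 2 and parts[0] == principal:
                acls[path][section] |= set(parts[1])
    findings = {}
    for p, acl in acls.items():
        # Negative rights subtract from whatever the normal entry grants.
        effective = (acl["normal"] - acl["negative"]) & RISKY
        if effective:
            findings[p] = "".join(sorted(effective))
    return findings

if __name__ == "__main__":
    for p, rights in risky_anyuser_dirs(SAMPLE).items():
        print(f"{p}: system:anyuser can modify ({rights})")
```

Only the directory granting rlidwka with no negative entry is reported; the read-only ACL and the one whose modifying rights are cancelled by negative rights are not.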