
Re: we were attacked

On Sat, Apr 08, 2006 at 04:33:08PM +0300, Juha-Matti Tapio wrote:
> On Sat, Apr 08, 2006 at 03:21:05PM +0200, Marek Podmaka wrote:
> > So what it is? People (no, they aren't hackers :) try to use your resources
> > for their "actions". These scripts are mainly irc bots waiting for commands
> > and can perform actions like googling for other vulnerable servers, doing
> > udpflood and so on. So part of the solution is to block port 6667 in
> > firewall :) 
> I think in most situations it is best to block all outgoing connections and
> open those that are necessary. This will make most attacks very difficult.
> > Solutions (please contribute if you have any ideas):
> > 1) /tmp noexec, better also /var/tmp (not useful if evil executes "perl
> > /tmp/.evilscript")
> Also /dev/shm.
> > 4) use wrapper for emails - I have one which includes special headers to
> > mails sent from php, I'm going to modify it to support limits on no. of
> > mails sent in timeframe
> I hope you share this.

Here's an example of such a wrapper:



#!/usr/bin/env python3
# Called by PHP as "sendmail-secure CLIENTDOMAIN": reads the message on stdin,
# inserts tracing headers before the first blank line, then hands it to sendmail.
import subprocess
import sys

domain = sys.argv[1]

data = b""
header = True
for line in sys.stdin.buffer:
    if line == b"\n" and header:
        # The first blank line ends the header block: add our headers before it.
        data += b"X-Complaints-To: abuse@YOURDOMAINHERE\n"
        data += b"X-Abuse-Info: Please be sure to forward a copy of ALL headers\n"
        data += b"X-Abuse-Info: Otherwise we will be unable to process your complaint\n"
        data += ("X-Domain: %s\n" % domain).encode()
        header = False
    data += line

# Just make all e-mail come from webmaster@ the domain. That address _should_
# always be defined. Pass the arguments as a list so the domain never reaches
# a shell, then feed the re-headered message to sendmail and return its status.
proc = subprocess.Popen(
    ["/usr/sbin/sendmail", "-t", "-i", "-f", "webmaster@" + domain],
    stdin=subprocess.PIPE,
)
proc.communicate(data)
sys.exit(proc.returncode)


Just make sure it is called instead of the standard sendmail script by adding
a line like 

  php_admin_value sendmail_path "/usr/local/bin/sendmail-secure CLIENTDOMAIN"

to your apache configuration.

Hope this helps,

Pong.be         -(       Writing software is more fun than working.        )-
Virtual hosting -(                                                         )-
http://pong.be  -(                                                         )-
GnuPG public key: http://gpg.dtype.org
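The per-domain send limit that item 4 of the quoted list anticipates, as an added example (not code from this post or from pong.be): a file-backed sliding-window counter the wrapper could call before invoking sendmail. The function name allow_send, the state directory /var/spool/php-mail, and the one-hour / 100-message policy are assumptions.

```python
import fcntl
import os
import time

WINDOW_SECONDS = 3600   # assumed policy: count sends per domain over one hour
MAX_PER_WINDOW = 100    # assumed policy: refuse the 101st send in that window
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789.-")

def allow_send(domain, state_dir, now=None, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
    """Record one send for `domain` and return True, or return False (recording
    nothing) when `limit` sends already happened in the last `window` seconds.
    State is one file per domain under `state_dir`, one timestamp per line."""
    now = time.time() if now is None else now
    # The domain comes from the admin-written sendmail_path, but refuse anything
    # that could name a file outside state_dir (or an empty/odd name) anyway.
    safe = domain.lower()
    if not safe or safe.strip(".") != safe or not set(safe) <= ALLOWED:
        return False
    path = os.path.join(state_dir, safe + ".sent")
    with open(path, "a+") as f:
        # Exclusive lock: concurrent PHP requests on one vhost must not race.
        fcntl.flock(f, fcntl.LOCK_EX)
        f.seek(0)
        stamps = [float(x) for x in f.read().split()]
        recent = [t for t in stamps if now - t < window]   # drop expired entries
        if len(recent) >= limit:
            return False
        recent.append(now)
        f.seek(0)
        f.truncate()
        f.write("".join("%.3f\n" % t for t in recent))
        return True

if __name__ == "__main__":
    # Hook for the wrapper: exit non-zero so PHP's mail() reports failure.
    import sys
    state = sys.argv[2] if len(sys.argv) > 2 else "/var/spool/php-mail"  # assumed path
    ok = allow_send(sys.argv[1], state)
    sys.exit(0 if ok else 75)   # 75 = EX_TEMPFAIL, conventional for "try again later"
```

A refused send is not recorded, so a domain that keeps hammering the wrapper does not push its own window forward; the state file shows exactly when the limit was hit, which is the evidence to look at when a vhost starts spamming.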