Re: we were attacked
On Sat, Apr 08, 2006 at 04:33:08PM +0300, Juha-Matti Tapio wrote:
> On Sat, Apr 08, 2006 at 03:21:05PM +0200, Marek Podmaka wrote:
> > So what is it? People (no, they aren't hackers :) try to use your resources
> > for their "actions". These scripts are mainly irc bots waiting for commands
> > and can perform actions like googling for other vulnerable servers, doing
> > udpflood and so on. So part of the solution is to block port 6667 in
> > firewall :)
>
> I think in most situations it is best to block all outgoing connections and
> open those that are necessary. This will make most attacks very difficult.
>
> > Solutions (please contribute if you have any ideas):
> > 1) /tmp noexec, better also /var/tmp (not useful if evil executes "perl
> > /tmp/.evilscript")
>
> Also /dev/shm.
>
> > 4) use wrapper for emails - I have one which includes special headers to
> > mails sent from php, I'm going to modify it to support limits on no. of
> > mails sent in timeframe
>
> I hope you share this.
Here's an example of such a wrapper:
-----------------------------------------------------------
#!/usr/bin/python
import sys
import subprocess

# Read the message PHP hands us on stdin and splice our own headers in at the
# end of the header block (the first empty line marks where the body begins).
data = ""
l = sys.stdin.readline()
header = 1
while l:
    if l == "\n" and header == 1:
        data += "X-Complaints-To: abuse@YOURDOMAINHERE\n"
        data += "X-Abuse-Info: Please be sure to forward a copy of ALL headers\n"
        data += "X-Abuse-Info: Otherwise we will be unable to process your complaint\n"
        data += "X-Domain: %s\n\n" % sys.argv[1]
        header = 0
    else:
        data += l
    l = sys.stdin.readline()

# Just make all e-mail come from webmaster@ the domain. That address _should_
# always be defined. (subprocess replaces the old popen2 module; passing an
# argument list keeps the domain from going through a shell. Python 2 code:
# under Python 3, encode data to bytes before writing it.)
p = subprocess.Popen(['/usr/sbin/sendmail', '-t', '-i', '-f', 'webmaster@' + sys.argv[1]],
                     stdin=subprocess.PIPE)
p.communicate(data)
----------------------------------------------------------
Just make sure it is called instead of the standard sendmail script by adding
a line like
php_admin_value sendmail_path "/usr/local/bin/sendmail-secure CLIENTDOMAIN"
to your apache configuration.
Hope this helps,
Ward.
--
Pong.be -( Writing software is more fun than working. )-
Virtual hosting -( )-
http://pong.be -( )-
GnuPG public key: http://gpg.dtype.org
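The rate-limited variant Marek mentions (a cap on the number of mails per domain in a timeframe), as an added example that is neither Ward's nor Marek's code: the header stamping is kept, and the wrapper refuses to send once a domain has exceeded a sliding-window limit. The state file path, the 100-per-hour policy and the wrapper name are assumptions.

```python
#!/usr/bin/env python3
# Hypothetical sendmail wrapper: stamps abuse headers and enforces a per-domain
# sending limit within a sliding time window (the feature Marek describes).
import json
import subprocess
import sys
import time

SENDMAIL = "/usr/sbin/sendmail"
STATE = "/var/lib/sendmail-secure/counts.json"   # assumed location of the counter file
LIMIT, WINDOW = 100, 3600                         # constructed policy: 100 mails per hour

def stamp_headers(raw, domain, abuse="abuse@YOURDOMAINHERE"):
    """Insert the abuse headers just before the blank line that ends the header block."""
    head, sep, body = raw.partition("\n\n")
    if not sep:                  # no blank line at all: treat the whole input as headers
        head, body = raw.rstrip("\n"), ""
    extra = ("X-Complaints-To: %s\nX-Abuse-Info: Please be sure to forward a copy "
             "of ALL headers\nX-Domain: %s\n") % (abuse, domain)
    return head + "\n" + extra + "\n" + body

def allowed(counts, domain, now, limit=LIMIT, window=WINDOW):
    """Sliding-window check; updates counts (domain -> timestamps) in place for persisting."""
    recent = [t for t in counts.get(domain, []) if now - t < window]
    ok = len(recent) < limit
    if ok:
        recent.append(now)
    counts[domain] = recent
    return ok

def main(argv):
    domain = argv[1]
    try:
        with open(STATE) as f:
            counts = json.load(f)
    except (IOError, ValueError):
        counts = {}
    if not allowed(counts, domain, time.time()):
        sys.stderr.write("sendmail-secure: limit reached for %s, mail dropped\n" % domain)
        return 75                # EX_TEMPFAIL; PHP's mail() reports the failure
    with open(STATE, "w") as f:  # no file locking here; add fcntl.flock on busy hosts
        json.dump(counts, f)
    msg = stamp_headers(sys.stdin.read(), domain)
    p = subprocess.Popen([SENDMAIL, "-t", "-i", "-f", "webmaster@" + domain],
                         stdin=subprocess.PIPE)
    p.communicate(msg.encode())
    return p.returncode

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Hooked in the same way as Ward's script (sendmail_path pointing at it with the client domain as argument), a runaway PHP mailer stops after the configured quota instead of flooding the queue, and the dropped sends show up on stderr in the web server's error log.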