Re: we were attacked

To: Juha-Matti Tapio <jmtapio@verkkotelakka.net>
Cc: debian-isp@lists.debian.org
Subject: Re: we were attacked
From: Ward Vandewege <ward@pong.be>
Date: Sat, 8 Apr 2006 09:50:58 -0400
Message-id: <[🔎] 20060408135058.GB31962@io.pong.be>
In-reply-to: <[🔎] 20060408133308.GQ606@verkkotelakka.net>
References: <[🔎] 44367C04.6030609@tau.org.ar> <[🔎] 002101c65b0f$4d43e4d0$6501a8c0@emea.hpqcorp.net> <[🔎] 20060408133308.GQ606@verkkotelakka.net>

On Sat, Apr 08, 2006 at 04:33:08PM +0300, Juha-Matti Tapio wrote:
> On Sat, Apr 08, 2006 at 03:21:05PM +0200, Marek Podmaka wrote:
> > So what it is? People (no, they aren't hackers :) try to use your resources
> > for their "actions". These scripts are mainly irc bots waiting for commands
> > and can perform actions like googling for other vulnerable servers, doing
> > udpflood and so on. So part of the solution is to block port 6667 in
> > firewall :) 
> 
> I think in most situations it is best to block all outgoing connections and
> open those that are necessary. This will make most attacks very difficult.
> 
> > Solutions (please contribute if you have any ideas):
> > 1) /tmp noexec, better also /var/tmp (not useful if evil executes "perl
> > /tmp/.evilscript")
> 
> Also /dev/shm.
> 
> > 4) use wrapper for emails - I have one which includes special headers to
> > mails sent from php, I'm going to modify it to support limits on no. of
> > mails sent in timeframe
> 
> I hope you share this.

Here's an example of such a wrapper:

-----------------------------------------------------------

#!/usr/bin/python

import sys
from popen2 import popen2

data = ""
l = sys.stdin.readline()
header = 1
while l:
  if l == "\n" and header == 1:
    data += "X-Complaints-To: abuse@YOURDOMAINHERE\n"
    data += "X-Abuse-Info: Please be sure to forward a copy of ALL headers\n"
    data += "X-Abuse-Info: Otherwise we will be unable to process your complaint\n"
    data += "X-Domain: %s\n\n" % sys.argv[1]
    header = 0
  else:
    data += l
  l = sys.stdin.readline()

# Just make all e-mail come from webmaster@ the domain. That address _should_
# always be defined.
(out, s) = popen2('/usr/sbin/sendmail -t -i -f webmaster@' + sys.argv[1])
s.write(data)
s.close()

----------------------------------------------------------

Just make sure it is called instead of the standard sendmail script by adding
a line like 

  php_admin_value sendmail_path "/usr/local/bin/sendmail-secure CLIENTDOMAIN"

to your apache configuration.

Hope this helps,
Ward.

-- 
Pong.be         -(       Writing software is more fun than working.        )-
Virtual hosting -(                                                         )-
http://pong.be  -(                                                         )-
GnuPG public key: http://gpg.dtype.org

Reply to:

Follow-Ups:
- Re: we were attacked
  - From: Craig Sanders <cas@taz.net.au>

References:
- we were attacked
  - From: danilo lujambio <danilo@tau.org.ar>
- RE: we were attacked
  - From: "Marek Podmaka" <marki@onee.sk>
- Re: we were attacked
  - From: Juha-Matti Tapio <jmtapio@verkkotelakka.net>

Prev by Date: Re: we were attacked
Next by Date: Re: we were attacked
Previous by thread: Re: we were attacked
Next by thread: Re: we were attacked
Index(es):
- Date
- Thread