Posted to users@spamassassin.apache.org by Samuel Krieg <sk...@wng.ch> on 2007/07/05 12:02:42 UTC

Spoofed URI's or fake websites ?

Hi

I'm receiving some spam with links like
http://www.somewebsite.tld/image.htm (the filename may differ, e.g.
join.htm or shop.htm). The URI redirects to another viagra website.

But the somewebsite.tld looks like a normal site (I'm pretty sure it is).

Some examples :
http://www.apnalounge.com/shop.htm

http://www.tvoftheabsurd.com/join.htm

I need to understand how it works. Is the hosting server being abused? Any ideas/solutions?

Thank you.

-- 
Samuel Krieg



Re: Spoofed URI's or fake websites ?

Posted by Matt Kettler <mk...@verizon.net>.
Samuel Krieg wrote:
> Jeff Chan wrote:
>>
>>
>> The web sites are apparently cracked.  The servers need to be cleaned
>> and
>> secured.  If they are windows do an fdisk, format, etc.
>>
>> Jeff C.
>>
>
> Hi,
>
> Thanks for your answer. You confirm my thoughts.
>
> By the way, I contacted ThePlanet some time ago about such websites. The
> redirection has been cleaned up and the websites are still online.
>
> PS: I'm not talking about my servers. They are healthy and running
> Linux :-)

Both of the cracked servers you mentioned are Apache/Unix based.

tvoftheabsurd: Apache/1.3.36 (Unix) PHP/4.4.2 mod_ssl/2.8.27 OpenSSL/0.9.7e
apnalounge: Apache/1.3.34 (Unix) mod_ssl/2.8.25 OpenSSL/0.9.7e PHP/4.4.2
FrontPage/5.0.2.2510


It doesn't matter what platform you run on, if you run exploitable code
on your server, it is exploitable. tvoftheabsurd is running an
exploitable version of wordpress (2.2), and apnalounge is probably
running some other exploitable PHP code.




Re: Spoofed URI's or fake websites ?

Posted by Jeff Chan <je...@surbl.org>.
Quoting Samuel Krieg <sa...@wng.ch>:

> I wrote this because of Jeff's phrase.
>
> > If they are windows do an fdisk, format, etc.
>
> I think it's important to work on the OS that you know how to configure,
> secure and manage. Whatever system it is. I did not want to praise any
> system.
>
> I remain paranoid and monitor system logs, SMTP queries and network
> activity as well as I can.

Windows machines are notoriously difficult to fully clean.  That's why many
people end up reformatting the hard disk on them.

As Matt pointed out, at least two of the compromised machines are Linux, so it's
certainly good to have strict security policies, keep programs fully patched,
etc., regardless of what OS one runs.

Jeff C.

Re: Spoofed URI's or fake websites ?

Posted by Samuel Krieg <sa...@wng.ch>.
I wrote this because of Jeff's phrase.

> If they are windows do an fdisk, format, etc.

I think it's important to work on the OS that you know how to configure, secure and manage. Whatever system it is. I did not want to praise any system.

I remain paranoid and monitor system logs, SMTP queries and network activity as well as I can.

Regards.
-- 
Sam


Re: Spoofed URI's or fake websites ?

Posted by Phil Barnett <ph...@philb.us>.
On Thursday 05 July 2007 06:47, Samuel Krieg wrote:

> Thanks for your answer. You confirm my thoughts.
>
> By the way, I contacted ThePlanet some time ago about such websites. The
> redirection has been cleaned up and the websites are still online.
>
> PS: I'm not talking about my servers. They are healthy and running Linux
> :-)

Don't think that this can't happen to a Linux based server.

I've had both Coppermine and Geeklog compromised in the last month with phish 
sites. Fortunately, it was simple to see and secure the path on the 
Coppermine, which was letting new users have picture posting rights, but I 
never did figure out how they got in on Geeklog, so it's now banned from my 
server.

-- 
Phil Barnett
AI4OF
SKCC #600

Re: Spoofed URI's or fake websites ?

Posted by Samuel Krieg <sk...@wng.ch>.
Jeff Chan wrote:
> Quoting Samuel Krieg <sk...@wng.ch>:
> 
>> Hi
>>
>> I'm receiving some spam with links like
>> http://www.somewebsite.tld/image.htm ( filename may differ like
>> join.htm  or shop.htm ). The uri redirects to another viagra website.
>>
>> But the somewebsite.tld looks like a normal site (I'm pretty sure it is).
>>
>> Some examples :
>> http://www.apnalounge.com/shop.htm
>>
>> http://www.tvoftheabsurd.com/join.htm
>>
>> I need to understand how it works. Is the hosting server being abused? Any
>> ideas/solutions?
> 
> 
> The web sites are apparently cracked.  The servers need to be cleaned and
> secured.  If they are windows do an fdisk, format, etc.
> 
> Jeff C.
> 

Hi,

Thanks for your answer. You confirm my thoughts.

By the way, I contacted ThePlanet some time ago about such websites. The redirection has been cleaned
up and the websites are still online.

PS: I'm not talking about my servers. They are healthy and running Linux :-)

-- 
Samuel Krieg


Re: Spoofed URI's or fake websites ?

Posted by Jeff Chan <je...@surbl.org>.
Quoting Samuel Krieg <sk...@wng.ch>:

> Hi
>
> I'm receiving some spam with links like
> http://www.somewebsite.tld/image.htm ( filename may differ like
> join.htm  or shop.htm ). The uri redirects to another viagra website.
>
> But the somewebsite.tld looks like a normal site (I'm pretty sure it is).
>
> Some examples :
> http://www.apnalounge.com/shop.htm
>
> http://www.tvoftheabsurd.com/join.htm
>
> I need to understand how it works. Is the hosting server being abused? Any
> ideas/solutions?


The web sites are apparently cracked.  The servers need to be cleaned and
secured.  If they are windows do an fdisk, format, etc.

Jeff C.

Re: Spoofed URI's or fake websites ?

Posted by Matt Kettler <mk...@verizon.net>.
Samuel Krieg wrote:
> Hi
>
> I'm receiving some spam with links like
> http://www.somewebsite.tld/image.htm ( filename may differ like
> join.htm  or shop.htm ). The uri redirects to another viagra website.
>
> But the somewebsite.tld looks like a normal site (I'm pretty sure it is).
>
> Some examples :
> http://www.apnalounge.com/shop.htm
>
> http://www.tvoftheabsurd.com/join.htm
>
> I need to understand how it works. Is the hosting server being
> abused? Any ideas/solutions?

Odds are good they are being abused. Looking at tvoftheabsurd's main page they've got a PHP wordpress 2.2 login page. Wordpress has been known to have exploits in the past.

Ahh, yes. Here's one for WP 2.2:
	http://www.securityfocus.com/bid/24344
Oh, and another that allows arbitrary file upload:
	http://www.securityfocus.com/bid/24642

That latter one is probably how the redirect page got uploaded.



apnalounge.com also makes extensive use of PHP and seems to have a lot of "cobbled together" code. Nothing jumps out at me, but I'd again not be surprised to find out some part is exploitable.

>
> Thank you.
>
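A defender-side check for the symptom this thread describes, an otherwise normal site serving dropped .htm pages that bounce visitors to a pharmacy domain. This is an added example, not code from the list or from any poster; the webroot, file names and hostnames it builds are constructed for the demo, and the list of "own" hostnames is an assumption the operator would fill in.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# The two common ways a dropped .htm page bounces a visitor elsewhere:
# an HTML meta refresh and a JavaScript location assignment.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*url\s*=\s*["\']?([^"\'>\s]+)',
    re.IGNORECASE)
JS_REDIRECT = re.compile(
    r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def redirect_targets(html):
    """Return every redirect URL (relative or absolute) found in an HTML document."""
    return [m.group(1) for pat in (META_REFRESH, JS_REDIRECT) for m in pat.finditer(html)]


def scan_webroot(root, own_hosts):
    """Walk a webroot and report (relative path, host) for .htm/.html files
    that redirect to a host outside own_hosts (the site's legitimate names).
    Relative redirects have no hostname and are ignored."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(('.htm', '.html')):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                html = fh.read()
            for target in redirect_targets(html):
                host = urlparse(target).hostname
                if host and host not in own_hosts:
                    findings.append((os.path.relpath(path, root), host))
    return findings


def demo():
    """Build a constructed webroot: one clean page plus two dropped redirect
    pages named like the ones in the spam, then scan it."""
    root = tempfile.mkdtemp()
    pages = {  # constructed sample content, not taken from any real site
        'index.html': '<html><body><a href="/about.html">About</a></body></html>',
        'shop.htm': '<meta http-equiv="refresh" content="0; url=http://pills.example/">',
        'join.htm': '<script>window.location.href = "http://pharma.example/buy";</script>',
    }
    for name, body in pages.items():
        with open(os.path.join(root, name), 'w') as fh:
            fh.write(body)
    return scan_webroot(root, {'www.example.org'})
```

Run it over a real document root with the site's own hostnames in `own_hosts`; any hit is a page worth comparing against the site's known content, and its mtime points at when the drop happened.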