[OpenAFS] Is anyone else seeing this:

Steve Devine sd@msu.edu
Sat, 01 Mar 2008 11:25:16 -0500


All
We are seeing a influx of spam laded web dirs in our afs cell.
These are dirs that our main web server serve out of our cell for the
students mostly.
Here is a sample:
http://www.msu.edu/~elizald2/viagra/order-viagra-overnight-delivery.html
I have disabled it but you get the idea,. This dir is chock-o-block full
of crap.

I believe this is the work of a bot that arrives initially to the the
user via a spam email.
The bot then trolls through afs space (so the user is likely running
windows with the client running) locates a user volume where the user
has (foolishly) set system:anyuser to all acls and from there the bot
can install anything it wants in the users web space and then send out
spamage refering to this web space.

Or this could be a compromised  web server with an afs client running on
it.

For now we are just trolling through our cell and looking for user dirs
where system:anyuser = all and then taking appropriate action as needed.

I hope to get my hands on a email that refers to this space so maybe I
can track it back.

Any thoughts?
/sd

-- 
Steve Devine
Email & Storage
Academic Computing & Network Services
Michigan State University

313 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327

Baseball is ninety percent mental; the other half is physical.
- Yogi Berra