[OpenAFS] Is anyone else seeing this:

Steve Devine sd@msu.edu
Sat, 01 Mar 2008 12:00:07 -0500


Jeffrey Altman wrote:
> Steve Devine wrote:
>> All
>> We are seeing a influx of spam laded web dirs in our afs cell.
>> These are dirs that our main web server serve out of our cell for the
>> students mostly.
>> Here is a sample:
>> http://www.msu.edu/~elizald2/viagra/order-viagra-overnight-delivery.html
>> I have disabled it but you get the idea,. This dir is chock-o-block full
>> of crap.
>>
>> I believe this is the work of a bot that arrives initially to the the
>> user via a spam email.
>> The bot then trolls through afs space (so the user is likely running
>> windows with the client running) locates a user volume where the user
>> has (foolishly) set system:anyuser to all acls and from there the bot
>> can install anything it wants in the users web space and then send out
>> spamage refering to this web space.
>>
>> Or this could be a compromised  web server with an afs client running on
>> it.
>>
>> For now we are just trolling through our cell and looking for user dirs
>> where system:anyuser = all and then taking appropriate action as needed.
>>
>> I hope to get my hands on a email that refers to this space so maybe I
>> can track it back.
>>
>> Any thoughts?
>> /sd
>
> If you are interested in knowing where the files are coming from turn
> on audit logs on the file servers.  That will erase all doubts.
Ok does this require a fileserver restart? I also worry about the size
of the logs.
>
> But lets make something absolutely clear.  If you have volumes that
> permit system:anyuser to write to it, there does not have to be any
> spam involved.  Any machine with any AFS client anywhere in the world
> can write to the volume.  There is no need to send spam.
>
> Jeffrey Altman
>


-- 
Steve Devine
Email & Storage
Academic Computing & Network Services
Michigan State University

313 Computer Center
East Lansing, MI 48824-1042
1-517-432-7327

Baseball is ninety percent mental; the other half is physical.
- Yogi Berra