[OpenAFS] Is anyone else seeing this:
Sat, 01 Mar 2008 11:28:11 CST
We had a case recently of a poorly-written user's cgi-bin
program (in perl, of course) which could be tricked into
dropping files. Curiously, it used dirs with
system:anyuser write access in another school's cell
for its spammy files (and just that one school's,
as far as I know).
This was really pretty odd -- it seemed to indicate
a knowledge of AFS that I wouldn't expect the usual
weenie-pill-spammer to have.
We have since pulled all other cells out of our
user cgi-bin machine's CellServDB file.
> We are seeing an influx of spam-laden web dirs in our afs cell.
> These are dirs that our main web server serves out of our cell for the
> students mostly.
> Here is a sample:
> I have disabled it but you get the idea. This dir is chock-a-block full
> of crap.
> I believe this is the work of a bot that arrives initially to the
> user via a spam email.
> The bot then trolls through afs space (so the user is likely running
> windows with the client running) locates a user volume where the user
> has (foolishly) set system:anyuser to all acls and from there the bot
> can install anything it wants in the user's web space and then send out
> spamage referring to this web space.
> Or this could be a compromised web server with an afs client running on
> For now we are just trolling through our cell and looking for user dirs
> where system:anyuser = all and then taking appropriate action as needed.
> I hope to get my hands on an email that refers to this space so maybe I
> can track it back.
> Any thoughts?
> Steve Devine
> Email & Storage
> Academic Computing & Network Services
> Michigan State University
> 313 Computer Center
> East Lansing, MI 48824-1042
> Baseball is ninety percent mental; the other half is physical.
> - Yogi Berra
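
An added example, not part of either message: a shell/awk filter for the sweep described in the quoted message. It reads `fs listacl` output on stdin and reports directories where system:anyuser effectively holds insert, delete, write or administer rights. The cell path and user names in the sample are constructed.

```shell
# Usage against a live cell: fs listacl DIR [DIR ...] | flag_anyuser_write
# Prints "<dir><TAB><effective anyuser rights>" for each directory at risk.
flag_anyuser_write() {
    awk '
        # Report the directory just parsed if anonymous clients can modify it.
        function report(   i, c, eff) {
            eff = ""
            for (i = 1; i <= length(pos); i++) {
                c = substr(pos, i, 1)
                if (index(neg, c) == 0) eff = eff c   # negative rights revoke
            }
            if (dir != "" && eff ~ /[idwa]/) printf "%s\t%s\n", dir, eff
            pos = ""; neg = ""
        }
        /^Access list for / {
            report()
            dir = $0
            sub(/^Access list for /, "", dir); sub(/ is$/, "", dir)
            section = ""; next
        }
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        $1 == "system:anyuser" && section == "normal"   { pos = $2 }
        $1 == "system:anyuser" && section == "negative" { neg = $2 }
        END { report() }
    '
}

# Constructed sample of fs listacl output (made-up cell and users).
sample_listacl() {
    cat <<'EOF'
Access list for /afs/example.edu/user/alice/web is
Normal rights:
  system:anyuser rlidwka
Access list for /afs/example.edu/user/bob/web is
Normal rights:
  system:anyuser rl
Access list for /afs/example.edu/user/carol/drop is
Normal rights:
  system:anyuser rli
Negative rights:
  system:anyuser i
Access list for /afs/example.edu/user/dave/pub is
Normal rights:
  system:anyuser rli
EOF
}
sample_listacl | flag_anyuser_write
```

Read-only grants (`rl`) are not reported, and a grant cancelled by a matching negative entry is treated as absent.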