[OpenAFS] Is anyone else seeing this:

John Hascall john@iastate.edu
Sat, 01 Mar 2008 11:28:11 CST


We had a case recently of a poorly-written user's cgi-bin
program (in perl, of course) which could be tricked into
dropping files.  Curiously, it used dirs with
system:anyuser write access in another school's cell
for its spammy files (and just that one school's,
as far as I know).

This was really pretty odd -- it seemed to indicate
a knowledge of AFS that I wouldn't expect the usual
weenie-pill-spammer to have.

We have since pulled all other cells out of our
user cgi-bin machine's CellServDB file.


John


> All
> We are seeing an influx of spam-laden web dirs in our afs cell.
> These are dirs that our main web server serves out of our cell for the
> students mostly.
> Here is a sample:
> http://www.msu.edu/~elizald2/viagra/order-viagra-overnight-delivery.html
> I have disabled it but you get the idea. This dir is chock-a-block full
> of crap.
> 
> I believe this is the work of a bot that arrives initially to the
> user via a spam email.
> The bot then trolls through afs space (so the user is likely running
> windows with the client running) locates a user volume where the user
> has (foolishly) set system:anyuser to all acls and from there the bot
> can install anything it wants in the user's web space and then send out
> spamage referring to this web space.
> 
> Or this could be a compromised web server with an afs client running on
> it.
> 
> For now we are just trolling through our cell and looking for user dirs
> where system:anyuser = all and then taking appropriate action as needed.
> 
> I hope to get my hands on an email that refers to this space so maybe I
> can track it back.
> 
> Any thoughts?
> /sd
> 
> -- 
> Steve Devine
> Email & Storage
> Academic Computing & Network Services
> Michigan State University
> 
> 313 Computer Center
> East Lansing, MI 48824-1042
> 1-517-432-7327
> 
> Baseball is ninety percent mental; the other half is physical.
> - Yogi Berra 
>
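
An added example, not part of either post or of OpenAFS: one way to run the sweep described in the quoted message, by parsing saved `fs listacl` output and reporting directories where `system:anyuser` holds insert, delete, write or administer rights. The function names and the sample paths and users are constructed, and the code assumes the usual `fs listacl` text layout ("Access list for ... is", "Normal rights:", "Negative rights:").

```python
import re

# Rights that let a holder change a directory's contents or its ACL:
# i=insert, d=delete, w=write, a=administer. r, l and k are not flagged.
MODIFY_RIGHTS = set("idwa")
HEADER = re.compile(r"^Access list for (.+) is$")

def parse_listacl(text):
    """Parse `fs listacl` text into {path: {"normal": {...}, "negative": {...}}}."""
    acls, path, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            path, section = m.group(1), None
            acls[path] = {"normal": {}, "negative": {}}
        elif line in ("Normal rights:", "Negative rights:"):
            section = line.split()[0].lower()
        elif path and section and line:
            who, _, rights = line.rpartition(" ")
            acls[path][section][who] = set(rights)
    return acls

def anyuser_writable(text, principal="system:anyuser"):
    """Return {path: modify rights} left to `principal` after negative rights."""
    findings = {}
    for path, acl in parse_listacl(text).items():
        granted = acl["normal"].get(principal, set()) - acl["negative"].get(principal, set())
        risky = granted & MODIFY_RIGHTS
        if risky:
            findings[path] = "".join(sorted(risky))
    return findings

# Constructed sample output; the cell name, paths and users are made up.
SAMPLE = """\
Access list for /afs/example.edu/user/a/alice/web is
Normal rights:
  system:anyuser rlidwka
  alice rlidwka
Access list for /afs/example.edu/user/b/bob/web is
Normal rights:
  system:anyuser rl
Access list for /afs/example.edu/user/c/carol/drop is
Normal rights:
  system:anyuser rlik
Negative rights:
  system:anyuser i
"""
if __name__ == "__main__":
    print(anyuser_writable(SAMPLE))
```

Only the first directory is reported: the second grants read and lookup only, and the third has its insert right cancelled by a negative entry.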