[OpenAFS] Is anyone else seeing this:
Sat, 01 Mar 2008 18:28:13 -0500
We've seen a dozen or so instances of this over the past two months.
The original problem was traced to a compromised host at CERN, but there
have been recurrences since then.
I don't think it's an email attack; we've found .tar.gz files with the
offending webpages that were left behind. They were also clearly done
by someone who understood the username -> URL mapping on three different
MIT webservers (web.mit.edu and stuff.mit.edu/www.mit.edu use different
file to URL mapping schemes).
Steve Devine <email@example.com> writes:
> I believe this is the work of a bot that arrives initially to the the
> user via a spam email.
> The bot then trolls through afs space (so the user is likely running
> windows with the client running) locates a user volume where the user
> has (foolishly) set system:anyuser to all acls and from there the bot
> can install anything it wants in the users web space and then send out
> spamage refering to this web space.
> Or this could be a compromised web server with an afs client running on
> For now we are just trolling through our cell and looking for user dirs
> where system:anyuser = all and then taking appropriate action as needed.
> I hope to get my hands on a email that refers to this space so maybe I
> can track it back.
> Any thoughts?
> Steve Devine
> Email & Storage
> Academic Computing & Network Services
> Michigan State University
> 313 Computer Center
> East Lansing, MI 48824-1042
> Baseball is ninety percent mental; the other half is physical.
> - Yogi Berra
> OpenAFS-info mailing list