[OpenAFS] Is anyone else seeing this:

Alex Rolfe arolfe@mit.edu
Sat, 01 Mar 2008 18:28:13 -0500


We've seen a dozen or so instances of this over the past two months.
The original problem was traced to a compromised host at CERN, but there
have been recurrences since then.

I don't think it's an email attack; we've found .tar.gz files with the
offending webpages that were left behind.  They were also clearly done
by someone who understood the username -> URL mapping on three different
MIT webservers (web.mit.edu and stuff.mit.edu/www.mit.edu use different
file to URL mapping schemes).

Alex

Steve Devine <sd@msu.edu> writes:

> I believe this is the work of a bot that arrives initially to the
> user via a spam email.
> The bot then trolls through afs space (so the user is likely running
> Windows with the client running) locates a user volume where the user
> has (foolishly) set system:anyuser to all acls and from there the bot
> can install anything it wants in the users web space and then send out
> spamage referring to this web space.
>
> Or this could be a compromised web server with an afs client running on
> it.
>
> For now we are just trolling through our cell and looking for user dirs
> where system:anyuser = all and then taking appropriate action as needed.
>
> I hope to get my hands on an email that refers to this space so maybe I
> can track it back.
>
> Any thoughts?
> /sd
>
> -- 
> Steve Devine
> Email & Storage
> Academic Computing & Network Services
> Michigan State University
>
> 313 Computer Center
> East Lansing, MI 48824-1042
> 1-517-432-7327
>
> Baseball is ninety percent mental; the other half is physical.
> - Yogi Berra 
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
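As an added example (not part of this thread or of OpenAFS itself), here is a shell check in the spirit of the audit Steve describes: it parses `fs listacl` output and flags directories where system:anyuser holds any right beyond read and lookup (w, i, d, k or a). The cell name, paths and ACL listing below are constructed sample data.

```shell
#!/bin/sh
# Added example: find system:anyuser entries that grant more than "rl".
# "rlidwka" is what `fs setacl ... system:anyuser all` expands to; anything
# with w, i, d, k or a lets an anonymous client modify the directory.

# Reads `fs listacl` output on stdin; prints "<dir> <rights>" for each
# risky Normal-rights entry. Returns 0 if any were found, 1 otherwise.
# Negative rights entries remove access, so they are not flagged.
audit_anyuser_acl() {
    awk '
        /^Access list for / { dir = $4; negative = 0; next }
        /^Negative rights:/ { negative = 1; next }
        /^Normal rights:/   { negative = 0; next }
        $1 == "system:anyuser" && !negative && $2 ~ /[widka]/ {
            print dir, $2
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample transcript in the format `fs listacl` prints
# (assumed cell name example.org; alice is safe, bob is exposed, carol has
# only a negative entry for system:anyuser).
SAMPLE_LISTACL='Access list for /afs/example.org/user/alice/www is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  alice rlidwka
Access list for /afs/example.org/user/bob/www is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwka
  bob rlidwka
Access list for /afs/example.org/user/carol/www is
Normal rights:
  system:administrators rlidwka
  carol rlidwka
Negative rights:
  system:anyuser rlidwka'

# Run against the sample. On a live cell, feed it real output instead, e.g.
#   find /afs/example.org/user -type d -exec fs listacl {} + | audit_anyuser_acl
# and remediate with:  fs setacl <dir> system:anyuser rl
printf '%s\n' "$SAMPLE_LISTACL" | audit_anyuser_acl
```

The sample run prints `/afs/example.org/user/bob/www rlidwka` and exits 0; a listing with no risky entry prints nothing and exits 1, so the function can drive a cron job or alert.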