Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#11925 closed Bug/Something is broken (fixed)

spam mail being sent from chelsea

Reported by: Jamie McClelland Owned by: Jamie McClelland
Priority: Medium Component: Tech
Keywords: chelsea.mayfirst.org Cc:
Sensitive: no

Description

Got complaint email and examined message from mailq

Change History (5)

comment:1 Changed 3 years ago by Jamie McClelland

I've put the details in chelsea:/root/tickets/11925

In short: I used postcat to examine one of the messages still active in the mailq to confirm it was spam.

Then I grepped for the message id in the mail.log to determine that it was being injected via tcp (which means you can't tell which user is doing it).

So then I ran lsof -i -n to see if there were any suspicious processes running and there were a gazillion of them sending to port smtp on remote servers owned by the user tempdeleuser.

I've disabled the entire hosting order and am notifying the member.

comment:2 Changed 3 years ago by Jamie McClelland

Owner: set to Jamie McClelland
Status: new → assigned

comment:3 Changed 3 years ago by Jamie McClelland

Resolution: fixed
Status: assigned → closed

comment:4 Changed 3 years ago by Jamie McClelland

Also, I examined the parent process id (via cat /proc/PID/environ) and noticed:

PWD=/home/members/xxxxxxx/web/.git/objects/7d

So, it looks like the exploit is hidden in a git directory.
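The triage steps in comment:1 and comment:4 (queue entry to mail.log, mail.log to the injection path, lsof to the owning user and PIDs, /proc/PID/environ to the directory the script was started from) as one script. This is an added example written for this page, not a tool from the ticket or from May First; the mail.log excerpt, the lsof output, the user and host names, the queue ids and the environ file are all constructed, and it assumes Postfix's usual log line shapes ("postfix/smtpd: QID: client=..." for TCP injection, "postfix/pickup: QID: uid=N from=<user>" for the local sendmail binary) in traditional syslog format.

```shell
#!/bin/sh
# Triage helper for spam sitting in the Postfix queue when the queue entry
# itself does not name the local user. Added example; all data below is
# constructed, not taken from the ticket's host.
set -eu

# Constructed mail.log excerpt (assumed traditional syslog format).
SAMPLE_MAILLOG='Mar  3 10:12:01 host1 postfix/smtpd[2210]: 7C1A2B3D4E: client=localhost[127.0.0.1]
Mar  3 10:12:01 host1 postfix/cleanup[2214]: 7C1A2B3D4E: message-id=<spam001@example.invalid>
Mar  3 10:12:01 host1 postfix/qmgr[1025]: 7C1A2B3D4E: from=<noreply@example.invalid>, size=2048, nrcpt=40 (queue active)
Mar  3 10:12:30 host1 postfix/pickup[1020]: 9F0E1D2C3B: uid=1007 from=<alice>
Mar  3 10:12:30 host1 postfix/cleanup[2214]: 9F0E1D2C3B: message-id=<legit002@example.invalid>'

# Constructed `lsof -i -n -P` output; without -P the port shows as "smtp".
SAMPLE_LSOF='COMMAND    PID          USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master    1021          root   12u  IPv4  22001      0t0  TCP *:25 (LISTEN)
perl     30412  tempdeleuser    4u  IPv4  90001      0t0  TCP 10.0.0.5:41022->203.0.113.10:25 (ESTABLISHED)
perl     30413  tempdeleuser    4u  IPv4  90002      0t0  TCP 10.0.0.5:41023->203.0.113.11:smtp (SYN_SENT)
perl     30412  tempdeleuser    5u  IPv4  90003      0t0  TCP 10.0.0.5:41024->198.51.100.7:25 (ESTABLISHED)
php-fpm   4100      www-data    6u  IPv4  33333      0t0  TCP 10.0.0.5:50001->10.0.0.9:3306 (ESTABLISHED)'

# queue_origin MESSAGE_ID LOGFILE
# Map the Message-ID (as postcat shows it) to its queue id via the cleanup
# line, then report how it entered the queue: smtpd (TCP, no uid logged)
# or pickup (local sendmail binary, uid logged).
queue_origin() {
  qid=$(awk -v m="$1" 'index($0, "message-id=<" m ">") { q = $6; sub(/:$/, "", q); print q; exit }' "$2")
  [ -n "$qid" ] || { echo "no queue entry for <$1>"; return 1; }
  awk -v q="$qid:" '$6 == q && $5 ~ /^postfix\/(smtpd|pickup)\[/ {
      prog = $5; sub(/\[.*/, "", prog)              # postfix/smtpd
      rest = $0; sub(/^.*: [A-Za-z0-9]+: /, "", rest) # drop prefix and queue id
      print prog ": " rest; exit }' "$2"
}

# smtp_clients < LSOF_OUTPUT
# "USER PID" for every process with an outbound connection to port 25/smtp;
# listening sockets and other ports are ignored, one line per process.
smtp_clients() {
  awk 'NR > 1 && $9 ~ /->[^ ]+:(25|smtp)$/ && $NF != "(LISTEN)" { print $3, $2 }' | sort -u
}

# smtp_client_users < LSOF_OUTPUT  ->  "COUNT USER", busiest user first
smtp_client_users() {
  smtp_clients | awk '{ n[$1]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# proc_pwd ENVIRON_FILE
# /proc/PID/environ is NUL-separated; print PWD, the directory the process
# was launched from (environment at exec time, so it can be stale or unset).
proc_pwd() {
  tr '\0' '\n' < "$1" | awk 'index($0, "PWD=") == 1 { print substr($0, 5); exit }'
}

# live_triage: the same steps on a real host. Run as root so lsof sees other
# users' sockets and /proc/PID/environ of other users is readable.
live_triage() {
  lsof -i -n -P 2>/dev/null | smtp_clients | while read -r user pid; do
    printf '%s %s pwd=%s cwd=%s\n' "$user" "$pid" \
      "$(proc_pwd "/proc/$pid/environ" 2>/dev/null)" \
      "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
  done
}

# Demo on the constructed samples.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_MAILLOG" > "$tmp.log"
printf 'PATH=/usr/bin\0PWD=/home/members/example/web/.git/objects/7d\0HOME=/home/members/example\0' > "$tmp.environ"
echo "origin of <spam001@example.invalid>: $(queue_origin spam001@example.invalid "$tmp.log")"
echo "origin of <legit002@example.invalid>: $(queue_origin legit002@example.invalid "$tmp.log")"
printf '%s\n' "$SAMPLE_LSOF" | smtp_client_users
echo "PWD of sample process: $(proc_pwd "$tmp.environ")"
rm -f "$tmp" "$tmp.log" "$tmp.environ"
```

Two caveats worth keeping in mind when running this for real: the environment in /proc/PID/environ is fixed at exec time, so a script that chdir()s afterwards still shows its original PWD there, and `readlink /proc/PID/cwd` is the authoritative current directory; and lsof output is a point-in-time snapshot, so short-lived sender processes can be missed and the check is worth repeating a few times before concluding which user owns them.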

comment:5 Changed 3 years ago by Ross

Wow...nice detective work Jamie! I've again removed everything from the site and replaced all the files with newly downloaded versions. All passwords have been changed, and everything in .ssh/authorized_keys removed. The git repo has also been cleaned.

This should last for at least a month or two, assuming the same hackers again find a way into the site. :-(
