A new means of exploiting systems to relay UBE (fwd)

joshua grubman jg at false.net
Fri Apr 30 14:19:47 UTC 1999

pardon the cross-posting.

joshua grubman
"note to self...  noone cares"

---------- Forwarded message ----------
Date: Fri, 30 Apr 1999 10:18:47 -0400 (EDT)
From: Network Operations <netops at DN.NET>
To: spam-l at peach.ease.lsoft.com
Cc: abuse at DN.NET, jg at false.net
Subject: A new means of exploiting systems to relay UBE

Hi folks,

I've honestly been too busy to read the current threads in any detail, so if
I'm addressing an issue which has already been discussed, please ignore me.

Lately we've come across an increasing number of reseller web machines where
users have uploaded a set of cgi's with intent to exploit said machine as a
spam engine. Since the scripts invoke sendmail locally, they are capiable of
delivering mail at an alarming rate. I will post these scripts to the end of
this message.

This is particularly disturbing, as all of these servers have been configured
with anti-relay rulesets, and many of our customers are not savvy enough to
realize that this is NOT relay spam or to track down the users who own the
cgi's and terminate their accounts.

This creates a HUGE problem for firms who offer colocation, hosting, or
managed servers to web resellers. Since these scripts don't require telnet
access, any bozo with a cgi-bin directory and an ftp account can turn a
legitimate customer into a spamhaus. The resources required for a provider
to log into a customer system (assuming they even have root!), disable an
account, and educate thousands of web resellers as to why their ISP is
making changes to their system make this issue even harder to address.

In the last few days we've come across three systems, each hosting a few 
hundred web users, where this software has been installed. On one of the
systems, multiple instanstances of the software had been uploaded under
various accounts.

I am attatching a tarred and gzipped copy of a cgi-bin directory containing 
this software. This was pulled directly from a reseller server. The subscriber
lists have been cleared out, and modifications have been made to the code to
make it unusable. If you have a good working knowledge of perl, you should
pick through it. Be very afraid.

If anybody has any ideas as to how this can be stopped, please share them. 


Josh Grubman <joshg at dn.net>
Senior Systems Engineer
Manager, Abuse Coordination

Security & Abuse Coordination Team
digitalNATION Internet Services
http://www.dn.net / (703) 642 2800 

DO NOT use this address for reporting problems!
uce & network abuse: abuse at dn.net
connectivity issues: noc at dn.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spamengine.tgz
Type: application/octet-stream
Size: 31376 bytes
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/19990430/1142cb7e/attachment.obj>

More information about the NANOG mailing list