Re: Temporarily block domain.tld from sending?

  • Stan Hoeppner
    Message 1 of 18, Oct 8, 2013
      On 10/8/2013 7:15 PM, lists@... wrote:
      > On Wed, October 9, 2013 10:41 am, Stan Hoeppner wrote:
      >> On 10/8/2013 3:08 PM, lists@... wrote:
      >
      > Stan, Michael and others who responded, thanks
      >
      >> Others responded with some good ideas here, mostly locking down PHP
      >> itself so it can't use the sendmail binary. But it sounds like this is a
      >> generic web hosting server for your customers. Which means they may be
      >> using all manner of languages other than PHP, such as Perl, Java, etc.
      >
      > modified php.ini as per Michael's suggestion;
      > yes, it is as you suggest, 'all manner..';
      >
      >> In this case, the most thorough way to lock this down, other than
      >> disabling the pickup service in master.cf, is to restrict execute
      >> permissions on the sendmail binary to root. This prevents all web
      >> applications from using the pickup service. Then instruct all of your
      >> users to use the submission service on TCP 587 for sending mail.
      >> Disabling pickup is the easiest and quickest way to stop this spamming
      >> permanently. But it will likely break management functions that need to
      >> send mail via pickup, such as logwatch, pflogsumm, etc. Thus restricting
      >> which users can execute the sendmail binary is a better solution.
      >
      > I'll work towards that later today
      >
      > I'm still perplexed with access: the user claims no one else had ftp

      Look at every file in this user's publicly accessible directory tree.
      You may find that s/he saved the username/password in a text file
      (regardless of file extension, or name), which is quite common for many
      users, especially those who don't update the site but once every few
      weeks, months, etc. They bookmark the URL and "remember" the
      credentials this way when they need to work on the site. Crackers will
      often find such files, even if not exposed anywhere in the HTML content
      of the site.

      > password, ftp password was a random 8-char alpha/numeric string,
      > can there be any other reason that leaked password...?

      There are all manner of ways credentials can fall into the wrong hands.
      Above is only one. The simplest is the Post-it note, both literally
      and metaphorically. You can't control this. What you can control is the
      password itself, and the frequency of change. Random passwords are
      meaningless if someone can simply copy or steal the Post-it. Changing
      passwords regularly helps mitigate this problem, but not if users simply
      put the new password in an accessible file, as in the scenario above.

      --
      Stan
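The lockdown Stan describes above (restricting execute permission on the sendmail binary rather than disabling pickup), written out as an added shell example; this is not code from the thread or from Postfix. It assumes a stock Postfix layout with the binaries at /usr/sbin/sendmail and /usr/sbin/postdrop owned by root:postdrop and a web-server account named www-data; the group name, paths and account are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example, not from the thread: restrict who can run the Postfix
# sendmail(1) and postdrop(1) binaries so that web-application users such as
# www-data can no longer inject mail through the pickup service, while root
# (which management tools like logwatch run as) and members of a chosen
# group keep working.  Paths, group and account name are assumptions for a
# stock Postfix install and may differ on your system.

# Group whose members may still submit mail via sendmail(1).  Keeping Postfix's
# own "postdrop" group preserves the setgid bit the binaries rely on.
SENDMAIL_GROUP="${SENDMAIL_GROUP:-postdrop}"

# Print a file's permission bits in octal, on GNU and BSD stat alike.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Drop every "other" bit: root:postdrop 2755 becomes 2750, so root and the
# postdrop group can execute and everyone else gets "Permission denied".
restrict_binary() {
    chmod o-rwx "$1"
}

# Succeed (exit 0) when the world-execute bit is still set.
others_can_execute() {
    case "$(file_mode "$1")" in
        *[1357]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Apply the change to the real binaries.  Only meaningful as root.
lock_down_postfix_submission() {
    for bin in /usr/sbin/sendmail /usr/sbin/postdrop; do
        [ -e "$bin" ] || continue
        chgrp "$SENDMAIL_GROUP" "$bin"
        restrict_binary "$bin"
        printf '%s is now mode %s\n' "$bin" "$(file_mode "$bin")"
    done
}

# Check from an unprivileged account whether the lockdown holds: prints
# "blocked" or "still executable" for the given user (assumed: su with -s).
check_user_blocked() {
    if su -s /bin/sh "$1" -c 'test -x /usr/sbin/sendmail' >/dev/null 2>&1; then
        echo "still executable"
    else
        echo "blocked"
    fi
}

if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    lock_down_postfix_submission
    check_user_blocked www-data
fi
```

Run it as root with --apply. Users who legitimately submit mail from the shell are added with `usermod -aG postdrop user`; everyone else uses the submission service on 587 as the thread recommends. Two caveats: `postfix set-permissions` (and, on Debian-derived systems, possibly a package upgrade) puts the default 2755 mode back unless you record the override, e.g. `dpkg-statoverride --update --add root postdrop 2750 /usr/sbin/sendmail`; and this only stops PHP's mail() while sendmail_path still points at this binary.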
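A sweep of the kind Stan recommends above, written as an added example that is not code from the thread: it greps a customer's docroot for credential-shaped content regardless of file name or extension, and builds a constructed sample tree (hostnames, usernames and the password in it are made up) to run against. The regular expression is my assumption; tune it to the site.

```shell
#!/bin/sh
# Added example, not from the thread: sweep a customer's publicly reachable
# directory tree (the web docroot) for files that look like they hold saved
# logins, whatever the file is named.  The pattern, the sample tree and the
# credentials in it are constructed for this illustration.

# Matches ftp://user:pass@host URLs and "password:"/"pass ="-style labels.
CRED_PATTERN='(ftp://[^[:space:]/]+:[^[:space:]@]+@|(pass(word|wd)?|pwd|passwd)[[:space:]]*[:=])'

# List every text file under $1 that matches, one path per line.
# -r recurse, -I skip binaries (a text file named .jpg is still scanned),
# -l print names only, -i ignore case, -E extended regex.
find_credential_files() {
    grep -rIliE "$CRED_PATTERN" "$1" 2>/dev/null | sort
}

# Show each hit with file name, line number and the matching line for triage.
show_credential_hits() {
    grep -rIniE "$CRED_PATTERN" "$1" 2>/dev/null
}

# Build a throwaway docroot that mimics what the thread describes: a note the
# customer left to "remember" the login, a backup of a config file, and a
# text file hiding behind an image extension.  Prints the directory path.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/htdocs/img"
    cat > "$d/htdocs/index.html" <<'EOF'
<html><body>
<form method="post" action="login.php">
  <input type="text" name="user"><input type="password" name="pw">
</form>
</body></html>
EOF
    cat > "$d/htdocs/notes.txt" <<'EOF'
site login for ftp.example.com (constructed sample)
username: voytek
password: xK9q2m4z
EOF
    cat > "$d/htdocs/img/readme.jpg" <<'EOF'
upload with ftp://voytek:xK9q2m4z@ftp.example.com/htdocs/
EOF
    cat > "$d/htdocs/config.php.bak" <<'EOF'
<?php
$ftp_host = 'ftp.example.com';
$ftp_pass = 'xK9q2m4z';
EOF
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_docroot)
    show_credential_hits "$root"
    rm -rf "$root"
fi
```

Point `find_credential_files` at the real docroot (for example `find_credential_files /var/www/customer/htdocs`); index.html is in the sample as a deliberate non-match, since a login form's `type="password"` is not a saved credential. Anything the scan finds is fetchable by URL, so treat a hit as a leaked password, not just a tidiness problem.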
    • Robert L Mathews
      Message 2 of 18, Oct 10, 2013
        On 10/8/13 5:15 PM, lists@... wrote:

        > I'm still perplexed with access: the user claims no one else had ftp
        > password, ftp password was a random 8-char alpha/numeric string,
        > can there be any other reason that leaked password...?

        There are several Windows PC viruses, including the common "Gumblar"
        family, that steal saved FTP passwords from files on the computer.

        They simply have a list of file locations where various FTP clients such
        as FileZilla and Dreamweaver store saved passwords. They scan all these
        locations and send any results back to a central server.

        Some of these viruses also incorporate network sniffing to detect FTP
        passwords.

        So even if the password was random and used only on a single computer,
        it may have been obtained by evildoers if the user checked a "remember
        this password" option or ever connected to a non-TLS FTP server. The
        user should scan any computer that ever used this password for viruses.

        --
        Robert L Mathews, Tiger Technologies, http://www.tigertech.net/
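To make Robert's point concrete, an added shell example (not code from the thread, FileZilla or any malware) that reads a FileZilla sitemanager.xml the way a password stealer would. It assumes the usual profile locations (~/.config/filezilla on Unix, %APPDATA%\FileZilla on Windows) and that older FileZilla releases stored the password as plain text while newer ones only base64-encode it; the sample file, hosts, users and passwords are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: show how little protection a "remember
# this password" entry gets in FileZilla.  Saved sites live in sitemanager.xml
# (and recently used ones in recentservers.xml) under the profile directory;
# older releases stored the password as plain text and newer ones only
# base64-encode it, which is all a credential stealer has to undo.  The sample
# file below is constructed; the profile paths are the usual defaults and are
# assumptions for your system.

# Print the candidate FileZilla config files that exist for the current user.
filezilla_config_candidates() {
    for f in "$HOME/.config/filezilla/sitemanager.xml" \
             "$HOME/.config/filezilla/recentservers.xml" \
             "${APPDATA:-}/FileZilla/sitemanager.xml" \
             "${APPDATA:-}/FileZilla/recentservers.xml"; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Extract the text between an XML element's open and close tag on one line
# (FileZilla writes one element per line, which this relies on).
tag_value() {
    printf '%s\n' "$1" | sed "s/.*<$2[^>]*>\\(.*\\)<\\/$2>.*/\\1/"
}

# Print "host user password" for every saved server in the given file,
# decoding base64 passwords and passing plain-text ones through.
filezilla_saved_logins() {
    host=""; user=""; pass=""
    while IFS= read -r line; do
        case "$line" in
            *"<Host>"*) host=$(tag_value "$line" Host) ;;
            *"<User>"*) user=$(tag_value "$line" User) ;;
            *"<Pass encoding=\"base64\">"*)
                pass=$(tag_value "$line" Pass | base64 -d) ;;
            *"<Pass>"*) pass=$(tag_value "$line" Pass) ;;
            *"</Server>"*)
                printf '%s %s %s\n' "$host" "$user" "$pass"
                host=""; user=""; pass="" ;;
        esac
    done < "$1"
}

# Write a constructed sitemanager.xml with one entry in the newer base64 form
# and one in the older plain-text form.  Prints the file's path.
make_sample_sitemanager() {
    f=$(mktemp)
    enc=$(printf '%s' 'xK9q2m4z' | base64)
    cat > "$f" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.10.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>voytek</User>
      <Pass encoding="base64">$enc</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>ftp.example.net</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>olduser</User>
      <Pass>plain-old-secret</Pass>
      <Logontype>1</Logontype>
    </Server>
  </Servers>
</FileZilla3>
EOF
    printf '%s\n' "$f"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_sitemanager)
    filezilla_saved_logins "$f"
    rm -f "$f"
fi
```

Running it with --demo prints both logins in the clear. The lesson for the hosting side is the one Robert draws: a random password is only as safe as every file it was saved in, so after a compromise rotate it and have the customer clear saved sites on every machine that held it.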
      • lists@...
        Message 3 of 18, Oct 10, 2013
          On Fri, October 11, 2013 4:56 am, Robert L Mathews wrote:
          > On 10/8/13 5:15 PM, lists@... wrote:

          > There are several Windows PC viruses, including the common "Gumblar"
          > family, that steal saved FTP passwords from files on the computer.
          > They simply have a list of file locations where various FTP clients such
          > as FileZilla and Dreamweaver store saved passwords. They scan all these
          > locations and send any results back to a central server.

          Robert,

          thanks for explanation, that makes a lot of sense in this scenario, and,
          the most likely reason (I guess I couldn't see the forest for the
          trees...)

          Voytek
        • lists@...
          Message 4 of 18, Oct 10, 2013
            On Fri, October 11, 2013 10:49 am, lists@... wrote:
            > On Fri, October 11, 2013 4:56 am, Robert L Mathews wrote:

            >> There are several Windows PC viruses, including the common "Gumblar"
            >> family, that steal saved FTP passwords from files on the computer. They

            > thanks for explanation, that makes a lot of sense in this scenario, and,
            > the most likely reason

            On Wed, October 9, 2013 3:52 pm, Stan Hoeppner wrote:

            > Look at every file in this user's publicly accessible directory tree.
            > You may find that s/he saved the username/password in a text file

            fwiw, just followed up with the user, he now confirmed his PC did have a
            malware issue a few months ago, after he opened a 'your parcel delivery'
            zip file, etc

            and, he did have p/w stored on infected PC

            thanks again for all help and suggestions to everyone,