Yow.
Go spamhater.zoomshare.com
I’ve posted a bzip2’d ext3 image of the compromised (etch) OS here:
bugzilla.img.bz2
List of packages installed on the machine here:
bugzilla-packageList
I’ll be pointing the authorities to it and providing any other logs required to track down the responsible party.
Dear Carl

Please read this message carefully. You are receiving this email because you are responsible for IP address 66.152.65.7
https://bugzilla.colliertech.org/cgi-bin/bugzilla/index.cgi

The machine at this address has been hijacked, and an extra process called "tswapd" has been installed. This process is running many web sites as shown by these URLs:

http://66.152.65.7:8080/p/images/weship.gif
http://66.152.65.7:8080/legalrx/images/logo.gif
http://66.152.65.7:8080/usd/images/logo.gif
http://66.152.65.7:8080/rolex/images/logo.gif
http://66.152.65.7:8080/caviar/images/main_logo.gif

Action required

1. locate the machine at this IP address
2. change the root and any administrator passwords to make them more secure
3. shutdown the machine, and restart

Alternatively, you can issue the commands to display the process id and kill it:

    ps wax | grep "tswapd"
    kill <pid>

[where <pid> is the process-id displayed by the ps command]

If you are not the administrator, please forward this information to the administrator.

To help you locate the hijacked machine, use this link
http://www.dnsstuff.com/tools/tracert.ch?ip=66.152.65.7

Thank you from the Pharmacy Alert Security Team

For more information view http://pharmalert.zoomshare.com/ and http://spamhater.zoomshare.com/2.shtml
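Followed literally, the email's "find the pid and kill it" advice destroys the only copy of the thing you would want to hand to the authorities: a process whose binary was unlinked after launch shows "(deleted)" on its /proc/<pid>/exe link, and once the process dies that image is gone. The script below is an added example, not part of the original post or of the Pharmacy Alert email. It classifies process image paths the way a first-responder would (unlinked binary, or binary launched out of a world-writable directory), and its live mode copies each flagged process's image, cwd, cmdline and open file descriptors off /proc before killing it. The sample readlink lines, the pids in them and the path /tmp/.x/tswapd are constructed for illustration and are not taken from the compromised image.

```shell
#!/bin/sh
# Added example (not from the original post or the Pharmacy Alert email).
# Triage a memory-resident process such as "tswapd" before killing it.
#
# classify_exe reads lines of the form "<pid> <exe-link-target>" on stdin
# (what `readlink /proc/<pid>/exe` prints) and emits "<pid> <verdict>".
# A target ending in "(deleted)" means the binary was removed after launch;
# a target under /tmp, /var/tmp or /dev/shm means it was run from a
# world-writable directory, the usual drop location for such tools.
classify_exe() {
    awk '{
        pid = $1; exe = $2
        verdict = "ok"
        if ($0 ~ /\(deleted\)$/) {
            verdict = "deleted-binary"
        } else if (exe ~ /^\/(tmp|var\/tmp|dev\/shm)\//) {
            verdict = "world-writable-dir"
        }
        print pid, verdict
    }'
}

# suspicious_pids prints only the pids that classify_exe did not mark "ok".
suspicious_pids() {
    classify_exe | awk '$2 != "ok" { print $1 }'
}

# live_triage walks /proc on a real Linux host (run as root), saves evidence
# for every flagged process under directory $1, and only then kills it.
# /proc/<pid>/exe can still be copied while the process is alive, even when
# the file on disk is gone. Not exercised by the tests below.
live_triage() {
    outdir=$1
    mkdir -p "$outdir"
    netstat -tlnp > "$outdir/listening.txt" 2>/dev/null   # who owns :8080 etc.
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue   # kernel threads have no exe
        printf '%s %s\n' "$pid" "$exe"
    done | suspicious_pids | while read -r pid; do
        cp "/proc/$pid/exe" "$outdir/$pid.bin" 2>/dev/null
        tr '\000' ' ' < "/proc/$pid/cmdline" > "$outdir/$pid.cmdline"
        readlink "/proc/$pid/cwd" > "$outdir/$pid.cwd"
        ls -l "/proc/$pid/fd" > "$outdir/$pid.fd" 2>/dev/null
        echo "saved evidence for pid $pid, killing it"
        kill "$pid"
    done
}

# Constructed sample of readlink output (pids and paths are assumptions for
# the example, not taken from the compromised image).
SAMPLE='1 /sbin/init
2417 /usr/sbin/sshd
4242 /tmp/.x/tswapd (deleted)
4250 /dev/shm/.t/httpd
5120 /usr/bin/perl'

printf '%s\n' "$SAMPLE" | classify_exe
```

Run `live_triage /root/evidence` as root on the suspect host. Walking /proc/<pid>/exe rather than grepping ps output also sidesteps two weaknesses of `ps wax | grep "tswapd"`: the grep matches its own command line, and it only finds processes that still happen to be called tswapd.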
One response to “bugzilla compromised”
That is not a compromise of bugzilla. It’s a separate process that these spammers install themselves. They do it via automated means from other similarly-compromised servers. They take them over by running a password guesser on the IP address they want to take over. Once they successfully hijack one machine, they scan for other easy-to-hijack machines on the same network (or others). All results are mailed to a throwaway address.
The whole app resides only in memory. If you kill off tswapd (or any of their other processes), they eventually log back in and wget, install, run, then delete the binary for tswapd (or any of the others). They appear to do all of this automatically as well.
Bugzilla and other apps remain untouched. These spammers merely want to abuse your machines for their own purposes. That includes hosting of their websites and images, as well as traffic forwarding (mostly to cover their tracks). This drops their cost of doing business to precisely $0. Instead the costs are passed on to you.
Thanks for providing the OS bzip. That might be useful.
fyi
SiL
P.S. You may want to point the IC3 to that tarball file. They are monitoring these spammers as we speak.
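SiL's comment puts the entry vector at a password guesser and the persistence at nothing on disk: log in, wget, run, delete. On an etch box the durable trace of that is sshd's lines in /var/log/auth.log, and the telltale is an "Accepted password" login from a source that had just been failing. The awk-based script below is an added example, not SiL's or the post author's code. The log lines it ships with are constructed to look like sshd's auth.log output; the hostname, pids and addresses in them are assumptions for the example, not taken from the compromised image.

```shell
#!/bin/sh
# Added example (not from the original post or the comment it follows).
# Pick out password-guesser successes from sshd lines in auth.log.

# guessed_logins reads auth.log lines on stdin and prints
# "<ip> <user> <prior-failures>" for every password login accepted from a
# source that had already failed at least $1 times (default 3).
guessed_logins() {
    thresh=${1:-3}
    awk -v thresh="$thresh" '
        # field_after returns the field following the first occurrence of word
        function field_after(word,    i) {
            for (i = 1; i < NF; i++) if ($i == word) return $(i + 1)
            return ""
        }
        /sshd\[[0-9]+\]: Failed password for/ { fails[field_after("from")]++ }
        /sshd\[[0-9]+\]: Accepted password for/ {
            ip = field_after("from")
            if (fails[ip] >= thresh) print ip, field_after("for"), fails[ip]
        }
    '
}

# failures_by_source prints "<count> <ip>" for every source that failed a
# password at least once, busiest source first.
failures_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i < NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# Constructed sample in sshd auth.log format (hostname, pids and addresses
# are assumptions for the example, not from the compromised image).
SAMPLE_AUTH='Jan 12 03:14:07 bugzilla sshd[2417]: Failed password for invalid user admin from 10.0.0.5 port 40112 ssh2
Jan 12 03:14:09 bugzilla sshd[2419]: Failed password for root from 10.0.0.5 port 40113 ssh2
Jan 12 03:14:11 bugzilla sshd[2421]: Failed password for root from 10.0.0.5 port 40114 ssh2
Jan 12 03:14:14 bugzilla sshd[2423]: Accepted password for root from 10.0.0.5 port 40115 ssh2
Jan 12 03:20:31 bugzilla sshd[2500]: Failed password for root from 198.51.100.7 port 3222 ssh2
Jan 12 07:00:01 bugzilla sshd[2601]: Accepted publickey for carl from 192.0.2.10 port 51200 ssh2'

printf '%s\n' "$SAMPLE_AUTH" | guessed_logins 3
```

On the real host run `guessed_logins 3 < /var/log/auth.log` (and the rotated `auth.log.*` files, since the guesser may predate the first tswapd sighting by days); the threshold is deliberately low because a guesser with a good wordlist can succeed on its third try. The timestamp of the accepted login is the anchor for everything else: it tells you which rotated logs to keep, and it bounds when the root password was known to someone else, which is why the email's advice to change it has to come before, not after, the reboot.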