bugzilla compromised


Yow.

Go spamhater.zoomshare.com

I’ve posted a bzip2’d ext3 image of the compromised (etch) OS here:
bugzilla.img.bz2

List of packages installed on the machine here:
bugzilla-packageList

I’ll be pointing the authorities to it and providing any other logs required to track down the responsible party.

Dear Carl

Please read this message carefully.

You are receiving this email because you are responsible for IP
address 66.152.65.7
https://bugzilla.colliertech.org/cgi-bin/bugzilla/index.cgi

The machine at this address has been hijacked, and an extra process
called "tswapd" has been installed.
This process is running many web sites as shown by these URLs:

http://66.152.65.7:8080/p/images/weship.gif
http://66.152.65.7:8080/legalrx/images/logo.gif
http://66.152.65.7:8080/usd/images/logo.gif
http://66.152.65.7:8080/rolex/images/logo.gif
http://66.152.65.7:8080/caviar/images/main_logo.gif

Action required

1. locate the machine at this IP address
2. change the root and any administrator passwords to make them more secure
3. shutdown the machine, and restart

Alternatively, you can issue the commands to display the process id and kill it:

ps wax | grep "tswapd"
kill <pid>
 [where <pid> is the process-id displayed by the ps command]

If you are not the administrator, please forward this information to
the administrator.

To help you locate the hijacked machine, use this link
http://www.dnsstuff.com/tools/tracert.ch?ip=66.152.65.7


Thank you from the Pharmacy Alert Security Team
For more information view
http://pharmalert.zoomshare.com/   and   http://spamhater.zoomshare.com/2.shtml


One response to “bugzilla compromised”

  1. That is not a compromise of bugzilla. It’s a separate process that these spammers install themselves. They do it via automated means from other similarly-compromised servers. They take them over by running a password guesser on the ip address they want to take over. Once they successfully hijack one machine, they scan for other easy-to-hijack machines on the same network (or others.) All results are mailed to a throwaway address.

    The whole app resides only in memory. If you kill off tswapd (or any of their other processes), they eventually log back in and wget, install, run, then delete the binary for tswapd (or any of the others.) They appear to do all of this automatically as well.

    Bugzilla and other apps remain untouched. These spammers merely want to abuse your machines for their own purposes. That includes hosting of their websites and images, as well as traffic forwarding (mostly to cover their tracks.) This drops their cost of doing business to precisely $0. Instead the costs are passed on to you.

    Thanks for providing the OS bzip. That might be useful.

    fyi

    SiL

    P.S. You may want to point the IC3 to that tarball file. They are monitoring these spammers as we speak.
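The email's "ps wax | grep tswapd; kill" step and SiL's point that the binary is removed from disk once it is running suggest a more reliable way to triage such a box: find the process by the socket it listens on rather than by a name the intruders can change, check whether its on-disk file is already gone, and copy the image out of /proc before killing it, since the kill would otherwise destroy the only copy of the thing you want to hand to the authorities. The following is an added example written for this page, not code from the post, the reporting team or the commenter. It assumes a Linux /proc layout (it reads the process name from /proc/<pid>/stat because etch-era 2.6.18 kernels have no /proc/<pid>/comm); the /proc/net/tcp lines, pids, inodes and the /var/tmp path in the embedded sample are constructed for the offline run.

```python
"""Find a memory-resident listener like "tswapd" and save its image before killing it.

Added example for this post, not code from the post, the reporting team or the
commenter. Assumes a Linux /proc layout; the embedded sample data is constructed.
"""
import os
import re
import shutil
import sys

LISTEN = "0A"                                   # "st" column value for LISTEN in /proc/net/tcp
SOCKET_RE = re.compile(r"socket:\[(\d+)\]")     # /proc/<pid>/fd/N -> socket:[inode]

# Constructed sample of /proc/net/tcp: sshd on :22 (inode 1234), an unknown
# listener on :8080 (inode 5678), and one ESTABLISHED connection (inode 5690).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 300 0 0 2 -1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 5678 1 00000000 300 0 0 2 -1
   2: 07419842:1F90 5BD2D4C0:C3A1 01 00000000:00000000 00:00000000 00000000  1000        0 5690 1 00000000 20 4 30 10 -1
"""

# Constructed process snapshot in the shape collect_procs() produces; pids and the
# path are invented. "(deleted)" is what readlink on /proc/<pid>/exe reports once
# the binary has been unlinked, which is what the comment says these intruders do.
SAMPLE_PROCS = {
    1:    {"comm": "init",   "exe": "/sbin/init",                "sockets": set()},
    612:  {"comm": "sshd",   "exe": "/usr/sbin/sshd",            "sockets": {1234}},
    4417: {"comm": "tswapd", "exe": "/var/tmp/tswapd (deleted)", "sockets": {5678, 5690}},
}


def parse_proc_net_tcp(text):
    """Map socket inode -> local port for every socket in LISTEN state."""
    listeners = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)  # local_address is hexIP:hexPORT
        listeners[int(f[9])] = port             # column 9 is the socket inode
    return listeners


def collect_procs(proc_root="/proc"):
    """Snapshot {pid: {comm, exe, sockets}} from a live /proc (run as root to see every fd)."""
    procs = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "stat")) as fh:
                stat = fh.read()
            comm = stat[stat.index("(") + 1:stat.rindex(")")]   # name field, old kernels too
            exe = os.readlink(os.path.join(base, "exe"))
            sockets = set()
            for fd in os.listdir(os.path.join(base, "fd")):
                m = SOCKET_RE.match(os.readlink(os.path.join(base, "fd", fd)))
                if m:
                    sockets.add(int(m.group(1)))
        except OSError:                         # raced with process exit, or not permitted
            continue
        procs[int(entry)] = {"comm": comm, "exe": exe, "sockets": sockets}
    return procs


def find_suspects(listeners, procs, port=8080):
    """Return every process owning a LISTEN socket on `port`, flagging those whose
    executable has been unlinked from disk."""
    hits = []
    for pid in sorted(procs):
        info = procs[pid]
        if any(listeners.get(inode) == port for inode in info["sockets"]):
            hits.append({"pid": pid, "comm": info["comm"], "exe": info["exe"],
                         "deleted": info["exe"].endswith("(deleted)")})
    return hits


def preserve_exe(pid, dest_dir):
    """Copy the running image out of /proc/<pid>/exe. The kernel keeps serving the
    unlinked file while the process lives, so do this before `kill`."""
    dest = os.path.join(dest_dir, "pid%d.exe" % pid)
    shutil.copyfile("/proc/%d/exe" % pid, dest)
    return dest


if __name__ == "__main__":
    if "--live" in sys.argv:                    # inspect this host instead of the sample
        with open("/proc/net/tcp") as fh:
            listeners = parse_proc_net_tcp(fh.read())
        procs = collect_procs()
    else:
        listeners, procs = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP), SAMPLE_PROCS
    for hit in find_suspects(listeners, procs):
        note = "  <- binary unlinked; copy /proc/%d/exe before killing" % hit["pid"] if hit["deleted"] else ""
        print("pid %d (%s) %s%s" % (hit["pid"], hit["comm"], hit["exe"], note))
```

Run it as root with `--live` on the affected host; without the flag it walks the constructed sample and reports pid 4417 as the :8080 listener with its binary unlinked. Treat this as triage only: as the comment notes, killing the process does nothing about the credentials that were guessed, and the intruders will simply log back in and reinstall, so the password change and a rebuild from clean media still have to follow.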
