True enough. Caps help.
I noticed a form I used to have on one of the websites but since renamed formscript.cgi was being used to try and send mail. Busy little beavers, 20,000 mail attempts, 100,000 recipients.
Also noticed the orginating ip's were all over the globe. Almost as if some virus were bouncing around.
I did a few new things:
I wrote a script called gkillnh that lets me shut down all sendmail daemons hard instantaneoiusly. its a ps -ef grep scrpit. I'm working on what conditions need to be present to invoke it via cron and not effect legitimate mail.
Also: I wrote a script called update.dns.zone
This script automatically updates all DNS zone records to todays date and then restarts the named daemon. This has the effect if done properly of forcing all cache servers like aol.com to reload all web data from my site. I was thinking that would make old cached copies of formscript.cgi go away. The cached copies did not have protection on source ip or destinations. All the current scripts did.
Lastly I set the following parameters in my sendmail.mc file.
dnl # note these settings are only for when an attack is detected
dnl # raise this number when normal operations are needed
dnl # Accept certain number of sendmail connections
define(`confCONNECT_RATE_THROTTLE', `1')dnl
dnl # Accept certain number of sendmail children
define(`confMAX_DAEMON_CHILDREN', `2')dnl
These number are ridiculously low, but they say 1 connection per second maximum children 2 for sendmail.
This does allow the spammers to do denial of service. If they are filling up my mail queue, legitimate email can get in or out. But it does two things: It dramatically lowers the capacity of my servers to send mail, making it less attractive to spammers during the attack. It prevents the sendmail daemon from pumping up the load factor on the machine and denying cpu cycles to other services. httpd is much more important than sendmail. The attack will eventually stop and the legitimate inbound mail will come in and the legitimate outbound mail will go out.
The last thing I did was what stopped the last major attach. In the abused website, whose domain name I can't reveal due to a confidentiality agreement I have put two blank, empty files with read only rights to the world. form.cgi formscript.cgi
The culmulative effect of the dns cache force and the dummy slugs being out there is that eventually those that are running old forms out of cache will find their cache dumps and they get the new, useless zero byte versions. This last change was done within the last 15 minutes and I'm not sure what if any effect its had.
I am curious, someone probed my server, found a vunlerability, form.cgi even though the form itself was secure and all spam relay attempts failed. Somehow, people all over the planet began to try the same thing, then the switch last night to the form that was dropped from the server 120 days ago.
Somehow this vulnerability was transmitted all over the world. I'm interested in how the information was propogated and how I can monitor it. I'll hand out a bunny for the script that was used to find the vulnerability. robots.txt was fully deployed and that should have made this attack impossible.
The bottom line thus far is that no mail has gotten through, though my logfiles are a little stuffed from all the fail messages.
SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
