This past week, we discovered that the primary webserver for a subsidiary was being used to send out email. They pretty quickly cut it off, but, before the problem was fully understood, the webserver was brought back online. Sure enough, it started spewing out tons of email when the attacker found that it was back online. He did a couple of probes and then — Boom! — the flood was back!
The source of the problem? A guestbook script that allowed anyone to send email to anyone. The first time around, the administrators for the box just turned off SMTP on the box (this was an NT IIS install) and figured that would solve the problem.
When the problem re-appeared, they finally cut off the source — the guestbook script. It isn’t clear that the script was even being used, so this may be another case of what happens when you don’t minimize the amount of software on the system.
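As an added example, not the subsidiary's script: a guestbook notification handler written so it cannot be turned into a mail relay, in Python rather than whatever the NT box actually ran. The form field names, the owner address and the length limit are assumptions.

```python
# Added example (not the subsidiary's guestbook script): a notification
# handler that cannot be used as an open mail relay. Assumptions: the form
# posts "name" and "entry" (and an abuser may add "to"/"cc"/"bcc"); the
# only legitimate recipient is the site owner, taken from configuration.
from email.message import EmailMessage
from email.utils import parseaddr

OWNER_ADDRESS = "webmaster@example.com"   # configured, never from the form
MAX_ENTRY_LEN = 2000                      # assumed cap on guestbook text


class RejectedEntry(ValueError):
    """Raised when a submission must not produce any email at all."""


def _clean_header_value(value: str, limit: int = 80) -> str:
    # CR/LF inside a header value lets the client append headers of its
    # own (extra recipients, a forged From); refuse rather than strip so
    # the attempt is visible in the application log.
    if "\r" in value or "\n" in value:
        raise RejectedEntry("newline in header field")
    return value.strip()[:limit]


def build_notification(form: dict) -> EmailMessage:
    """Build the 'You have a new guestbook entry' mail for the owner only."""
    # A recipient chosen by the client is the whole relay problem, so the
    # request is rejected outright instead of silently ignored.
    if any(k in form for k in ("to", "cc", "bcc")):
        raise RejectedEntry("client tried to choose a recipient")
    name = _clean_header_value(form.get("name", "anonymous"))
    entry = form.get("entry", "")
    if len(entry) > MAX_ENTRY_LEN:
        raise RejectedEntry("entry too long")
    msg = EmailMessage()
    msg["From"] = f"guestbook <{OWNER_ADDRESS}>"
    msg["To"] = OWNER_ADDRESS              # fixed destination
    msg["Subject"] = f"You have a new guestbook entry from {name}"
    msg.set_content(entry)                 # client text lands in the body only
    return msg


def recipients_of(msg: EmailMessage) -> list:
    """Return the bare addresses the message would be delivered to."""
    return [parseaddr(str(a))[1] for a in msg.get_all("To", [])]
```

Pair this with the mail gateway rule the post describes: the web host is allowed to deliver only to the owner's mailbox, so even a future script bug cannot reach outside addresses.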
As the admin for the Internet-connected email gateway, I finally cut off all mail from the server. Of course, I should have done that first, but better late than never. I also started capturing all the bounces for the email sent out. It was there that I found out that the emails were an attempt at credit card fraud.
I don’t know who would enter their credit card information into a website whose link they got from an email that started “You have a new guestbook entry”, but it almost seems like they would deserve what they got. Practice good net-hygiene, folks!
The good thing is that this guy didn’t seem too smart. From our end, it looks like he used his own system to perpetrate the attack. And apparently used his own domain (g0d.ca) for probing the guestbook. In any case, the information we had was passed along, so it looks like he’ll likely be caught.