Spam bots at the gateway
By Tim Finin on Thursday, July 12th, 2007 at 1:00 pm.
You might have noticed that many of our ebiquity web systems and services were a bit, well, flaky, last week. We experienced a number of security problems which were most likely all related. On July 3 someone complained via (I think) the comment link on UMBC’s main page that we were flooding their online form with spam. It turns out that someone was, somehow, able to launch a second httpd process using port 8080 on our Web computer. This was serving as a proxy, acting as a relay for requests from spam links placed in comments on forums and blogs back through bjalo.com, which relayed them on to their ultimate source. The site which got the spam saw the link as something like http://ebiquity.umbc.edu:8080/d_umbc/cingular-ringtones.html, making it look like we were the spammers.
We’ve still not been able to understand how this was done. I suspect it was a PHP buffer overflow attack. We killed the process and locked our machine down tight and then discovered that several of our blogs had been compromised. We suspect it was because we were running a relatively old version of WordPress (2.0.4) that had some known vulnerabilities. Spammers were able to edit the templates of several of our blogs to add spam links to the footers. They mucked with the comment controls, disabled Akismet, and added over 800 spam comments to posts.
All of this came to a head on July 4, when most of our lab was away on travel or enjoying the (US) holiday. I was desperately trying to figure out what was going on and why by examining the web access logs and our MySQL query log. Anand and Filip were able to help and we eventually got things quieted down by disabling most of the Web administrative functions and using iptables to close off ports and block some IPs.
We’ve cleaned up the templates and killed the spam comments, updated our WordPress version, weeded out many unused user accounts, closed old posts to comments and trackbacks, and added some new instrumentation to our blogs and web server.
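The access-log triage described above can be partly automated. The following is an added example, not code from the post or from the ebiquity site: it parses Apache combined-format lines and flags requests that only make sense against an open proxy (absolute URIs or CONNECT in the request line rather than a local path), which is how a rogue relay on a port like 8080 shows up. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not taken from the post).
# Lines 2 and 4 are the kind of request a legitimate web server never sees: the
# client asked for a foreign absolute URI / a tunnel, i.e. it is using us as a proxy.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jul/2007:14:02:11 -0400] "GET /d_umbc/cingular-ringtones.html HTTP/1.1" 200 512 "http://forum.example/thread?id=9" "Mozilla/4.0"
203.0.113.7 - - [03/Jul/2007:14:02:12 -0400] "GET http://relay.example/ads/ringtones.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.21 - - [03/Jul/2007:14:03:40 -0400] "GET /~finin/papers/index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jul/2007:14:03:41 -0400] "CONNECT mail.example:25 HTTP/1.1" 200 0 "-" "curl/7.16"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_request(rec):
    """A request to our own vhost starts with '/'; an absolute URI or CONNECT means
    the client is treating this listener as a forward proxy."""
    return rec["method"] == "CONNECT" or rec["target"].startswith(("http://", "https://"))


def triage(log_text):
    """Return (proxy-style records, count of such requests per client IP)."""
    suspicious, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_proxy_request(rec):
            suspicious.append(rec)
            per_ip[rec["ip"]] += 1
    return suspicious, per_ip


if __name__ == "__main__":
    hits, counts = triage(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ip"]} {rec["method"]} {rec["target"]}')
    print("per-IP counts:", dict(counts))
```

The per-IP counts are the list you would feed to an iptables block rule; a client that sends even one absolute-URI request to a server that is not meant to proxy is worth looking at.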
I learned a thing or two last week. Things are running reasonably smoothly now, but me, I’m still very paranoid. Hey! what was that sound?
