Spammers Snatches Control of SCCS Servers

Spammers compromised the SCCS server and used it to host and spew out spam mails that had pharmaceutical content. Owing to that, SCCS was forced to re-install the computer system taking it down from 7 pm to 12 am on 10 September 2007.

In an e-mail, LaTouche wrote that the logs showed there were URL weaknesses in index.php of The Phoenix, meaning that the page had failed to properly check the URL query line. The Phoenix Website has been taken offline for a security audit.

The Phoenix site was virtually enlisted as a dead site. The blogging software on it was very old and because of that, vulnerability existed, said Ben Mazer, a Free Culture member. Phoenix reported this on 13 September 2007. A deluge of ads promoted Viagra pills and porn flowed into the Website till the SCCS restored the site to them.

The attackers apparently managed to impose arbitrary commands on the system user www-data by which the Web server operates, and inserted files into the system that helped them to access it in future even after the flaw in The Phoenix Website was fixed. The files were posted on a number of sites that SCCS hosted.

A few of the ensuing problems may have emerged due to unused processes in background. Till the time a complete security audit for The Phoenix site had taken place, certain PHP Web coding protocols will remain blocked on the site. However, the site was activated in the evening on 10 September 2007 and its primary functions were found intact, according to LaTouche.

The spammers also used scripts after placing them in directories of the SCCS servers in order to skip spamming protocols of directories onto other SCCS-hosted Websites. These directories belonged to The Daily Gazette, Free Culture, and certain other user pages.

While the effect of the attack lingers, it is likely to affect the original state of the other SCCS sites as well. With spam being sent from the SCCS system, it could well put SCCS on black lists. But one has to wait to see it happening, according to LaTouche.

Related article: Spammers Continue their Campaigns Successfully

» SPAMfighter News - 10/1/2007