[plug] Postfix Problems again (Spam Originating from my mailserver)

Timothy White weirdit at gmail.com
Fri Dec 2 00:38:01 WST 2005


On 12/1/05, Shannon Carver <shannon.carver at p-s-t.com.au> wrote:
> If there's one thing I love about Linux, and about this list, is no
> matter what the topic there's always some little thing to learn.  I must
> admit, I've never used the /proc/<process number> to get information
> before.  I've noticed them there but never pieced together they might be
> process information.

Well I only learnt about it early this year, when I was trying to see
how easy it would be to create a malicious script, and hide it. I
learnt quite a bit from that, and believe that some of my
discoveries, while trivial, would allow a hacker to hide his tools
quite well.

>
> Anyway back to it.. The script that started on Nov29 which may, or may
> not be causing an issue is some form of statistics generation script for
> my webmail client openwebmail, in the form
> /usr/lib/cgi-bin/openwebmail/userstat.pl.  This seems fine, apart from
> the fact that it was started by a random IP 61.218.37.215 which I've
> never heard of, nor have any affiliation with.

While an old exploit, who knows, it could be related, or you have an
old version of openwebmail.
http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0388.html

In general, judging from the recent spate of vulnerabilities in web
stat software, I think that all stat scripts should only be
accessible by local address, probably not to the intranet unless
needed, and definitely not to the world. If you really need them from
the world, ssh a tunnel in, so it's local.

>
> Whether or not this could be causing the issue will have to wait and
> see.  I'll leave it for tonight with openwebmail stopped, and the
> scripts moved (a tack on solution to see if the problem stops) and I'll
> look for security vulnerabilities in openwebmail and make sure to get
> the latest source from APT tomorrow.
>
> Thanks Timothy, thanks all, I'll update if I find anything else

No problem. Let us know the results. You have me intrigued as well,
wanting to know what's causing it!

Tim
--
Linux Counter user #273956
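
One way to check whether stat scripts on a server are being reached from anywhere other than the local address, as recommended in the message above. This is an added example, not part of the original thread. It assumes Apache "combined" access-log lines, a URL path of /cgi-bin/openwebmail/userstat.pl, and a hypothetical naming rule for "stat scripts"; the log lines are constructed.

```python
import ipaddress
import re

# Assumed Apache "combined" log format: client, ident, user, [time], "request", status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} ')
# Hypothetical rule for "stat scripts": a .pl/.cgi file whose name contains "stat".
STAT_SCRIPT = re.compile(r'/[^/?]*stat[^/?]*\.(?:pl|cgi)(?:\?|$)', re.I)

# Constructed sample input (not real log data from the thread).
SAMPLE_LOG = """\
127.0.0.1 - - [29/Nov/2005:10:01:02 +0800] "GET /cgi-bin/openwebmail/userstat.pl HTTP/1.1" 200 512 "-" "-"
61.218.37.215 - - [29/Nov/2005:10:05:40 +0800] "GET /cgi-bin/openwebmail/userstat.pl HTTP/1.0" 200 498 "-" "-"
192.168.1.20 - - [29/Nov/2005:10:07:11 +0800] "GET /cgi-bin/openwebmail/userstat.pl HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [29/Nov/2005:10:09:00 +0800] "GET /cgi-bin/openwebmail/openwebmail.pl HTTP/1.1" 200 4096 "-" "-"
host.example.net - - [29/Nov/2005:10:12:30 +0800] "GET /cgi-bin/openwebmail/userstat.pl HTTP/1.1" 200 512 "-" "-"
this is not a log line
"""


def zone(client):
    """Classify the client field as 'local', 'intranet', 'world' or 'unknown'."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return "unknown"  # hostname (HostnameLookups on) or junk: cannot be trusted as local
    if addr.is_loopback:
        return "local"
    return "intranet" if addr.is_private else "world"


def audit(log_text):
    """Return (zone, client, timestamp, path) for each stat-script hit not from loopback."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole audit
        client, when, path = m.groups()
        z = zone(client)
        if STAT_SCRIPT.search(path) and z != "local":
            findings.append((z, client, when, path))
    return findings


if __name__ == "__main__":
    for z, client, when, path in audit(SAMPLE_LOG):
        print(f"{z:8} {client:16} [{when}] {path}")
```

Any "world" or "unknown" row means the script is reachable from outside; "intranet" rows are worth reviewing against the "unless needed" condition in the message.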


