[plug] Postfix Problems again (Spam Originating from my mailserver)

Shannon Carver Shannon.Carver at P-S-T.COM.AU
Fri Dec 2 08:59:22 WST 2005


Tim, 

I sat up last night (midnight seems so late nowadays), just to see if
anything changed as the time ticked over, and all seems well.  I've had
a quick look at that vulnerability and it seems on the money, I'm not
quite sure how it applies to becoming a spam bot.

I'll watch it over the next few days, and keep everyone updated (If
we're interested), and make sure I monitor rogue processes.

Thanks all

Shannon

-----Original Message-----
From: plug-bounces at plug.org.au [mailto:plug-bounces at plug.org.au] On
Behalf Of Timothy White
Sent: Friday, 2 December 2005 12:38 AM
To: plug at plug.org.au
Subject: Re: [plug] Postfix Problems again (Spam Originating from my
mailserver)

On 12/1/05, Shannon Carver <shannon.carver at p-s-t.com.au> wrote:
> If there's one thing I love about linux, and about this list, is no
> matter what the topic there's always some little thing to learn.  I
> must admit, I've never used the /proc/<process number> to get information
> before.  I've noticed them there but never pieced together they might
> be process information.

Well I only learnt about it early this year, when I was trying to see
how easy it would be to create a malicious script, and hide it. I
learnt quite a bit from that, and believe that some of my
discoveries, while trivial, would allow a hacker to hide his tools
quite well.

>
> Anyway back to it.. The script that started on Nov29 which may, or may
> not be causing an issue is some form of statistics generation script
> for my webmail client openwebmail, in the form
> /usr/lib/cgi-bin/openwebmail/userstat.pl.  This seems fine, apart from
> the fact that it was started by a random IP 61.218.37.215 which I've
> never heard of, nor have any affiliation with.

While an old exploit, who knows, it could be related, or you have an
old version of openwebmail.
http://archives.neohapsis.com/archives/fulldisclosure/2004-05/0388.html

In general, judging from the recent spate of vulnerabilities in web
stat software, I think that all stat scripts should only be
accessible by local address, probably not to the intranet unless
needed, and definitely not to the world. If you really need them from
the world, ssh a tunnel in, so it's local.

>
> Whether or not this could be causing the issue will have to wait and
> see.  I'll leave it for tonight with openwebmail stopped, and the
> scripts moved (a tack-on solution to see if the problem stops) and
> I'll look for security vulnerabilities in openwebmail and make sure to get
> the latest source from APT tomorrow.
>
> Thanks Timothy, thanks all, I'll update if I find anything else

No problem. Let us know the results. You have me intrigued as well,
wanting to know what's causing it!

Tim
--
Linux Counter user #273956
_______________________________________________
PLUG discussion list: plug at plug.org.au
http://www.plug.org.au/mailman/listinfo/plug
Committee e-mail: committee at plug.linux.org.au
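Shannon mentions monitoring rogue processes, and the thread touches on reading /proc/<pid> to learn what a process really is. The following is an added example, not code from this thread or from the list: a POSIX shell scanner that walks a /proc tree and flags processes whose executable has been unlinked from disk, or whose binary or working directory sits under a world-writable temp directory. The function name, the set of temp paths and the argument form are the example's own assumptions.

```shell
#!/bin/sh
# Scan a /proc-style tree for processes a rogue script would typically leave behind.
# Usage: suspicious_procs [proc_root]   (proc_root defaults to /proc; run as root
# for full coverage, since /proc/<pid>/exe of other users' processes is unreadable)
suspicious_procs() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        # exe and cwd are symlinks; readlink fails for kernel threads or foreign uids
        exe=$(readlink "$d/exe" 2>/dev/null) || exe="?"
        cwd=$(readlink "$d/cwd" 2>/dev/null) || cwd="?"
        # cmdline is NUL-separated argv; turn it into a single printable line
        if [ -r "$d/cmdline" ]; then
            cmd=$(tr '\000' ' ' < "$d/cmdline")
        else
            cmd="?"
        fi
        reason=""
        case "$exe" in
            *" (deleted)") reason="exe-deleted" ;;   # binary removed after launch
            /tmp/*|/var/tmp/*|/dev/shm/*) reason="exe-in-tmp" ;;
        esac
        if [ -z "$reason" ]; then
            case "$cwd" in
                /tmp/*|/var/tmp/*|/dev/shm/*) reason="cwd-in-tmp" ;;
            esac
        fi
        # one tab-separated line per hit: pid, reason, exe target, argv
        [ -n "$reason" ] && printf '%s\t%s\t%s\t%s\n' "$pid" "$reason" "$exe" "$cmd"
    done
    return 0
}

# Invoke with "scan" to check the live system: sh procscan.sh scan
case "${1:-}" in
    scan) suspicious_procs /proc ;;
esac
```

A clean system should print nothing; anything listed deserves a look at its /proc/<pid>/status, open files and parent before it is killed, since the parent is often the real foothold.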