Re: [suse-security] Re: Getting weird FETCHMAIL-DAEMON messages...
At 12:40 PM 29/01/2001, you wrote:
Dear All
Here are the contents of that e-mail:
From: FETCHMAIL-DAEMON@josswinn.org
To: matthew@psychohorse.com
Date: Mon, 29 Jan 2001 07:04:08 +0900
I've been getting these for a few days. Not sure where from?
On Thursday night at midnight my net facing box was broken into and someone replaced sendmail.cf with another one. What this meant was that when my box downloaded mail it then forwarded it to many people on the internet. I discovered this and replaced sendmail.cf before any damage was done.
Tonight I was about to reply to this e-mail at about midnight and someone broke in and destroyed my Pine 4.32 mail app. That meant that I couldn't send this mail either.
So, what's going on? I don't know either.
Mate, unplug the box from the net. If it has been broken into you don't know what has been compromised. Please email me back privately if you need help. I will be contactable for the next 8hrs or so by email. (I am ducking out to grab some lunch now, but will be back in 20min..)
Cheers
--- Nix - nix@susesecurity.com http://www.susesecurity.com
I will e-mail josswin, as he may be compromised.
I am using Postfix, what should I look for on the server? Not sure if I have been broken into, but it's certainly shaken me up (and it's best to assume that I have been compromised, better safe than sorry).
Now checking through Nix's website, nice to have a resource like that!
Matt
On Sunday 28 January 2001 05:53 pm, Nix wrote:
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Look, if someone can break in and replace the sendmail.cf file, it means that you have been compromised in some way to root level. i.e. You have been OWNED! Don't take this lightly, you may even want to get the police involved as it IS an offense. Meantime, do not connect your machine to the internet. If this was my machine I would be rebuilding it from CD, and install ALL security patches before connecting it back to the internet. You MUST also use entirely new passwords, and you have to assume that a sniffer as well as a ssh/sshd backdoor has been installed. This means that any machines that you have connected from or to this machine may also be compromised. DO NOT TAKE THIS LIGHTLY. Unless you are SURE that you are better than the people who attacked you (and no offense intended, but if you were you would not have been broken into in this manner) and know the files on your system intimately AND run something like Tripwire or AIDE, then you HAVE to assume the worst.
I spent several days last week tracking an intrusion through a financial institution. (i.e. I do this stuff for a living) so please take me seriously...
Regards
Nix
At 02:08 PM 29/01/2001, you wrote:
--- Nix - nix@susesecurity.com http://www.susesecurity.com
Along with all that was said below, a good place to look for compromises is in /var/log/messages. This is where your system logs all sorts of things. But if the people who attacked you are good (just because you are compromised does not mean that the people are good), they will destroy this information. Look for out-of-the-ordinary things, like weird user logins and weird sshd attempts or something of that sort. Also, just check your lastlog; they may not have been able to remove their entry from it. I say to check these things, a. because it is a good idea to check on your system and b. if they are sending you mail from their domain, it probably means that they are not that good. But it also might mean that josswin is compromised.
Another good thing to do is get a good book on security. Sometimes they seem overwhelming, but there are some basic things you need to do if you want to secure a system on the network. Especially if you have a permanent connection (i.e. DSL).
And try not to give out too much information about your server. I noticed that you advertise on your website that you are run by SuSE 7.0. Which is a great ad for SuSE, but bad for you. By advertising your distribution, you advertise all known security flaws with it. Especially if you are not used to updating your system.
enjoy, michael
On Mon, 29 Jan 2001, Nix wrote:
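The log review Michael describes, as an added example that is not from the thread or from any of the posters: a POSIX shell script run over constructed syslog-style sshd and useradd lines (documentation addresses, the host name "box" and the user names are all made up) that counts failed sshd attempts per source, lists successful logins, flags a success from an address that had just been failing, lists accounts created with UID 0, and reports log lines whose timestamp steps backwards, one sign that the file has been trimmed by hand.

```shell
#!/bin/sh
# Added example (not from the thread): a first pass over syslog-style
# sshd/useradd lines of the kind SuSE 7.0 writes to /var/log/messages,
# looking for what Michael names: odd logins, odd sshd attempts, and
# signs that the log itself has been edited. The sample lines below are
# constructed for this example and use documentation address ranges.

LOG=${LOG:-${TMPDIR:-/tmp}/messages.sample}
cat > "$LOG" <<'EOF'
Jan 28 23:58:01 box sshd[2011]: Accepted password for matthew from 192.0.2.10 port 4021
Jan 28 23:59:40 box sshd[2020]: Failed password for root from 203.0.113.7 port 3101
Jan 28 23:59:41 box sshd[2020]: Failed password for root from 203.0.113.7 port 3101
Jan 28 23:59:43 box sshd[2020]: Failed password for root from 203.0.113.7 port 3101
Jan 29 00:00:05 box sshd[2024]: Accepted password for root from 203.0.113.7 port 3107
Jan 29 00:03:12 box useradd[2031]: new user: name=games2, UID=0, GID=0, home=/, shell=/bin/sh
Jan 29 00:02:00 box sshd[2040]: Failed password for guest from 198.51.100.4 port 2222
EOF

# Failed sshd password attempts, counted per source address and target user.
failed_by_source() {
    awk '/sshd\[[0-9]*\]: Failed password for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  usr = $(i + 1)
                if ($i == "from") src = $(i + 1)
            }
            n[src " " usr]++
         }
         END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Successful sshd logins as "user source": an intruder's own session, if
# it was logged at all, appears here.
accepted_logins() {
    awk '/sshd\[[0-9]*\]: Accepted/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  usr = $(i + 1)
                if ($i == "from") src = $(i + 1)
            }
            print usr, src
         }' "$1"
}

# A success from an address that had been failing shortly before is the
# guess-then-succeed pattern; report such logins with the failure count.
suspicious_accepts() {
    accepted_logins "$1" | while read -r usr src; do
        nfail=$(grep -c "Failed password for .* from $src port" "$1" || true)
        if [ "$nfail" -gt 0 ]; then
            echo "$usr $src failed=$nfail"
        fi
    done
}

# Accounts created with UID 0: a second root account is a common leftover.
new_uid0_accounts() {
    awk '/useradd\[[0-9]*\]: new user:/ && /UID=0,/ {
            sub(/.*name=/, ""); sub(/,.*/, ""); print
         }' "$1"
}

# syslog appends in time order, so a timestamp that steps backwards means
# lines were removed or the file was rewritten; print those lines.
out_of_order() {
    awk 'BEGIN { n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                 for (i = 1; i <= n; i++) mon[m[i]] = i }
         { key = sprintf("%02d%02d %s", mon[$1], $2, $3)
           if (NR > 1 && key < prev) print NR ": " $0
           prev = key }' "$1"
}

echo "== failed attempts (count source user)"; failed_by_source "$LOG"
echo "== accepted logins";                     accepted_logins "$LOG"
echo "== suspicious accepts";                  suspicious_accepts "$LOG"
echo "== new UID 0 accounts";                  new_uid0_accounts "$LOG"
echo "== log lines out of time order";         out_of_order "$LOG"
```

Point LOG at a copy of the real /var/log/messages to run it against a machine; the lastlog check Michael mentions is separate, since lastlog is a binary file read with the lastlog(8) command.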
Oh, it's updated :-). It's an addiction of mine.... This time a good one. Checked logs, nothing out of the ordinary, whic. Now is the time for me to change the pop, smtp banners and others too. Maybe make a banner that is a totally different OS? How is that accomplished?
Thanks for everyone's insights.
Matt
On Sunday 28 January 2001 07:38 pm, Michael Chletsos wrote:
Once an attacker has root it is time to reinstall the OS from trusted media. As for fiddling with the login banner, tcp_wrappers will do so nicely.
http://www.securityportal.com/closet/closet20001115.html
Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
At 03:13 PM 29/01/2001, you wrote:
As for fiddling login banner, tcp_wrappers will do so nicely.
Yes, and no. Personally I prefer that NO-ONE knows the exact versions I'm running, or even what "brand" of service I'm running. This is especially the case if you are an Internet provider or some other public service where you could have many thousands of legitimate users.. You can certainly have a lot of fun with inetd tricks though :-)
Cheers
--- Nix - nix@susesecurity.com http://www.susesecurity.com
Speaking of email... I've been using Postfix exclusively now for just over 2 years. From Wietse Venema:

Postfix snapshot 20010128 will become the first non-beta release, modulo bugfixes. As always, whatever code I release runs on my own systems.

This version ships with a new virtual mailbox-only delivery agent, an updated nqmgr (new queue manager) and with an updated LMTP client that supports SASL authentication.

Primary site: ftp.porcupine.org/mirrors/postfix-release/experimental
164701 Jan 28 21:22 snapshot-20010128.HISTORY
40910 Jan 28 21:22 snapshot-20010128.RELEASE_NOTES
1033120 Jan 28 21:22 snapshot-20010128.tar.gz
152 Jan 28 21:22 snapshot-20010128.tar.gz.sig

Or point your browser at: ftp://ftp.porcupine.org/mirrors/postfix-release/index.html

Wietse

Extract from RELEASE_NOTES
==========================

Incompatible changes with snapshot-20010128
===========================================

REJECT in header/body_checks is now flagged as policy violation rather than bounce, for consistency in postmaster notifications.

The mailbox size limit for local delivery is no longer controlled by the message_size_limit parameter, but by a separate parameter called mailbox_size_limit (default: 20MBytes).

The default RBL (real-time blackhole lists) domain examples have been updated from *.vix.com to *.mail-abuse.org.

Major changes with snapshot-20010128
====================================

Updated nqmgr (experimental queue manager with clever queueing strategy) by Patrik Rak. This code is still new. Once it stops changing (for a long time!) it will become part of the non-beta release.

Virtual mailbox delivery agent by Andrew McNamara. This delivery agent can deliver mail for any number of domains. See the file VIRTUAL_README for detailed examples. This code is still new. Once it stops changing it will become part of the non-beta release.

Many "valid_hostname" warnings were eliminated, and the rest were replaced by something more informative.

SASL support (RFC 2554) for the LMTP delivery agent. This is required by recent Cyrus implementations when delivering mail over TCP sockets. The LMTP_README file has been updated but still contains some obsolete information.

Workarounds for non-standard RFC 2554 (AUTH command) implementations. Specify "broken_sasl_auth_clients = yes" to enable SMTP server support for old Microsoft client applications. The Postfix SMTP client supports non-standard RFC 2554 servers by default.

Change log since the 20001217 snapshot release
==============================================

20001218
Bugfix: the MYSQL client did not provide function pointers for unimplemented operations, causing "postmap -d" to dump core instead of issuing an error message. This is what I get for accepting code that I cannot test myself.

20001221
Code cleanup: configuration parameters that are $name expanded at run-time now have their own data type hierarchy instead of being piggy-backed on top of strings that are $name expanded at program initialization time. Files: global/mail_conf.h, global/mail_conf_raw.c, and code that calls it.

20001230
Update: replaced the default rbl.maps.vix.com setting by the current blackholes.mail-abuse.org.

20010102
Code cleanup: the queue manager is a bit greedier with allocating a delivery agent. Problem pointed out by Patrik Rak. All bugs in the solution are mine. Files: *qmgr/qmgr_active.c.

20010105
Bugfix: the FILTER_README shell script example did not correctly pass exit status to the parent.
Bugfix: soft errors in client hostname lookups would be treated as hard errors. Fix by Michael Herrmann (informatik.tu-muenchen.de). File: smtpd/smtpd_peer.c.

20010110
Bugfix: the mkdir() EEXIST race condition workaround was not complete. Matthias Andree, Daniel Roesen. Files: global/mail_queue.c, util/make_dirs.c.

20010111
Portability: IRIX 6.5.10 defines sa_len as a macro, causing a name collision with a variable used by Postfix. Roberto Totaro, enigma.ethz.ch. File: smtpstone/smtp-source.c.

20010116
Bugfix: REJECT by header/body_checks was flagged in smtpd as a bounce, should be policy, in order to make postmaster notifications more consistent. File: smtpd/smtpd.c.
Merged updated chroot setup procedure by Matthias Andree. Files: examples/chroot-setup/LINUX2.

20010117
Formatting: changed the seconds and days formats in the "your mail is delayed" text so that it does not switch to scientific notation. File: bounce/bounce_notify_util.c.

20010119
Feature: SASL support for the LMTP client. Recent CYRUS software requires this for Postfix over TCP sockets.

20010120
Bugfix: the 20001005 revised fallback_relay support caused Postfix to send mail to the fallback even when the local machine was an MX host for the final destination. Result: mailer loop. Found by Laurent Wacrenier (teaser.fr). Files: smtp/smtp_connect.c, smtp/smtp_addr.c.

20010121
Workaround: specify "broken_sasl_auth_clients = yes" in order to support old Microsoft clients that implement a non-standard version of RFC 2554 (AUTH command).
Workaround: Lotus Domino 5.0.4 violates RFC 2554 and replies to EHLO with AUTH=LOGIN. File: smtp/smtp_proto.c.

20010125
Code cleanup: wrote creator/destructor for dictionary objects that provides default methods that trap all attempts to perform an unimplemented operation. Based on an ansatz by Laurent Wacrenier (teaser.fr). Files: util/dict*.[hc].
Code cleanup: INSTALL.sh does not ask questions when stdin is not connected to a tty (as in: make install
Participants (4): Kurt Seifried, Matthew, Michael Chletsos, Nix