Mailinglist Archive: opensuse-security (670 mails)
RE: [suse-security] Security problem with sendmail?
- From: Boris Lorenz <bolo@xxxxxxx>
- Date: Mon, 26 Nov 2001 13:09:04 +0100 (CET)
- Message-id: <XFMail.011126130904.bolo@xxxxxxx>
Hi,
On 26-Nov-01 Laurie Brown wrote:
> Hi all,
>
> The log-checking script on one of the machines I look after has picked
> this up [edited to avoid giving too much away]:
>
> ---- cut here ----
> Nov 26 07:31:39 mymachine sendmail[16970]: HAA16970:
> from=<nobody@xxxxxxxxxxxxxx>, size=1860, class=0, pri=31860, nrcpts=1,
> msgid=<E168GFQ-0000vz-00@xxxxxxxxxxxxxx>, proto=ESMTP, relay=[66.78.13.34]
>
> Nov 26 07:31:39 mymachine sendmail[16971]: HAA16970: forward
> /dir/acct/.//.forward: Permission denied
>
> Nov 26 07:31:39 mymachine sendmail[16971]: HAA16970:
> to=<info@xxxxxxxxxxx>, delay=00:00:00, xdelay=00:00:00, mailer=local,
> stat=Sent
> ---- cut here ----
Since the system host.bwhst.com belongs to a company called "BestWebHost.com",
I guess the mail with the sender address nobody@xxxxxxxxxxxxxx is UBE/spam,
sent either by the owner(s) and/or user(s) of the domain itself, or by some
remote spammers who abused a crappy formmail.pl installation. Since they are
running an Apache 1.3.17 (www.bestwebhost.com, which often runs as nobody or
wwwrun), all this seems plausible, though it's a guess.
Sendmail's complaints about insufficient perms (2nd line of your log) don't fit
into this, however. Did you ever send mail with that acct account? Is there a
.forward file in the home dir of acct, and if so, is it readable by sendmail?
Finally, if you have a generic "info" alias in /etc/aliases, it's a feature of
sendmail to store any mail with that user-prefix in the local queue of the
account responsible for all the info mails, even if the domain is not local
from your perspective. Maybe this isn't correct at the first look, but it's due
to sendmail's (local) delivery rules (look for LOCAL_MAILER and local
domains entries in your .mc file and in sendmail.cw).
> The mail to info@xxxxxxxxxxx was some search engine spam. The
> /dir/acct directory is the home directory of a non-root account, set
> up that way (home=/dir/./acct) for chroot wuftpd. Should I be worried
> about this, and if so, what can I do about it?
Btw., do you have any process/network accounting? There's software for
accounting purposes which comes with a daemon called "acct" or "acctd"...
[...]
Hope it helps.
> Cheers, Laurie.
> --
> ---------------------------------------------------------------------
> Laurie Brown
> laurie@xxxxxxxxxxxx
> PGP key at http://pgpkeys.mit.edu:11371
> ---------------------------------------------------------------------
Boris Lorenz <bolo@xxxxxxx>
---
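A small log-correlation script of the kind Laurie's log checker could run, added here as an illustration and not part of the thread: it groups sendmail syslog lines by queue id and flags messages where the local mailer reported a `.forward` error while delivering mail that arrived from a non-loopback relay. The sample lines are constructed on the model of the quoted excerpt, with placeholder hosts and addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the excerpt quoted in the thread;
# hostnames, addresses and the relay IP are placeholders, not real indicators.
SAMPLE_LOG = """\
Nov 26 07:31:39 mymachine sendmail[16970]: HAA16970: from=<nobody@example.invalid>, size=1860, class=0, pri=31860, nrcpts=1, msgid=<m1@example.invalid>, proto=ESMTP, relay=[192.0.2.10]
Nov 26 07:31:39 mymachine sendmail[16971]: HAA16970: forward /dir/acct/.//.forward: Permission denied
Nov 26 07:31:39 mymachine sendmail[16971]: HAA16970: to=<info@example.test>, delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
Nov 26 07:40:02 mymachine sendmail[17002]: HAA17002: from=<alice@localhost>, size=512, class=0, pri=30512, nrcpts=1, msgid=<m2@localhost>, proto=ESMTP, relay=localhost [127.0.0.1]
Nov 26 07:40:02 mymachine sendmail[17003]: HAA17002: to=<bob@localhost>, delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
"""

# "sendmail[pid]: QUEUEID: rest-of-line"; the queue id ties the from/forward/to lines together
LINE_RE = re.compile(r'sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$')
# key=value pairs; values may be <addr>, [ip] or a bare token up to the next comma
KV_RE = re.compile(r'(\w+)=(<[^>]*>|\[[^\]]*\]|[^,]+)')
FORWARD_RE = re.compile(r'^forward (?P<path>\S+): (?P<err>.+)$')

def parse_queue(log_text):
    """Group sendmail syslog lines by queue id, collecting envelope fields and .forward errors."""
    queue = defaultdict(lambda: {"fields": {}, "forward_errors": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = queue[m.group("qid")]
        rest = m.group("rest")
        fm = FORWARD_RE.match(rest)
        if fm:
            entry["forward_errors"].append((fm.group("path"), fm.group("err")))
            continue
        for key, val in KV_RE.findall(rest):
            entry["fields"][key] = val.strip().strip("<>")
    return dict(queue)

def find_suspicious(queue):
    """Flag messages whose .forward could not be read during local delivery of
    mail that came in from a relay other than the loopback interface."""
    hits = []
    for qid, e in queue.items():
        relay = e["fields"].get("relay", "")
        external = "127.0.0.1" not in relay and "localhost" not in relay
        if e["forward_errors"] and external:
            hits.append({"qid": qid, "from": e["fields"].get("from"),
                         "to": e["fields"].get("to"), "relay": relay,
                         "forward": e["forward_errors"]})
    return hits
```

Run it over a real maillog instead of `SAMPLE_LOG` to see, per queue id, which sender, relay and recipient went with each `.forward` permission error.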