Hi,

On 26-Nov-01 Laurie Brown wrote:
Hi all,
The log-checking script on one of the machines I look after has picked this up [edited to avoid giving too much away]:
---- cut here ----
Nov 26 07:31:39 mymachine sendmail[16970]: HAA16970: from=, size=1860, class=0, pri=31860, nrcpts=1, msgid=, proto=ESMTP, relay=[66.78.13.34]
Nov 26 07:31:39 mymachine sendmail[16971]: HAA16970: forward /dir/acct/.//.forward: Permission denied
Nov 26 07:31:39 mymachine sendmail[16971]: HAA16970: to=, delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
---- cut here ----
Since the system host.bwhst.com belongs to a company called "BestWebHost.com", I guess the mail with the sender address nobody@host.bwhst.com is UBE/spam, sent either by the owner(s) and/or user(s) of the domain itself, or by some remote spammers who abused a crappy formmail.pl installation. Since they are running an Apache 1.3.17 (www.bestwebhost.com, which often runs as nobody or wwwrun), all this seems plausible, though it's a guess.

Sendmail's complaints about insufficient perms (2nd line of your log) don't fit into this, however. Did you ever send mail with that acct account? Is there a .forward file in the home dir of acct, and if so, is it readable by sendmail?

Finally, if you have a generic "info" alias in /etc/aliases, it's a feature of sendmail to store any mail with that user-prefix in the local queue of the account responsible for all the info mails, even if the domain is not local from your perspective. Maybe this isn't correct at first look, but it's due to sendmail's (local) delivery rules (look for LOCAL_MAILER and local domains entries in your .mc file and in sendmail.cw).
The mail to info@adomain.com was some search engine spam. The /dir/acct directory is the home directory of a non-root account, set up that way (home=/dir/./acct) for chroot wuftpd. Should I be worried about this, and if so, what can I do about it?
Btw., do you have any process/network accounting? There's software for accounting purposes which comes with a daemon called "acct" or "acctd"... [...] Hope it helps.
Cheers, Laurie.
--
---------------------------------------------------------------------
Laurie Brown laurie@brownowl.com
PGP key at http://pgpkeys.mit.edu:11371
---------------------------------------------------------------------
Boris Lorenz
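As an added example, not part of the thread above: a small Python log correlator that groups sendmail syslog lines by queue ID and flags the pattern Laurie reported, a `.forward` the mailer could not read followed by a local delivery logged as `stat=Sent`, so a log-checking script can report it as one event rather than three unrelated lines. The sample lines are constructed from the excerpt in the thread; the sender and recipient addresses were removed from the original, so placeholder addresses are used, and a second, unremarkable message is added to show that ordinary deliveries are not flagged.

```python
import re
from collections import defaultdict

# Constructed sample based on the excerpt in the thread. Addresses were
# stripped from the original, so placeholders (example.invalid) stand in.
SAMPLE_LOG = """\
Nov 26 07:31:39 mymachine sendmail[16970]: HAA16970: from=<sender@example.invalid>, size=1860, class=0, pri=31860, nrcpts=1, msgid=<placeholder@example.invalid>, proto=ESMTP, relay=[66.78.13.34]
Nov 26 07:31:39 mymachine sendmail[16971]: HAA16970: forward /dir/acct/.//.forward: Permission denied
Nov 26 07:31:39 mymachine sendmail[16971]: HAA16970: to=<info@adomain.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
Nov 26 08:02:10 mymachine sendmail[17002]: IAA17002: from=<bob@example.invalid>, size=500, class=0, pri=30500, nrcpts=1, msgid=<x@example.invalid>, proto=ESMTP, relay=[192.0.2.10]
Nov 26 08:02:10 mymachine sendmail[17003]: IAA17002: to=<alice@example.invalid>, delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
"""

# syslog prefix, sendmail PID and queue ID, then the free-form remainder
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)
# "forward <path>: <error>" lines written while sendmail tries to read .forward
FORWARD_RE = re.compile(r"^forward (?P<path>\S+): (?P<err>.+)$")
# key=value pairs; angle-bracketed addresses and bracketed relays may contain commas
KV_RE = re.compile(r"(\w+)=(<[^>]*>|\[[^\]]*\]|[^,]*)")


def parse_line(line):
    """Return a dict for one sendmail log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    fm = FORWARD_RE.match(rest)
    if fm:
        rec["event"] = "forward_error"
        rec.update(fm.groupdict())
    else:
        rec["event"] = "envelope"
        rec.update({k: v.strip() for k, v in KV_RE.findall(rest)})
    return rec


def group_by_queue_id(text):
    """Collect the from=/forward/to= records that share one queue ID."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[rec["qid"]].append(rec)
    return groups


def find_unreadable_forward_deliveries(text):
    """Flag queue IDs where a .forward read failed but local delivery still said Sent."""
    findings = {}
    for qid, recs in group_by_queue_id(text).items():
        errors = [r for r in recs if r["event"] == "forward_error"]
        if not errors:
            continue
        sent_local = [r for r in recs
                      if r.get("mailer") == "local" and r.get("stat") == "Sent"]
        relays = [r["relay"] for r in recs if "relay" in r]
        if sent_local:
            findings[qid] = {
                "forward_path": errors[0]["path"],
                "error": errors[0]["err"],
                "recipients": [r["to"] for r in sent_local],
                "relay": relays[0] if relays else None,
            }
    return findings


if __name__ == "__main__":
    for qid, info in find_unreadable_forward_deliveries(SAMPLE_LOG).items():
        print(qid, info)
```

Grouping on the queue ID (`HAA16970`) rather than the PID is what ties the lines together: the `from=` line is written by the receiving process and the `forward`/`to=` lines by the delivery child, so the PIDs differ while the queue ID is constant.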