July 2004 - openSUSE Security - openSUSE Mailing Lists

Re: [suse-security] Strange log: apache succesfull access
by lists＠kar.eclipse.co.uk 02 Jul '04

02 Jul '04

This may help you Manuel: http://cert.uni-stuttgart.de/archive/suse/security/2004/02/msg00406.html http://cert.uni-stuttgart.de/archive/suse/security/2004/02/msg00412.html *** On Fri, 2 Jul 2004, Manuel [iso-8859-15] Balderrábano wrote: > To: suse-security(a)suse.com > From: "Manuel [iso-8859-15] Balderrábano" <garibolo(a)wanadoo.es> > Subject: [suse-security] Strange log: apache succesfull access > > Hi, list. > I have just seen this strange entrys in my apache logs: > > > ... > 203.86.166.95 - - [29/Jun/2004:03:45:42 +0200] "CONNECT 205.158.62.146:25 HTTP/1.0" 200 8307 > 203.86.166.95 - - [29/Jun/2004:03:45:55 +0200] "PUT http://205.158.62.146:25/ HTTP/1.0" 200 8307 > 203.86.166.95 - - [29/Jun/2004:03:45:56 +0200] "POST http://205.158.62.146:25/ HTTP/1.0" 200 8307 > 217.34.125.65 - - [29/Jun/2004:19:10:27 +0200] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 8307 > ... > 213.4.22.177 - - [30/Jun/2004:21:05:44 +0200] "POST http://194.224.58.61:25/ HTTP/1.0" 200 8307 > 213.4.22.177 - - [30/Jun/2004:21:56:04 +0200] "PUT http://194.224.58.61:25/ HTTP/1.0" 200 8307 > > They were all succesfull!!!! Check out the above two links Manuel!

1 0

RE: [suse-security] postfix - amavisd-new - clamav
by Cristian Del Carlo 02 Jul '04

02 Jul '04

it is ok .... i think. I control so : cristian:/var/run # pgrep clamd 8924 cristian:/var/run # ps -aef | grep clam vscan 8924 1 0 16:39 ? 00:00:00 clamd root 9182 6965 0 17:38 pts/38 00:00:00 grep clam Thanks, On Jul 01, 2004 05:33 PM, Gilles Chung <gchung(a)aew.com> wrote: > Ok, what about clamd? Is it running? > And another question what is the user running clam daemon?? > > Regards > Gilles > > -----Original Message----- > From: Cristian Del Carlo [mailto:delcarlo@osratoscana.it] > Sent: Thursday, July 01, 2004 11:22 AM > To: Gilles Chung > Cc: suse-security(a)suse.com > Subject: RE: [suse-security] postfix - amavisd-new - clamav > > No , > becouse if i run the netstat command i have : > > cristian:/var/run # netstat -ntap > Active Internet connections (servers and established) > Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name > tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 8974/amavisd (maste > tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 8661/master > > And if i use telnet i have the connection : > > cristian:/var/run # telnet localhost 10024 > Trying 127.0.0.1... > Connected to localhost. > Escape character is '^]'. > 220 [127.0.0.1] ESMTP amavisd-new service ready > > > On Jul 01, 2004 05:10 PM, Gilles Chung <gchung(a)aew.com> wrote: > > > Hi > > Could it be amavisd not running?? > > It seems you cannot connect to localhost via 10024 > > > > Jul 1 16:46:43 localhost postfix/smtp[9016]: connect to localhost[::1]: > > Connection refused (port 10024) > > Jul 1 16:46:45 localhost amavis[8976]: (08976-01) ESMTP::10024 > > /var/spool/amavis/amavis-20040701T164644 > > -08976: <cristian2(a)cristian.lucca.osratoscana.it> -> > > <cristian.delcarlo(a)osratoscana.it> Received: SIZE=1 > > > > Gilles > > > > > > Cristian Del Carlo > delcarlo(a)osratoscana.it > Tel. 0583 424700 > Fax 0583 424750 > http://www.osratoscana.it > > Il testo e gli eventuali documenti trasmessi contengono informazioni riservate al destinatario indicato. La seguente e-mail è confidenziale e la sua riservatezza è tutelata legalmente dal Decreto Legislativo 196 del 30/06/2003 (Codice di tutela della privacy). La lettura, copia o altro uso non autorizzato o qualsiasi altra azione derivante dalla conoscenza di queste informazioni sono rigorosamente vietate. Qualora abbiate ricevuto questo documento per errore siete cortesemente pregati di darne immediata comunicazione al mittente e di provvedere, immediatamente, alla sua distruzione. > > Cristian Del Carlo delcarlo(a)osratoscana.it Tel. 0583 424700 Fax 0583 424750 http://www.osratoscana.it Il testo e gli eventuali documenti trasmessi contengono informazioni riservate al destinatario indicato. La seguente e-mail è confidenziale e la sua riservatezza è tutelata legalmente dal Decreto Legislativo 196 del 30/06/2003 (Codice di tutela della privacy). La lettura, copia o altro uso non autorizzato o qualsiasi altra azione derivante dalla conoscenza di queste informazioni sono rigorosamente vietate. Qualora abbiate ricevuto questo documento per errore siete cortesemente pregati di darne immediata comunicazione al mittente e di provvedere, immediatamente, alla sua distruzione.

2 1

AW: [suse-security] Filter out bad emails
by Rasp, Robert 02 Jul '04

02 Jul '04

Hello, i know about the patch. This patch only helps, if qmail is used as server. I use qmail as relay and virus-protection. The unwonted mails came from our own Exchange-Server. Because he wants to tell the (not existing) sender about a not existing emailadress. CU Robert -----Ursprungliche Nachricht----- Von: Theo v. Werkhoven [mailto:twe-suse.sec@ferrets4me.xs4all.nl] Gesendet: Donnerstag, 1. Juli 2004 23:18 An: suse-security(a)suse.com Betreff: Re: [suse-security] Filter out bad emails On Thu, 01 Jul 2004, Rasp, made the net somewhat safer by saying: > Hello, > > i use qmail with spamassassin and qmail-scanner. > As you all know, most of the spamers generate emailadresse by them mself and try to deliver ther sh** to the "new recepient". > > The LINUX-Box is only our relay. In the back is a Exchange-Server working. > The EX-Server trys to answers to the non existent mailadress of the spammer. > Spamassassin has already markted this mails as spam. > How can i use MAILDROP (or someting else) to kill this mails. Qmail can be patched to reject unknown recipients. Postfix or Sendmail or Exim don't need patching, and do this of-the-shelve. Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 27N , 4 29 45E. + ICQ: 277217131 SUSE 9.1 + Jabber: gurp(a)nedlinux.nl Kernel k_athlon-2.6.4 + MSN: twe-msn(a)ferrets4me.xs4all.nl See headers for PGP/GPG info. +

2 1

RE: [suse-security] postfix - amavisd-new - clamav
by Cristian Del Carlo 02 Jul '04

02 Jul '04

No , becouse if i run the netstat command i have : cristian:/var/run # netstat -ntap Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 8974/amavisd (maste tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 8661/master And if i use telnet i have the connection : cristian:/var/run # telnet localhost 10024 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 [127.0.0.1] ESMTP amavisd-new service ready On Jul 01, 2004 05:10 PM, Gilles Chung <gchung(a)aew.com> wrote: > Hi > Could it be amavisd not running?? > It seems you cannot connect to localhost via 10024 > > Jul 1 16:46:43 localhost postfix/smtp[9016]: connect to localhost[::1]: > Connection refused (port 10024) > Jul 1 16:46:45 localhost amavis[8976]: (08976-01) ESMTP::10024 > /var/spool/amavis/amavis-20040701T164644 > -08976: <cristian2(a)cristian.lucca.osratoscana.it> -> > <cristian.delcarlo(a)osratoscana.it> Received: SIZE=1 > > Gilles > Cristian Del Carlo delcarlo(a)osratoscana.it Tel. 0583 424700 Fax 0583 424750 http://www.osratoscana.it Il testo e gli eventuali documenti trasmessi contengono informazioni riservate al destinatario indicato. La seguente e-mail è confidenziale e la sua riservatezza è tutelata legalmente dal Decreto Legislativo 196 del 30/06/2003 (Codice di tutela della privacy). La lettura, copia o altro uso non autorizzato o qualsiasi altra azione derivante dalla conoscenza di queste informazioni sono rigorosamente vietate. Qualora abbiate ricevuto questo documento per errore siete cortesemente pregati di darne immediata comunicazione al mittente e di provvedere, immediatamente, alla sua distruzione.

2 1

Vacation and out of office autoresponders
by Carlos E. R. 02 Jul '04

02 Jul '04

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I got not less than 5 autoresponses from vacation type programs for a single message I posted to this list, on the "Execute a SSH command" thread. Is that the normal behaviour normal here? I don't understand how people interested on security can be so careless with autoresponders :-/ :-O These are the culprits - I name them so that they can know what is happening, if they really read the list: 1) t.foecking#kreis-borken.de robin1.listas#tiscali.es betreff Mailer Dämon - Unknown User Die Nachricht an t.foecking#kreis-borken.de konnte nicht zugestellt werden. Der Empfänger ist hier unbekannt. (I know no german, so I have no idea what they are telling me) 2) ig-relacionamento#ig.com.br Caro(a) cliente, Agradecemos sua mensagem e continuamos trabalhando para oferecer um atendimento cada vez melhor. (I'm not their client!) 3) postmaster#mavari.be Subject: Delivery Status Notification (Failure)+AFs-Scanned+AF0- Message, "Re: [suse-security] Execute a SSH command[Scanned]" Delivery to the following recipients failed. postmaster#mavari.be (a postmaster on the list, as such "postmaster"?) 4) From: suporte#hpg.com.br Subject: Re: Re: [suse-security] Execute a SSH command Olá, Recebemos seu email e logo entraremos em contato via e-mail. Por favor, aguarde. (another one confusing me for a customer, I guess - I know no portuguese) 5) From: Stefan Orth <SORTH#de.ibm.com> Subject: Stefan Orth/Germany/IBM is out of the office. I will be out of the office starting 26.06.2004 and will not return until04.07.2004. - -- Cheers, Carlos Robinson -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Made with pgp4pine 1.76 iD8DBQFA40gQtTMYHG2NR9URAu1QAJ9raU5SykhtKTS6V1Lwoz6gix39SwCdEP3w 3P35IB0BF1MM81GXAXiAw0U= =xtjc -----END PGP SIGNATURE-----

4 5

Filter out bad emails
by Rasp, Robert 01 Jul '04

01 Jul '04

Hello, i use qmail with spamassassin and qmail-scanner. As you all know, most of the spamers generate emailadresse by them mself and try to deliver ther sh** to the "new recepient". The LINUX-Box is only our relay. In the back is a Exchange-Server working. The EX-Server trys to answers to the non existent mailadress of the spammer. Spamassassin has already markted this mails as spam. How can i use MAILDROP (or someting else) to kill this mails. Because this mails make my queue on the qmail-Server grow and grow ... Its not allowed to me to drop all mails marked as spam. But its allowed to drop mails, marked as spam which are send from our own Postmaster. thanks for your Help Robert Rasp

2 1

amavis, message has been quarantined
by Emiliano Sutil 01 Jul '04

01 Jul '04

Hello I have postfix with amavis as mail server. I have received an email that amavis has rejected and send me an email with this information The message has been quarantined as: /var/spool/amavis/virusmails/virus-20040701-160935-20728-10 Now I want to get this message, How I can do that? Thanks Emiliano Sutil

2 1

postfix - amavisd-new - clamav
by Cristian Del Carlo 01 Jul '04

01 Jul '04

Hi, i have tried to configure postfix with amavis-new and clamav , but clamav doesn't scan te mail. This is my configuration in /etc/postfix/main.cf : content_filter = smtp-amavis:[127.0.0.1]:10024 And in /etc/postfix/master.cf : smtp-amavis unix - - y - 2 smtp -o smtp_data_done_timeout=1200 localhost:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 Amavisd-new is so configured : ..... @av_scanners = ( ['Clam Antivirus-clamd', \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.ctl"], qr/\bOK$/, qr/\bFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ], ); .... My /etc/clamav.conf is so sonfigured : LogFile /var/log/clamd.log LogFileMaxSize 2M LogSyslog LogFacility LOG_MAIL LogVerbose PidFile /var/run/clamd.pid DatabaseDirectory /usr/share/clamav LocalSocket /var/run/clamd.ctl MaxThreads 12 ReadTimeout 180 MaxDirectoryRecursion 15 User vscan ScanOLE2 ScanMail ScanArchive ArchiveMaxFileSize 10M ArchiveMaxRecursion 5 ArchiveMaxFiles 1000 ArchiveMaxCompressionRatio 200 ClamukoScanOnOpen ClamukoScanOnClose ClamukoScanOnExec ClamukoIncludePath /home ClamukoMaxFileSize 1M ClamukoScanArchive When i send a mail in /var/log/mail i have the following messages : Jul 1 16:46:43 localhost postfix/smtp[9016]: connect to localhost[::1]: Connection refused (port 10024) Jul 1 16:46:45 localhost amavis[8976]: (08976-01) ESMTP::10024 /var/spool/amavis/amavis-20040701T164644 -08976: <cristian2(a)cristian.lucca.osratoscana.it> -> <cristian.delcarlo(a)osratoscana.it> Received: SIZE=1 370 BODY=8BITMIME from cristian.lucca.osratoscana.it ([127.0.0.1]) by localhost (cristian.lucca.osratosc ana.it [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08976-01 for <cristian.delcarlo@osratoscana. it>; Thu, 1 Jul 2004 16:46:45 +0200 (CEST) Jul 1 16:46:46 localhost amavis[8976]: (08976-01) Checking: <cristian2(a)cristian.lucca.osratoscana.it> - > <cristian.delcarlo(a)osratoscana.it> Jul 1 16:46:56 localhost amavis[8976]: (08976-01) spam_scan: hits=0 tests= Jul 1 16:46:57 localhost amavis[8976]: (08976-01) FWD via SMTP: [127.0.0.1]:10025 <cristian2(a)cristian.l ucca.osratoscana.it> -> <cristian.delcarlo(a)osratoscana.it> Jul 1 16:46:58 localhost postfix/smtpd[9025]: connect from localhost[127.0.0.1] Jul 1 16:46:58 localhost postfix/smtpd[9025]: 9EAE82E5AE: client=localhost[127.0.0.1] Jul 1 16:46:58 localhost postfix/cleanup[9013]: 9EAE82E5AE: message-id=<20040701.DVZ.53753800@cristian. lucca.osratoscana.it> Jul 1 16:46:59 localhost postfix/smtpd[9025]: disconnect from localhost[127.0.0.1] Jul 1 16:46:59 localhost amavis[8976]: (08976-01) Passed, <cristian2(a)cristian.lucca.osratoscana.it> -> <cristian.delcarlo(a)osratoscana.it>, Message-ID: <20040701.DVZ.53753800(a)cristian.lucca.osratoscana.it>, Hits: 0 Jul 1 16:46:59 localhost amavis[8976]: (08976-01) TIMING [total 15754 ms] - SMTP EHLO: 153 (1%), SMTP pre-MAIL: 0 (0%), mkdir tempdir: 662 (4%), create email.txt: 250 (2%), SMTP pre-DATA-flush: 282 (2%), SMTP DATA: 248 (2%), body hash: 338 (2%), mkdir parts: 377 (2%), mime_decode: 1072 (7%), get-file-type: 1726 (11%), get-file-type: 98 (1%), decompose_part: 277 (2%), decompose_part: 512 (3%), get-file-type: 20 (0%), decompose_part: 1 (0%), parts: 0 (0%), SA msg read: 479 (3%), SA parse: 162 (1%), SA check: 6067 (39%), fwd-connect: 1581 (10%), fwd-mail-from: 52 (0%), fwd-rcpt-to: 438 (3%), write-header: 49 (0%), fwd-data: 0 (0%), fwd-data-end: 682 (4%), fwd-rundown: 1 (0%), unlink-2-files: 224 (1%), rundown: 0 (0%) Jul 1 16:46:59 localhost postfix/smtp[9016]: C33DE2E5AD: to=<cristian.delcarlo(a)osratoscana.it>, relay=localhost[127.0.0.1], delay=18, status=sent (250 2.6.0 Ok, id=08976-01, from MTA: 250 Ok: queued as 9EAE82E5AE) Jul 1 16:47:00 localhost postfix/qmgr[8674]: 9EAE82E5AE: from=<cristian2(a)cristian.lucca.osratoscana.it>, size=1822, nrcpt=1 (queue active) Jul 1 16:47:00 localhost postfix/qmgr[8674]: C33DE2E5AD: removed Where is the mistake ? Best regards, Cristian Del Carlo delcarlo(a)osratoscana.it Tel. 0583 424700 Fax 0583 424750 http://www.osratoscana.it Il testo e gli eventuali documenti trasmessi contengono informazioni riservate al destinatario indicato. La seguente e-mail è confidenziale e la sua riservatezza è tutelata legalmente dal Decreto Legislativo 196 del 30/06/2003 (Codice di tutela della privacy). La lettura, copia o altro uso non autorizzato o qualsiasi altra azione derivante dalla conoscenza di queste informazioni sono rigorosamente vietate. Qualora abbiate ricevuto questo documento per errore siete cortesemente pregati di darne immediata comunicazione al mittente e di provvedere, immediatamente, alla sua distruzione.

2 3

Found file in /dev: "h"
by Manfred Rebentisch 01 Jul '04

01 Jul '04

Hello, I found a normal file in /dev: "h" on one of my servers: # ls -al /dev/h -rw-r--r-- 1 root root 446 Feb 19 14:17 /dev/h It contains the following text between binary code: Invalid partition table^@No operating system^@Error loading operating system Is this from a rootkit or normal to SuSE 9.0? Thank you for an answer. Manfred

7 12

Re: [suse-security] Waiting for device /dev/900 to appear
by Werner Penz 01 Jul '04

01 Jul '04

...you mean "experimental on 2.6.x kernel" OK, but switching back is not as easy (for me) as ist sounds ( firewall etc) anyway...... i NEVER put a root on a RAID. I reinstalled the same box, just leaving / on a normal partition (ext3) and all works fine..... and hoping the harddisk wont fail until my backup is done ! ...a frustrated Linux User ! > Raid is kind a experimental on 2.4.x kernels, better chose 2.4.x kernel. > > Uninstall kernel 2.6.x, then install kernel 2.4.x (x means latest one). Then > start lilo or change settings within grub. > > Afterwards reboot - not before the installation of kernel 2.4.x (otherwise > you cannot load any kernelmodules and that would be not funny)!!! > > Philippe > ----- Original Message ----- > From: "Werner Penz" <dev.penz(a)tirol.com> > To: <suse-security(a)suse.com> > Sent: Wednesday, June 30, 2004 5:21 PM > Subject: [suse-security] Waiting for device /dev/900 to appear > > > > OK, id did a complete new installation (same box) > > with the same disk-configuration: > > > > /dev/hda2 + /dev/hdb2 als raid1: /dev/md0 = / #root (ext3) > > /dev/hda1 = /boot > > > > from original CD SuSe 91prof. > > minimal System installed. > > > > all works fine until i upgrade the kernel 2.6.4 to 2.6.5 from > > the ftp.suse.com with YOU. > > > > The boot aborts with: > > > > raidautorun > > ... > > waiting for device /dev/900 to appear ...(short delay ) .... not found.... > > > > > > RAIDs never saved me from a "dilemma", > > for me, the always created one ! > > > > > > > > > > > > > > > > -- > > Check the headers for your unsubscription address > > For additional commands, e-mail: suse-security-help(a)suse.com > > Security-related bug reports go to security(a)suse.de, not here > > > > >

2 1