Hi, I'm using SuSE 6.4, running sendmail 8.9.3-105, on an internet-facing server. Over the weekend, I received a very strange mail to one of my accounts, the contents of which concern me. I've changed things to disguise the real server and email addresses for obvious reasons.

---- cut here ----
Return-Path: <user@thedomain.com>
Received: from thedomain.com ([202.99.48.42])
        by mailserver.thedomain.com (8.9.3/8.9.3) with SMTP id UAA12813
        for <user@thedomain.com>; Sat, 29 Sep 2001 20:15:47 +0100
Date: Sat, 29 Sep 2001 20:15:47 +0100
From: ### THE DESCR. STRING FROM /etc/passwd!! ### <user@thedomain.com>
Message-ID: <200109291915.UAA12813@mailserver.thedomain.com>
Subject: OKOO聊天室，等你一起来啊！   [GB2312, mis-decoded in the original; in English: "OKOO chat room, come and join us!"]
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: <d="!VlI"!m#^"!>H/"!

OKOO聊天室，等你一起来啊！   [in English: "OKOO chat room, come and join us!"]
欢迎光临 http://www.okoo.net/chat   [in English: "Welcome"]
---- cut here ----

The IP address 202.99.48.42 is in the APNIC range of addresses.

What is strange here is as follows:

- The email seemed to come from a valid email address. The valid email address is in /etc/mail/virtuser on the server.
- The "From:" part is a direct copy of the description string from /etc/passwd, which directly relates to the account pointed to for that email address in /etc/mail/virtuser on the server.
- The email was relayed using the mail server in question, on which these files and accounts reside, but the incoming IP address does not match the DNS record for that domain/machine.

How did they map the email address to the /etc/mail/virtuser file to find the POP account, and then how did they extract the right description string from /etc/passwd as the mail subject? The POP accounts, BTW, have a shell of /etc/passwd and nothing else, but there are no signs of an attempted login anyway.

The sendmail log shows:

Sep 29 20:15:48 mailserver sendmail[12813]: UAA12813: from=<user@thedomain.com>, size=124, class=0, pri=30124, nrcpts=1, msgid=<200109291915.UAA12813@mailserver.thedomain.comm>, proto=SMTP, relay=[202.99.48.42]
Sep 29 20:15:48 mailserver sendmail[12814]: UAA12813: to=<user@thedomain.com>, ctladdr=<user@thedomain.com> (520/100), delay=00:00:01, xdelay=00:00:00, mailer=local, stat=Sent

Unless I've misconfigured sendmail, I can only conclude that there is a hole that needs plugging (of which I'm unaware) in this version of sendmail. I know about the local user exploits, but there are no open accounts, and no sign of any logins. Telnet is disallowed both in /etc/inetd and at the firewall.

As it happens, I'm building a new mail server now, with the latest and greatest of everything on it. However, that's a few days away. What can I do in the meantime? I've blocked that specific IP at the firewall, which may not do any good as it's probably a dial-up address.

One thing that is never clear from the SuSE site is which updates for newer versions of SuSE can be applied to earlier ones. For instance, can I apply the 8.11.0-11 RPM for 7.0 onto a 6.4 system? A lot of customers use this box, and I daren't risk screwing it up...

Cheers, Laurie.

-- 
---------------------------------------------------------------------
Laurie Brown                                    laurie@brownowl.com
PGP key at http://pgpkeys.mit.edu:11371
---------------------------------------------------------------------
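The log excerpt in the post shows a pattern that is worth scanning a whole maillog for: an envelope sender in the server's own domain arriving over SMTP from an address outside the site, delivered locally to that same domain. The script below is an added example, not code from the original post or from sendmail itself. It assumes a local domain of thedomain.com and a trusted submission network of 192.168.1.0/24 (neither stated in the post), and runs over the two log lines quoted above plus two constructed lines for a normal internal submission, so the filter has both a hit and a non-hit to work with. It flags the traffic pattern only; it does not determine why the From: header was filled in the way it was.

```python
"""Flag sendmail log entries where an envelope sender in one of our own domains
was injected over SMTP from a relay outside our trusted networks."""
import re
from ipaddress import ip_address, ip_network

# Assumed site facts (not from the original post): our local mail domain and
# the networks from which a local sender address is legitimately submitted.
LOCAL_DOMAINS = {"thedomain.com"}
TRUSTED_NETS = [ip_network("127.0.0.0/8"), ip_network("192.168.1.0/24")]

# Constructed sample log: the two lines quoted in the post, followed by two
# constructed lines for an ordinary submission from an internal workstation.
SAMPLE_LOG = """\
Sep 29 20:15:48 mailserver sendmail[12813]: UAA12813: from=<user@thedomain.com>, size=124, class=0, pri=30124, nrcpts=1, msgid=<200109291915.UAA12813@mailserver.thedomain.comm>, proto=SMTP, relay=[202.99.48.42]
Sep 29 20:15:48 mailserver sendmail[12814]: UAA12813: to=<user@thedomain.com>, ctladdr=<user@thedomain.com> (520/100), delay=00:00:01, xdelay=00:00:00, mailer=local, stat=Sent
Sep 29 21:02:10 mailserver sendmail[12901]: VAA12901: from=<bob@thedomain.com>, size=802, class=0, pri=30802, nrcpts=1, msgid=<200109292002.VAA12901@mailserver.thedomain.com>, proto=ESMTP, relay=pc1.thedomain.com [192.168.1.20]
Sep 29 21:02:11 mailserver sendmail[12902]: VAA12901: to=<alice@thedomain.com>, ctladdr=<bob@thedomain.com> (521/100), delay=00:00:01, xdelay=00:00:00, mailer=local, stat=Sent
"""

# sendmail 8.9 logs the sender as "<qid>: from=<addr>, ..., relay=host [ip]"
# when the peer has reverse DNS and "relay=[ip]" when it does not; the IP
# regex below pulls the bracketed address out of either form.
FROM_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=<(?P<sender>[^>]*)>.*?relay=(?P<relay>[^,]*)")
TO_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_trusted(ip_text, trusted_nets=TRUSTED_NETS):
    """True if the relay address falls inside one of the trusted networks."""
    ip = ip_address(ip_text)
    return any(ip in net for net in trusted_nets)


def find_spoofed_local_senders(log_text, local_domains=LOCAL_DOMAINS, trusted_nets=TRUSTED_NETS):
    """Return one dict per suspicious queue id: envelope sender in a local
    domain, relay IP outside the trusted networks, joined with the recipients
    seen for that queue id. Bounces (from=<>) have no domain and are skipped,
    as are submissions with no peer IP (e.g. via the local sendmail binary)."""
    recipients = {}
    suspects = {}
    for line in log_text.splitlines():
        m = TO_RE.search(line)
        if m:
            recipients.setdefault(m.group("qid"), []).append(m.group("rcpt"))
            continue
        m = FROM_RE.search(line)
        if not m:
            continue
        sender = m.group("sender")
        domain = sender.rpartition("@")[2].lower()
        if domain not in local_domains:
            continue
        ipm = IP_RE.search(m.group("relay"))
        if not ipm:
            continue
        relay_ip = ipm.group(1)
        if is_trusted(relay_ip, trusted_nets):
            continue
        suspects[m.group("qid")] = {
            "qid": m.group("qid"),
            "sender": sender,
            "relay_ip": relay_ip,
            "recipients": [],
        }
    # Second pass: attach the to= lines, which sendmail logs under a separate pid.
    for qid, rec in suspects.items():
        rec["recipients"] = recipients.get(qid, [])
    return list(suspects.values())


if __name__ == "__main__":
    for rec in find_spoofed_local_senders(SAMPLE_LOG):
        print(f"{rec['qid']}: {rec['sender']} injected from {rec['relay_ip']} "
              f"-> {', '.join(rec['recipients'])}")
```

Run against a real /var/log/mail by passing the file contents as `log_text`; on the sample above it reports only UAA12813, the message from 202.99.48.42, and passes the internal submission from 192.168.1.20. Because the match is on the envelope sender and the relay address, it catches this kind of message whether or not the spammer supplies a From: header of their own.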