Please forgive the newbie question -- is there an easy way to patch Suse (7.1) all at once? The only way that I can see from the web-site is to download each patch individually. Thanks for helping! -- Matthew Dalton
In yast2 you have an option of updating online; try using 'yast2 online_update'. Matthew Dalton wrote:
Please forgive the newbie question -- is there an easy way to patch Suse (7.1) all at once? The only way that I can see from the web-site is to download each patch individually. Thanks for helping!
Hi,

I'm using SuSE 6.4, running sendmail 8.9.3-105, on an internet-facing server. Over the weekend, I received a very strange mail to one of my accounts, the contents of which concern me. I've changed things to disguise the real server and email addresses for obvious reasons.

---- cut here ----
Return-Path: <user@thedomain.com>
Received: from thedomain.com ([202.99.48.42]) by mailserver.thedomain.com (8.9.3/8.9.3) with SMTP id UAA12813 for <user@thedomain.com>; Sat, 29 Sep 2001 20:15:47 +0100
Date: Sat, 29 Sep 2001 20:15:47 +0100
From: ### THE DESCR. STRING FROM /etc/passwd!! ### <user@thedomain.com>
Message-ID: <200109291915.UAA12813@mailserver.thedomain.com>
Subject: OKOO聊天室，等你一起来啊！ (GB2312: "OKOO chat room, come and join us!")
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: <d="!VlI"!m#^"!>H/"!

OKOO聊天室，等你一起来啊！ 欢迎光临 http://www.okoo.net/chat (GB2312: "OKOO chat room, come and join us! Welcome.")
---- cut here ----

The IP address 202.99.48.42 is in the apnic range of addresses.

What is strange here is as follows:

The email seemed to come from a valid email address. The valid email address is in /etc/mail/virtuser on the server. The "From:" part is a direct copy of the description string from /etc/passwd which directly relates to the account pointed to for that email address in /etc/mail/virtuser on the server.

The email was relayed using the mail server in question, on which these files and account reside, but the incoming IP address does not match the DNS record for that domain/machine.

How did they map the email address to the /etc/mail/virtuser file to find the POP account, and then how did they extract the right description string from /etc/passwd as the mail subject? The POP accounts, BTW, have a shell of /etc/passwd and nothing else, but there are no signs of an attempted login anyway.
The sendmail log shows:

Sep 29 20:15:48 mailserver sendmail[12813]: UAA12813: from=<user@thedomain.com>, size=124, class=0, pri=30124, nrcpts=1, msgid=<200109291915.UAA12813@mailserver.thedomain.comm>, proto=SMTP, relay=[202.99.48.42]
Sep 29 20:15:48 mailserver sendmail[12814]: UAA12813: to=<user@thedomain.com>, ctladdr=<user@thedomain.com> (520/100), delay=00:00:01, xdelay=00:00:00, mailer=local, stat=Sent

Unless I've misconfigured sendmail, I can only conclude that there is a hole that needs plugging (of which I'm unaware) in this version of sendmail. I know about the local user exploits, but there are no open accounts, and no sign of any logins. Telnet is disallowed both in /etc/inetd and at the firewall.

As it happens, I'm building a new mail server now, with the latest and greatest of everything on it. However, that's a few days away. What can I do in the meantime? I've blocked that specific IP at the firewall, which may not do any good as it's probably a dial-up address.

One thing that is never clear from the SuSE site, is what updates for newer versions of SuSE can be applied to earlier ones? For instance, can I apply the 8.11.0-11 RPM for 7.0 onto a 6.4 system. A lot of customers use this box, and I daren't risk screwing it up...

Cheers, Laurie.
-- 
Laurie Brown laurie@brownowl.com
PGP key at http://pgpkeys.mit.edu:11371
Hi, On 01-Oct-01 Laurie Brown wrote:
Hi,
I'm using SuSE 6.4, running sendmail 8.9.3-105, on an internet-facing server.
Over the weekend, I received a very strange mail to one of my accounts, the contents of which concern me. I've changed things to disguise the real server and email addresses for obvious reasons.
---- cut here ----
Return-Path: <user@thedomain.com>
Received: from thedomain.com ([202.99.48.42]) by mailserver.thedomain.com (8.9.3/8.9.3) with SMTP id UAA12813 for <user@thedomain.com>; Sat, 29 Sep 2001 20:15:47 +0100
Date: Sat, 29 Sep 2001 20:15:47 +0100
From: ### THE DESCR. STRING FROM /etc/passwd!! ### <user@thedomain.com>
Message-ID: <200109291915.UAA12813@mailserver.thedomain.com>
Subject: OKOO聊天室，等你一起来啊！ (GB2312: "OKOO chat room, come and join us!")
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: <d="!VlI"!m#^"!>H/"!

OKOO聊天室，等你一起来啊！ 欢迎光临 http://www.okoo.net/chat (GB2312: "OKOO chat room, come and join us! Welcome.")
---- cut here ----
The IP address 202.99.48.42 is in the apnic range of addresses.
The URL placed in the body (?) of this mail (www.okoo.net) also resolves to 202.99.48.42, which seems to be a combined nameserver and mail hub. The net 202.99.48.0 - 202.99.48.255 belongs to a Chinese ISP with the name Beijing Chang Jie Communication, and the IP in question is owned by: LU, HUI (HLC299) okoo@OKOO.COM OKOO.NET Chao Yang Qu Xi Ba He Dong Li 51-4-401 BEIJING, 100028 CN 13601162260 (FAX) 13601162260 ...which seems to be some kind of travel agency (so I guess... My Mandarin is not very good - take a look at www.okoo.com yourself ;)
What is strange here is as follows:
The email seemed to come from a valid email address. The valid email address is in /etc/mail/virtuser on the server. The "From:" part is a direct copy of the description string from /etc/passwd which directly relates to the account pointed to for that email address in /etc/mail/virtuser on the server.
Hmm... The description in /etc/passwd may contain the name and/or job description of the user. If you write mail via console, the description will always be attached to the From: line (like "From: Boris Lorenz <bolo@lupa.de>").
The email was relayed using the mail server in question, on which these files and account reside, but the incoming IP address does not match the DNS record for that domain/machine.
If you refer to the mail logs of the incident printed below I cannot see where there's a non-matching IP; it says relay=[202.99.48.42], which is correct given the mail header shown above.
How did they map the email address to the /etc/mail/virtuser file to find the POP account, and then how did they extract the right description string from /etc/passwd as the mail subject? The POP accounts, BTW, have a shell of /etc/passwd and nothing else, but there are no signs of an attempted login anyway.
? "They" did not map anything IMO. If you use the virtusertable which maps incoming mail addresses to different local/remote accounts, it will be used automagically any time by sendmail as soon as mail arrives. Btw., there are large databases of email addresses from all over the world, which can be bought/leased by direct marketeers (read: spammers) to have a good basis for sending around their ads. It's not uncommon to get on these lists.
The sendmail log shows:
Sep 29 20:15:48 mailserver sendmail[12813]: UAA12813: from=<user@thedomain.com>, size=124, class=0, pri=30124, nrcpts=1, msgid=<200109291915.UAA12813@mailserver.thedomain.comm>, proto=SMTP, relay=[202.99.48.42]
Sep 29 20:15:48 mailserver sendmail[12814]: UAA12813: to=<user@thedomain.com>, ctladdr=<user@thedomain.com> (520/100), delay=00:00:01, xdelay=00:00:00, mailer=local, stat=Sent
Unless I've misconfigured sendmail, I can only conclude that there is a hole that needs plugging (of which I'm unaware) in this version of sendmail. I know about the local user exploits, but there are no open accounts, and no sign of any logins. Telnet is disallowed both in /etc/inetd and at the firewall.
As it happens, I'm building a new mail server now, with the latest and greatest of everything on it. However, that's a few days away. What can I do in the meantime? I've blocked that specific IP at the firewall, which may not do any good as it's probably a dial-up address.
Well... The whole thing reeks of spam, with a non-Western ISO code. There are some ways for an attacker (particularly via .forward files) to get hold of files like /etc/passwd or /etc/shadow, but such mails would not show up on the account which had been used to illegally obtain the passwd or shadow, at least this would not be plausible since the admin (you) would be informed right away that there's something wrong. Do you have any other logs/IDS to back up the incident?
One thing that is never clear from the SuSE site, is what updates for newer versions of SuSE can be applied to earlier ones? For instance, can I apply the 8.11.0-11 RPM for 7.0 onto a 6.4 system. A lot of customers use this box, and I daren't risk screwing it up...
Just don't do that. Perform a complete update to a newer version, or else get the sendmail tarball from sendmail.org and compile it yourself.
-- 
Boris Lorenz <bolo@lupa.de>
Boris Lorenz wrote:
Hi,
On 01-Oct-01 Laurie Brown wrote:
Hi,
I'm using SuSE 6.4, running sendmail 8.9.3-105, on an internet-facing server.
[SNIP]
The IP address 202.99.48.42 is in the apnic range of addresses.
The URL placed in the body (?) of this mail (www.okoo.net) also resolves to 202.99.48.42, which seems to be a combined nameserver and mail hub. The net 202.99.48.0 - 202.99.48.255 belongs to a Chinese ISP with the name Beijing Chang Jie Communication, and the IP in question is owned by:
[SNIP] Thanks. I'll block that whole subnet at the firewall... [SNIP]
The email seemed to come from a valid email address. The valid email address is in /etc/mail/virtuser on the server. The "From:" part is a direct copy of the description string from /etc/passwd which directly relates to the account pointed to for that email address in /etc/mail/virtuser on the server.
Hmm... The description in /etc/passwd may contain the name and/or job description of the user. If you write mail via console, the description will always be attached to the From: line (like "From: Boris Lorenz <bolo@lupa.de>").
I have never used that account at CLI to send email, it has no shell access to the server. Mail to and from the username concerned is done remotely using POP3 and the relevant ISP's server as a relay.
The email was relayed using the mail server in question, on which these files and account reside, but the incoming IP address does not match the DNS record for that domain/machine.
If you refer to the mail logs of the incident printed below I cannot see where there's a non-matching IP; it says relay=[202.99.48.42], which is correct given the mail header shown above.
I think we're at cross-purposes here: I regularly receive emails from other people with full headers and so on. What is different about this one is that it has no headers other than those from my own server, it appears to come from my own email address yet has an IP address which is nothing to do with me. Further, the subject of the email contained the very string from the /etc/passwd file which relates to the POP box on the server, not the username. The only link between the pop box and the username is the virtuser db. If the mail had followed the usual route, it would have headers and such like, even with a spoofed email address (which often happens).
How did they map the email address to the /etc/mail/virtuser file to find the POP account, and then how did they extract the right description string from /etc/passwd as the mail subject? The POP accounts, BTW, have a shell of /etc/passwd and nothing else, but there are no signs of an attempted login anyway.
? "They" did not map anything IMO. If you use the virtusertable which maps incoming mail addresses to different local/remote accounts, it will be used automagically any time by sendmail as soon as mail arrives.
Sure, but how in this case? It appears that the email originated on my own box, not from outside. I have never received an email where the subject comes from my own /etc/passwd file for a non-privileged user with no shell access. How can a remote IP send me an email which appears to come from my own email address, using my own sendmail server, pulling the description text from the /etc/passwd file of an account which is only linked to my email address via the virtuser db? I have relaying and suchlike blocked/allowed using the access db. I am confused!
Btw., there are large databases of email addresses from all over the world, which can be bought/leased by direct marketeers (read: spammers) to have a good basis for sending around their ads. It's not uncommon to get on these lists.
I know! I'm on enough of them! Thank goodness for the access db file! [SNIP]
Well... The whole thing reeks of spam, with a non-Western ISO code. There are some ways for an attacker (particularly via .forward files) to get hold of
No .forward files are in place... The /home/username directory is empty.
files like /etc/passwd or /etc/shadow, but such mails would not show up on the account which had been used to illegally obtain the passwd or shadow, at least this would not be plausible since the admin (you) would be informed right away that there's something wrong.
Nothing found, no evidence whatsoever.
Do you have any other logs/IDS to back up the incident?
Nothing shows, I've been through the lot.

Cheers, Laurie.
-- 
Laurie Brown laurie@brownowl.com
PGP key at http://pgpkeys.mit.edu:11371
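Added example, not part of the thread and not written by any of its participants: a small header-and-log triage that works out, from the quoted header block and the two sendmail log lines alone, which headers the server itself generated and how the message entered. The point it makes is the one the thread circles around: sendmail stamps Received: itself, adds Message-Id: and Date: only when the client sent none (its Message-Id has the shape <timestamp.queue-id@hostname>, which is exactly what the quoted one shows), and when a message arrives with no From: header at all it builds one as "$x <$g>" from the envelope sender; for an envelope sender that resolves to a local account, which is what the virtusertable mapping does here, $x is that account's GECOS (description) field from /etc/passwd. A remote client that issues MAIL FROM:<user@thedomain.com> and sends only a Subject: line therefore gets a From: line carrying the local description string without ever reading /etc/passwd. RAW_HEADERS and LOG_LINES are reconstructed from the post (the Subject bytes were GB2312 rendered as Latin-1 there, re-encoded here); OWN_ADDRESSES is a constructed placeholder for the addresses from which thedomain.com legitimately injects mail. The size=124 figure is deliberately not used: on its own it does not settle whether the client sent a bare From: line.

```python
"""Added example (not from the thread): attribute each header of the quoted
message to the MTA, the POP client or the remote sender, and judge its origin."""
import re

# Constructed from the post; the From: placeholder is copied as posted.
RAW_HEADERS = """\
Return-Path: <user@thedomain.com>
Received: from thedomain.com ([202.99.48.42]) by mailserver.thedomain.com
    (8.9.3/8.9.3) with SMTP id UAA12813 for <user@thedomain.com>;
    Sat, 29 Sep 2001 20:15:47 +0100
Date: Sat, 29 Sep 2001 20:15:47 +0100
From: ### THE DESCR. STRING FROM /etc/passwd!! ### <user@thedomain.com>
Message-ID: <200109291915.UAA12813@mailserver.thedomain.com>
Subject: OKOO聊天室，等你一起来啊！
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: <d="!VlI"!m#^"!>H/"!
"""

# Copied from the post as-is (including its "thedomain.comm" in msgid=).
LOG_LINES = [
    "Sep 29 20:15:48 mailserver sendmail[12813]: UAA12813: from=<user@thedomain.com>, "
    "size=124, class=0, pri=30124, nrcpts=1, "
    "msgid=<200109291915.UAA12813@mailserver.thedomain.comm>, proto=SMTP, relay=[202.99.48.42]",
    "Sep 29 20:15:48 mailserver sendmail[12814]: UAA12813: to=<user@thedomain.com>, "
    "ctladdr=<user@thedomain.com> (520/100), delay=00:00:01, xdelay=00:00:00, "
    "mailer=local, stat=Sent",
]

# Constructed (RFC 5737 test address): hosts allowed to originate our domain's mail.
OWN_ADDRESSES = {"192.0.2.25"}

LOG_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<fields>.*)$")
RECEIVED_RE = re.compile(
    r"from (?P<helo>\S+) \(\[(?P<ip>[\d.]+)\]\) by (?P<by>\S+) .*? id (?P<qid>\w+)")
# sendmail's own Message-Id shape, <$t.$i@$j>: timestamp, queue id, MTA hostname.
MSGID_RE = re.compile(r"<(?P<time>\d+)\.(?P<qid>\w+)@(?P<host>[^>]+)>")
FROM_RE = re.compile(r"(?P<name>.*?)\s*<(?P<addr>[^>]+)>$")


def parse_sendmail_log(lines):
    """Merge the from= and to= records of each queue id into one dict."""
    records = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            rec = records.setdefault(m["qid"], {})
            for field in re.split(r", (?=\w+=)", m["fields"]):
                key, _, value = field.partition("=")
                rec[key] = value
    return records


def parse_headers(raw):
    """Unfold RFC 822 header lines into ordered (name, value) pairs."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def classify(headers, log, own_addresses):
    """Attribute headers to MTA / mail client / sender and judge the origin."""
    h = dict(headers)
    hop = RECEIVED_RE.search(h["Received"]).groupdict()
    rec = log[hop["qid"]]
    generated = {"Received", "Return-Path"}  # stamped on receipt / at local delivery
    mid = MSGID_RE.search(h.get("Message-ID", ""))
    # sendmail adds Message-Id: only when the client sent none; a queue id and
    # hostname matching the Received: line mean the client supplied no Message-ID.
    if mid and mid["qid"] == hop["qid"] and mid["host"] == hop["by"]:
        generated.add("Message-ID")
        # Assumption: a Date: equal to the Received: timestamp on such a message
        # was added by the same MTA (sendmail adds Date: only if missing, too).
        if h.get("Date") and h["Date"] in h["Received"]:
            generated.add("Date")
    # X-Mozilla-Status*/X-UIDL are written by the POP client into its mailbox.
    mua = {n for n, _ in headers if n.startswith("X-Mozilla-") or n == "X-UIDL"}
    client_sent = [n for n, _ in headers if n not in generated and n not in mua]
    env_from = rec["from"].strip("<>")
    domain = env_from.partition("@")[2]
    frm = FROM_RE.match(h.get("From", ""))
    # proto=SMTP with relay=[ip] means the message came in over the network;
    # mailer=local only describes the final delivery, not where it came from.
    remote = rec.get("proto") == "SMTP" and rec.get("relay", "").startswith("[")
    return {
        "queue_id": hop["qid"],
        "origin": "remote SMTP" if remote else "local submission",
        "relay_ip": hop["ip"],
        "delivered_locally": rec.get("mailer") == "local",
        "envelope_sender": env_from,
        "mta_generated": sorted(generated),
        "mua_added": sorted(mua),
        "client_sent": client_sent,
        # The client HELO'd as the recipient's own domain from an outside address.
        "helo_claims_our_domain_from_outside": (
            (hop["helo"] == domain or hop["helo"].endswith("." + domain))
            and hop["ip"] not in own_addresses),
        # "$x <$g>" shape: a display name plus the envelope sender, which is what
        # sendmail synthesizes when the client sent no From: and the sender maps
        # to a local account ($x is then that account's GECOS field).
        "from_matches_synthesized_shape": bool(
            frm and frm["name"] and frm["addr"] == env_from
            and rec.get("mailer") == "local"),
    }


def analyse():
    return classify(parse_headers(RAW_HEADERS), parse_sendmail_log(LOG_LINES),
                    OWN_ADDRESSES)


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key:38} {value}")
```

Run as a script it prints one line per finding; the two that matter are that the only headers the client can have sent are From: and Subject:, and that the From: line has precisely the display-name-plus-envelope-sender shape sendmail produces on its own. The remedy the thread already names, the access db (and a firewall rule for the netblock), is the right one: a sendmail 8.9 access map entry of the form `202.99.48 REJECT` refuses the whole /24 at the SMTP level.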
participants (4): Boris Lorenz, Laurie Brown, Magnus Hagebris, Matthew Dalton