Hi,
I'm using SuSE 6.4, running sendmail 8.9.3-105, on an internet-facing server.
Over the weekend, I received a very strange mail to one of my accounts, the
contents of which concern me. I've changed things to disguise the real server
and email addresses for obvious reasons.
---- cut here ----
Return-Path:
Received: from thedomain.com ([202.99.48.42]) by mailserver.thedomain.com
(8.9.3/8.9.3) with SMTP id UAA12813 for ; Sat, 29 Sep 2001
20:15:47 +0100
Date: Sat, 29 Sep 2001 20:15:47 +0100
From: ### THE DESCR. STRING FROM /etc/passwd!! ###
Message-ID: <200109291915.UAA12813@mailserver.thedomain.com>
Subject: OKOO chat room, waiting for you to come along! [GB2312 Chinese, mis-encoded in the original]
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: H/"!
OKOO chat room, waiting for you to come along! [GB2312 Chinese, mis-encoded in the original]
Welcome to http://www.okoo.net/chat
---- cut here ----
The IP address 202.99.48.42 is in the apnic range of addresses.
What is strange here is as follows:
The email seemed to come from a valid email address.
The valid email address is in /etc/mail/virtuser on the server.
The "From:" part is a direct copy of the description string from /etc/passwd
which directly relates to the account pointed to for that email address in
/etc/mail/virtuser on the server.
The email was relayed using the mail server in question, on which these files
and account reside, but the incoming IP address does not match the DNS record
for that domain/machine.
How did they map the email address to the /etc/mail/virtuser file to find the
POP account, and then how did they extract the right description string from
/etc/passwd as the mail subject? The POP accounts, BTW, have a shell of
/etc/passwd and nothing else, but there are no signs of an attempted login
anyway.
The sendmail log shows:
Sep 29 20:15:48 mailserver sendmail[12813]: UAA12813:
from=, size=124, class=0, pri=30124, nrcpts=1,
msgid=<200109291915.UAA12813@mailserver.thedomain.com>, proto=SMTP,
relay=[202.99.48.42]
Sep 29 20:15:48 mailserver sendmail[12814]: UAA12813:
to=, ctladdr=
(520/100), delay=00:00:01, xdelay=00:00:00, mailer=local, stat=Sent
Unless I've misconfigured sendmail, I can only conclude that there is a hole
that needs plugging (of which I'm unaware) in this version of sendmail. I know
about the local user exploits, but there are no open accounts, and no sign of
any logins. Telnet is disallowed both in /etc/inetd and at the firewall.
As it happens, I'm building a new mail server now, with the latest and greatest
of everything on it. However, that's a few days away. What can I do in the
meantime? I've blocked that specific IP at the firewall, which may not do any
good as it's probably a dial-up address.
One thing that is never clear from the SuSE site is what updates for newer
versions of SuSE can be applied to earlier ones. For instance, can I apply the
8.11.0-11 RPM for 7.0 onto a 6.4 system? A lot of customers use this box, and
I daren't risk screwing it up...
Cheers, Laurie.
--
---------------------------------------------------------------------
Laurie Brown
laurie@brownowl.com
PGP key at http://pgpkeys.mit.edu:11371
---------------------------------------------------------------------
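Added illustration, not part of Laurie's post and not sendmail's own code. Sendmail's default From: header definition (`H?F?From: $?x$x <$g>$|$g$.` in sendmail.cf) adds a From: line only when the SMTP client supplied none; for an envelope sender that resolves, through aliases and virtusertable, to a local account, $x is the full-name (GECOS) field of that account's /etc/passwd entry. A client that says MAIL FROM:<some-virtusertable-address@thedomain.com> and then sends a headerless DATA body therefore gets the local user's GECOS written into From: by the receiving sendmail itself, with no login needed, which matches the shape of the posted log entry (size=124, proto=SMTP, mailer=local, relay=[ip]). The Python below models that behaviour and adds a log check for local-domain senders arriving from relays that are not ours; the virtusertable entries, passwd line, header list and log line are constructed sample data, and `local_domains`/`trusted_relays` are assumed names.

```python
# Added illustration (not sendmail's code, not part of the original post).
# Models (1) how sendmail 8.x synthesizes a From: header for a local sender
# when the SMTP client supplies none, taking the full name from the passwd
# GECOS field, and (2) a log check that flags local-domain envelope senders
# arriving from relays we do not own.
# All sample data below is constructed: the virtusertable entries, the passwd
# line, the header list and the log line are not the poster's real data.
import re

# Constructed virtusertable (/etc/mail/virtusertable): virtual address -> local account
VIRTUSERTABLE = {
    "sales@thedomain.com": "laurie",
}

# Constructed /etc/passwd entry (uid/gid chosen to echo the posted log line)
PASSWD = "laurie:x:520:100:Laurie Brown:/home/laurie:/bin/false\n"

# Constructed sendmail log line in the 8.9 format shown in the post
SAMPLE_LOG = (
    "Sep 29 20:15:48 mailserver sendmail[12813]: UAA12813: "
    "from=<sales@thedomain.com>, size=124, class=0, pri=30124, nrcpts=1, "
    "msgid=<200109291915.UAA12813@mailserver.thedomain.com>, proto=SMTP, "
    "relay=[202.99.48.42]"
)


def gecos_for(user, passwd_text):
    """Return the GECOS (full-name) field of a passwd entry, or None."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] == user:
            return fields[4]
    return None


def resolve_sender(envelope_sender, table):
    """virtusertable-style lookup: envelope sender -> local account (or None)."""
    return table.get(envelope_sender.lower())


def synthesize_from_header(envelope_sender, headers, table, passwd_text):
    """Mimic sendmail's default header line 'H?F?From: $?x$x <$g>$|$g$.':
    if the client sent no From:, build one from $x (the sender's full name,
    looked up in passwd when the sender resolves to a local account) and
    $g (the envelope sender). Returns the added header, or None when the
    client supplied its own From: and sendmail adds nothing."""
    if any(h.lower().startswith("from:") for h in headers):
        return None
    local_user = resolve_sender(envelope_sender, table)
    full_name = gecos_for(local_user, passwd_text) if local_user else None
    if full_name:
        return f"From: {full_name} <{envelope_sender}>"
    return f"From: {envelope_sender}"


FROM_RE = re.compile(r"from=<([^>]*)>")
# relay= may be "[ip]" (unresolved host) or "hostname [ip]" (resolved host)
RELAY_RE = re.compile(r"relay=(?:\S+\s)?\[([0-9.]+)\]")


def flag_spoofed_local_sender(logline, local_domains, trusted_relays):
    """Return (sender, relay_ip) when a sendmail 'from=' log line carries an
    envelope sender in one of our domains but arrived from a relay IP we do
    not own; None otherwise. local_domains/trusted_relays are assumed sets."""
    m_from, m_relay = FROM_RE.search(logline), RELAY_RE.search(logline)
    if not m_from or not m_relay:
        return None
    sender, relay_ip = m_from.group(1).lower(), m_relay.group(1)
    domain = sender.rpartition("@")[2]
    if domain in local_domains and relay_ip not in trusted_relays:
        return sender, relay_ip
    return None


if __name__ == "__main__":
    # A client that says MAIL FROM:<sales@thedomain.com> and sends a headerless
    # body gets the local user's full name written into From: by sendmail.
    print(synthesize_from_header("sales@thedomain.com", [], VIRTUSERTABLE, PASSWD))
    print(flag_spoofed_local_sender(SAMPLE_LOG, {"thedomain.com"}, {"127.0.0.1"}))
```

The header-synthesis path explains the From: line without any account compromise: the only thing the remote client needed was a guessable address that exists in virtusertable. The log check is the short-term detection a practitioner can run over maillog while a fix (rejecting MAIL FROM in local domains from untrusted relays, or at least not advertising GECOS for virtual addresses) is put in place.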