Re: [slug] [SLUG] Open mail relay?

From: Aharon (aharon@superfreeway.com)
Date: Tue Jun 05 2001 - 13:45:06 EDT


Actually, this is quite confusing. The only services I have on are the
ones listed below that state as "open" ...

Services that are on:
ftp
telnet <-Incoming only
smtp
whois <-Out bound only
domain
http
auth

All the other services like irc, ars fileserver, and imap are off.
In fact, I don't even have an irc server on the system. Try to connect to
port 6666, it isn't even responding.. Maybe these are just funny results
from nmap??

Aharon

 On Tue, 5 Jun 2001, herrold wrote:

> On Tue, 5 Jun 2001, Aharon wrote:
>
> > Another thing I have noticed is that all the bounced messages are going to
> > nobody@superfreeway.com ... The only process which runs as nobody is
> > httpd. But, this may be standard if sendmail has no idea where to send
> > the bounce message.
>
> Dollars to doughnuts, you or one of your users is running the Matt
> Script Archive formmail ... there is a script vulnerability which
> allows you to be used as a relay -- and then the RBL got you.
>
> There is a domain check, and if the referred variable is NULL, it
> ALLOWS the post -- so the script needs to have that path removed. I
> had the misfortune of discovering that an end user had installed the
> script (unsafely), and opened a host at a site I admin
> professionally.
>
> -- Russ
>
> ------------------
>
> That host is also offering an awful lot of services. Is that
> intentional?
>
> [herrold@swampfox herrold]$ nmap mail.superfreeway.com
>
> Starting nmap V. 2.3BETA10 by Fyodor (fyodor@dhp.com,
> www.insecure.org/nmap/)
> Interesting ports on (63.140.74.37):
> (Ports scanned but not shown below are in state: filtered)
> Port State Protocol Service
> 21 open tcp ftp
> 23 open tcp telnet
> 25 open tcp smtp
> 43 unfiltered tcp whois
> 53 open tcp domain
> 80 open tcp http
> 110 open tcp pop-3
> 113 open tcp auth
> 143 unfiltered tcp imap2
> 443 unfiltered tcp https
> 6666 unfiltered tcp irc-serv
> 6667 unfiltered tcp irc
> 6668 unfiltered tcp irc
> 7000 unfiltered tcp afs3-fileserver
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 313 seconds
> [herrold@swampfox herrold]$ telnet mail.superfreeway.com ftp
>
>

-- 
vgextend /dev/myself /dev/nichole /dev/sarah /dev/misty /dev/julie
"I extend myself over many women - Aharon"

Unix Administrator Tampa, Florida

Websites: http://www.tamparacing.com http://www.ls6.com http://www.lastgen.com
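
Added example, not part of the original post and not code from the formmail script: a way to check web server logs for the pattern herrold describes, POSTs to a formmail script that arrive with no Referer or a Referer from another site. The log lines are constructed, and the Apache "combined" log format, the `formmail` path marker and the allowed host name are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jun/2001:09:12:01 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 312 "http://www.example.com/contact.html" "Mozilla/4.7"
198.51.100.7 - - [05/Jun/2001:09:12:03 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 298 "-" "-"
198.51.100.7 - - [05/Jun/2001:09:12:04 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.0" 200 298 "" "-"
203.0.113.5 - - [05/Jun/2001:09:13:40 -0400] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 301 "http://elsewhere.example.net/x.html" "Mozilla/4.7"
192.0.2.10 - - [05/Jun/2001:09:14:00 -0400] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.7"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def referer_allowed(referer, allowed_hosts):
    """Domain check with the empty-Referer path closed: no Referer means reject."""
    if referer in ("", "-"):          # Apache logs a missing header as "-"
        return False
    host = (urlsplit(referer).hostname or "").lower()
    return host in allowed_hosts

def suspicious_posts(log_text, allowed_hosts, script_marker="formmail"):
    """Return (ip, timestamp, reason) for form-mail POSTs that fail the check."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m or m["method"] != "POST":
            continue
        if script_marker not in m["path"].lower():
            continue
        if not referer_allowed(m["referer"], allowed_hosts):
            empty = m["referer"] in ("", "-")
            hits.append((m["ip"], m["ts"], "empty referer" if empty else "foreign referer"))
    return hits

if __name__ == "__main__":
    for ip, ts, reason in suspicious_posts(SAMPLE_LOG, {"www.example.com"}):
        print(f"{ts}  {ip}  {reason}")
```

The Referer header is supplied by the client, so a hit here is a reason to look at the script and the mail queue, not proof of relaying on its own.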



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:56:49 EDT