Re: [SLUG] attacked!

From: Eben King (eben01@verizon.net)
Date: Fri Jun 16 2006 - 14:27:27 EDT


>From: Daniel Jarboe <daniel.jarboe@gmail.com>
>Date: Fri Jun 16 12:58:58 CDT 2006
>To: slug@nks.net
>Subject: Re: Re: [SLUG] attacked!

>> if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
>> sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
>> chmod a+r etc/passwd
>> fi
>
>I think this has something to do with postfix creating a local copy of
>/etc/passwd for itself in certain configurations. Its working
>directory at this point in the init script isn't likely to be /. It's
>more likely to be /var/spool/postfix/ or similar.

Ah yes, I missed that the resulting file is etc/passwd, not /etc/passwd.
Never mind then.

>Again, the fact that you had postfix listening on an external
>interface (and presumably not firewalled)

The router should have taken care of that. I saw other ports forwarded to
this machine (81->80 for HTTP and 22->22 for SSH), but not 25 or any others.

>is pointing to postfix
>misconfiguration (open relay) rather than some more
>sinister/interesting attack vector.

Where do I look for that? AFAIC, restricting the outgoing mail destinations
to localhost and outgoing.verizon.net is fine. There should be no such mail
anyhow, unless /bin/mail uses the MTA. I've already changed the interfaces
it listens on from "all" to "lo", but I'll check that before I run it. I
also changed my password. There's one other guy who can log in remotely
according to /etc/shadow; I'll get him to do the same.

I did see config files for exim hanging around. Those could conceivably have
arrived when I was running through MTAs to see what worked with fetchmail
as-is.

-- 
-eben    ebQenW1@EtaRmpTabYayU.rIr.OcoPm    home.tampabay.rr.com/hactar

My parents went to a planet where the inhabitants have no bilateral symmetry, and all I got was this lousy F-shirt.
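The two things Daniel points at above (Postfix listening on an external interface, and a configuration that relays for anyone) can be checked in main.cf without touching the running daemon. The script below is an added example, not code from the thread and not Postfix's own tooling: it reads a main.cf-style file with a simplified `key = value` parser (no multi-line continuations), flags `inet_interfaces` left at `all`, a `mynetworks` that trusts the whole Internet, and an explicit `smtpd_recipient_restrictions`/`smtpd_relay_restrictions` that never rejects unauthorised destinations. The two sample configs it writes are constructed for the demo; `outgoing.verizon.net` as `relayhost` is taken from the message above. The relay-restriction check is a heuristic: an absent setting is left alone because Postfix's default for both parameters already rejects unauthorised relaying, so `postconf -n` output from the real host is the input to use.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a Postfix main.cf
# for settings that expose the SMTP daemon or turn it into an open relay.
# Assumes a flat "key = value" file; main.cf continuation lines are not parsed.

# get_setting FILE KEY -> prints the last value assigned to KEY ("" if unset)
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_main_cf FILE -> prints one line per finding; exit 0 only when clean
check_main_cf() {
    cf="$1"
    findings=0

    # Default for inet_interfaces is "all": the daemon binds every address.
    ifaces=$(get_setting "$cf" inet_interfaces)
    case "$ifaces" in
        ""|all)
            echo "inet_interfaces=${ifaces:-<unset, default all>}: daemon listens on every interface"
            findings=$((findings + 1)) ;;
    esac

    # Clients inside mynetworks are allowed to relay; 0.0.0.0/0 trusts everyone.
    nets=$(get_setting "$cf" mynetworks)
    case "$nets" in
        *0.0.0.0/0*|*::/0*)
            echo "mynetworks=$nets: whole Internet treated as trusted (open relay)"
            findings=$((findings + 1)) ;;
    esac

    # An explicitly set restriction list must still reject unauthorised destinations.
    relay=$(get_setting "$cf" smtpd_relay_restrictions)
    rcpt=$(get_setting "$cf" smtpd_recipient_restrictions)
    if [ -n "$relay$rcpt" ]; then
        case "$relay $rcpt" in
            *reject_unauth_destination*|*defer_unauth_destination*) ;;
            *)
                echo "smtpd_*_restrictions set without reject_unauth_destination (open relay)"
                findings=$((findings + 1)) ;;
        esac
    fi

    [ "$findings" -eq 0 ]
}

# count_findings FILE -> prints the number of findings as a plain integer
count_findings() {
    check_main_cf "$1" | awk 'END { print NR }'
}

# write_samples DIR -> writes two constructed main.cf files for the demo
write_samples() {
    cat > "$1/exposed.cf" <<'EOF'
# constructed sample: the state the thread describes
inet_interfaces = all
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks
EOF
    cat > "$1/hardened.cf" <<'EOF'
# constructed sample: loopback only, smarthost for outbound mail
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8
relayhost = outgoing.verizon.net
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
EOF
}

# Demo run on the constructed samples (skipped when NO_DEMO is set).
if [ -z "${NO_DEMO:-}" ]; then
    demo_dir=$(mktemp -d)
    write_samples "$demo_dir"
    echo "== exposed.cf =="
    check_main_cf "$demo_dir/exposed.cf" || true
    echo "== hardened.cf =="
    check_main_cf "$demo_dir/hardened.cf" && echo "no findings"
    rm -rf "$demo_dir"
fi
```

On a live host, `postconf -n > /tmp/main.cf && sh audit.sh /tmp/main.cf`-style use (feeding `check_main_cf` the normalised output) avoids the parser's limitations, and `postconf -d` shows the compiled-in defaults for anything the audit reports as unset.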

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:10:10 EDT