Re: [SLUG] attacked!

From: Eben King (eben01@verizon.net)
Date: Fri Jun 16 2006 - 17:09:15 EDT


On Fri, 16 Jun 2006, Daniel Jarboe wrote:

>> >Again, the fact that you had postfix listening on an external
>> >interface (and presumably not firewalled)
>>
>> The router should have taken care of that. I saw other ports forwarded to
>> this machine (81->80 for HTTP and 22->22 for SSH), but not 25 or any
>> others.
>
> In that case there might be more to this. You can telnet to port 25
> on the external interface of your router to be sure it's dropped or
> rejected.

eben@pc:~$ telnet royalty.no-ip.org 25
Trying 72.64.xxx.xxx...
(long pause)
telnet: Unable to connect to remote host: Connection timed out

Not like you can't get the address very easily...

But anyhow, I'd say there's no hole there, at least not now. Don't think
there ever was, unless the router was compromised.

>> Where do I look for that? AFAIC, restricting the outgoing mail
>> destinations to localhost and outgoing.verizon.net is fine.
>
> In postfix you may want to specify the mynetworks parameter, and have
> your smtpd_recipient_restrictions set to
> permit_mynetworks,check_relay_domains or similar. I'd search for the
> howto's to do it right... these kinds of configuration tend to be set
> up and fugedaboudit.

Heh. That's been my experience with a number of things...

> That being said, if it's truly a local attack then you are in for a
> bigger fight.

I'm thinking somebody from 68.100.197.0/24 logged in by SSH (there was an
entry in /etc/hosts.allow, but I don't know how it got there) after doing a
dictionary attack to break one of the three non-root accounts (root can't
log in by SSH), and then sent mail. The only proof of this I have is the
entry in /etc/hosts.allow (removed), and the fact that I caught someone
doing a dictionary attack against root by SSH a while back (don't remember
his address though).

At least now there are only a few ways in. Possibly thttpd has a hole I
don't know about. (That's one reason I use it instead of Apache -- ease of
leak-finding.) Know where I should look for an updated openssh? It says
this: "OpenSSH_4.1p1 Debian-7ubuntu4, OpenSSL 0.9.7g 11 Apr 2005". Synaptic
says I have the most recent version, but I don't trust it.

> Anything interesting in your mail log when this started?

This seems to be the first oddity:

Jun 10 18:48:55 pc postfix/smtpd[25558]: connect from localhost.localdomain[127.0.0.1]
Jun 10 18:48:55 pc postfix/smtpd[25558]: 6F0E45ACEB: client=localhost.localdomain[127.0.0.1]
Jun 10 18:48:55 pc postfix/cleanup[25561]: 6F0E45ACEB: message-id=<Pine.LNX.4.64.0606101848260.23272@pc.tampabay.rr.com>
Jun 10 18:48:55 pc postfix/qmgr[6162]: 6F0E45ACEB: from=<eben01@verizon.net>, size=1396, nrcpt=1 (queue active)
Jun 10 18:48:55 pc postfix/local[25562]: 6F0E45ACEB: to=<eben@localhost>, relay=local, delay=0, status=bounced (Command died with status 2: "IFS='". Command output: sh: -c: line 0: unexpected EOF while looking for matching `'' sh: -c: line 1: syntax error: unexpected end of file )
Jun 10 18:48:55 pc postfix/local[25562]: 6F0E45ACEB: to=<eben@localhost>, relay=local, delay=0, status=bounced (cannot append message to destination file /usr/bin/procmail: cannot open file: Permission denied)
Jun 10 18:48:55 pc postfix/local[25562]: 6F0E45ACEB: to=<eben@localhost>, relay=local, delay=0, status=sent (forwarded as 8397B5AEC0)
Jun 10 18:48:55 pc postfix/qmgr[6162]: 6F0E45ACEB: removed

which became

Jun 10 18:48:55 pc postfix/cleanup[25561]: 8397B5AEC0: message-id=<Pine.LNX.4.64.0606101848260.23272@pc.tampabay.rr.com>
Jun 10 18:48:55 pc postfix/qmgr[6162]: 8397B5AEC0: from=<eben01@verizon.net>, size=1508, nrcpt=6 (queue active)
Jun 10 18:48:55 pc postfix/qmgr[6162]: 8397B5AEC0: to=<-f-||exit@ubuntu.rr.com>, orig_to=<eben@localhost>, relay=none, delay=0, status=bounced (invalid recipient syntax: "-f-||exit@ubuntu.rr.com")
Jun 10 18:48:55 pc postfix/local[25562]: 8397B5AEC0: to=<&&@ubuntu.rr.com>, orig_to=<eben@localhost>, relay=local, delay=0, status=bounced (unknown user: "&&")
Jun 10 18:48:55 pc postfix/local[25566]: 8397B5AEC0: to=<#eben@ubuntu.rr.com>, orig_to=<eben@localhost>, relay=local, delay=0, status=bounced (unknown user: "#eben")
Jun 10 18:48:55 pc postfix/local[25567]: 8397B5AEC0: to=<75@ubuntu.rr.com>, orig_to=<eben@localhost>, relay=local, delay=0, status=bounced (unknown user: "75")

(long lines are more understandable IMO than wrapped lines)

So apparently whoever it was put some code in which tried to parse
~/.forward, and didn't do a very good job, because it barfed on the code in
http://wiki.apache.org/spamassassin/UsedViaProcmail .

-- 
-eben   QebWenE01R@vTerYizUonI.nOetP   http://royalty.no-ip.org:81

Hanlon's Razor: "Never attribute to malice that which can be adequately
explained by stupidity." Derived from Robert Heinlein

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages posted
are those of the author and do not necessarily reflect the official policy
or position of NKS or any of its employees.
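The log excerpt above shows the pattern a defender can hunt for in a Postfix mail log: a local delivery whose ~/.forward command dies, followed by a forwarded queue id whose expanded recipients are shell fragments rather than addresses. The script below is an added example, not code from the thread; the log lines in it are constructed to mirror the excerpt (queue ids, domains and pids are placeholders), and it walks the "forwarded as" chain so every finding is attributed to the original message.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the excerpt in the thread (placeholders, not real data).
SAMPLE_LOG = """\
Jun 10 18:48:55 pc postfix/smtpd[25558]: connect from localhost.localdomain[127.0.0.1]
Jun 10 18:48:55 pc postfix/local[25562]: AAAA1: to=<eben@localhost>, relay=local, delay=0, status=bounced (Command died with status 2: "IFS='". Command output: sh: -c: line 0: unexpected EOF)
Jun 10 18:48:55 pc postfix/local[25562]: AAAA1: to=<eben@localhost>, relay=local, delay=0, status=sent (forwarded as BBBB2)
Jun 10 18:48:55 pc postfix/qmgr[6162]: BBBB2: to=<-f-||exit@example.com>, orig_to=<eben@localhost>, relay=none, delay=0, status=bounced (invalid recipient syntax: "-f-||exit@example.com")
Jun 10 18:48:55 pc postfix/local[25562]: BBBB2: to=<&&@example.com>, orig_to=<eben@localhost>, relay=local, delay=0, status=bounced (unknown user: "&&")
Jun 10 18:48:55 pc postfix/local[25567]: BBBB2: to=<75@example.com>, orig_to=<eben@localhost>, relay=local, delay=0, status=bounced (unknown user: "75")
Jun 10 19:00:00 pc postfix/local[25570]: CCCC3: to=<alice@localhost>, relay=local, delay=0, status=sent (delivered to mailbox)
"""

# Only lines that carry a queue id describe a delivery; 'connect from' lines are skipped.
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
TO_RE = re.compile(r"to=<(?P<to>[^>]*)>")
FWD_RE = re.compile(r"forwarded as (?P<child>[0-9A-F]+)")
# Shell metacharacters (or a leading option dash) in a local part: a .forward
# that was mangled or tampered with, not a genuine mailbox name.
SHELL_META = re.compile(r"[|&;#`$]|^-")

def parse(log_text):
    """Group the payload of each log line by queue id, in order of appearance."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m["qid"]].append(m["rest"])
    return events

def root_of(qid, parent):
    """Follow 'forwarded as' links back to the message that entered the queue first."""
    while qid in parent:
        qid = parent[qid]
    return qid

def suspicious_forwards(log_text):
    """Return {root queue id: [finding, ...]} for messages whose local delivery ran a
    failing .forward command or expanded into shell-like recipient addresses."""
    events = parse(log_text)
    parent = {}
    for qid, rests in events.items():
        for rest in rests:
            f = FWD_RE.search(rest)
            if f:
                parent[f["child"]] = qid
    findings = defaultdict(list)
    for qid, rests in events.items():
        for rest in rests:
            if "Command died" in rest:
                findings[root_of(qid, parent)].append("forward-command-failed")
            t = TO_RE.search(rest)
            if t and SHELL_META.search(t["to"].split("@")[0]):
                findings[root_of(qid, parent)].append("shell-like-recipient:" + t["to"])
    return dict(findings)
```

Run it against /var/log/mail.log (or the excerpt) and any message that collects both finding kinds is a candidate for checking the owning account's ~/.forward and login history.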



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:10:36 EDT