From owner-freebsd-security Mon May 21 18:06:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from euphoria.digitalextreme.org (euphoria.digitalextreme.org [204.212.149.31]) by hub.freebsd.org (Postfix) with SMTP id B2B8537B422 for ; Mon, 21 May 2001 18:06:32 -0700 (PDT) (envelope-from subscribed@de-net.org)
Received: (qmail 5949 invoked by uid 504); 21 May 2001 18:02:02 -0000
Received: from unknown (HELO extremist) (204.212.149.57) by euphoria.digitalextreme.org with SMTP; 21 May 2001 18:02:02 -0000
From: "Dan Graaff"
To:
Subject: RE: Qmail + FreeBSD 4.3
Date: Mon, 21 May 2001 18:05:41 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
In-Reply-To: <20010522012857.R366@shady.org>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hey all..

It started again..

May 21 13:19:22 euphoria /kernel: pid 1387 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 13:24:33 euphoria /kernel: pid 1515 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 15:44:16 euphoria /kernel: pid 3850 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 16:27:44 euphoria /kernel: pid 4463 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 16:36:17 euphoria /kernel: pid 4593 (vdelivermail), uid 89: exited on signal 11 (core dumped)

This time I included the time :-/

Now, that's my mail server; the main webserver is getting strange IPs hitting it on SSH... I think I'm being attacked for sure..

May 21 15:43:24 insomnia sshd[11557]: DNS lookup failed for "216.231.201.31".
May 21 15:44:08 insomnia sshd[11562]: DNS lookup failed for "216.231.201.31".
May 21 15:44:09 insomnia sshd[11562]: error: ConnectionsPerPeriod has been deprecated!
May 21 15:44:09 insomnia sshd[11562]: error: Could not load host key: /etc/ssh/ssh_host_key: No such file or directory
May 21 15:44:09 insomnia sshd[11562]: error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key
May 21 15:48:39 insomnia sshd[11575]: DNS lookup failed for "216.231.201.31".
May 21 15:48:39 insomnia sshd[11575]: error: ConnectionsPerPeriod has been deprecated!
May 21 15:48:39 insomnia sshd[11575]: error: Could not load host key: /etc/ssh/ssh_host_key: No such file or directory
May 21 15:48:39 insomnia sshd[11575]: error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key
May 21 15:51:35 insomnia sshd[11592]: DNS lookup failed for "209.133.41.29".

There is no reason for people to be using SSH, or telnet! I have no non-staff shell accounts open! I THINK I'm being attacked and I can't figure out if they are penetrating or not..

Thanks a lot for your help,

-Dan Graaff / Digital
The DE-Network

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Marc Rogers
Sent: Monday, May 21, 2001 5:29 PM
To: freebsd-security@freebsd.org
Subject: Re: Qmail + FreeBSD 4.3

On Mon, May 21, 2001 at 12:27:34PM -0700, Dan Graaff wrote:
> Hello all..
>

Hello

> After the recent hacking of my affiliate, I'm starting to get worried about
> my own qmail boxes. One of them has had no errors for a month, now I'm
> starting to get these in my root mailers:
>
> xxxxxxx.xxxxxxxxxxx.xxx kernel log messages:
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> > pid 28411 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> > pid 28548 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> > pid 36631 (vdelivermail), uid 89: exited on signal 11 (core dumped)
>
> Any thoughts? Help?

Well, it won't be the first time that a virtual domains package has had an overflow of some kind in it. In fact, if memory serves me correctly, this was the same virtual domains package that had a hole in it that was released to bugtraq last year.

Looking at the most recent version of vpopmail.....

bash-2.04$ grep sprintf vdelivermail.c|wc -l
20

and a quick grep for two of the buffers found reveals....

vdelivermail.c: char tmp_buf[256];
configure:char tmpbuf[100];

I would suggest that this code has all the right conditions for a nasty buffer overflow. I haven't got the time to read through it tonight, as it's 1am and I'm too tired to be interested though.

To be honest though, what you are seeing in your logs is more likely to be this code puking on something in mail, as it's happening a little too frequently to be an attacker. [What sort of time lapse is there between those segfaults?] I definitely wouldn't rule out the possibility though.

I would seriously think about a different virtual domains package. That code looks dangerous.

>
> -Dan Graaff / Digital
>

Marc Rogers
Technical Director
European Data Corporation

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
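Marc's point is the combination of unbounded sprintf calls and fixed-size stack buffers such as `char tmp_buf[256]`: nothing in that pattern relates the length of the formatted result to the size of the destination, so an over-long component (a local part or domain taken from a message, say) silently writes past the end of the buffer, and a segfault like the "signal 11" lines above is one of the ways that shows up. The following is an added illustration, not vpopmail's code and not from either poster: the path format, the function names and the buffer size are assumptions chosen to mirror the grep output. It computes the length an unbounded sprintf would need, so the overflow condition can be checked rather than triggered, and shows the bounded snprintf form that fails closed on truncation instead of delivering into a wrong path.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical destination size, mirroring the "char tmp_buf[256]" found
 * by grep. Nothing here is vpopmail's code. */
#define TMP_BUF_SIZE 256

/* Bytes the formatted "<dir>/<user>/Maildir/" path needs, including the
 * terminating NUL. This is the arithmetic an unbounded sprintf never does. */
size_t maildir_path_len(const char *dir, const char *user)
{
    return strlen(dir) + 1 + strlen(user) + strlen("/Maildir/") + 1;
}

/* Returns 1 if sprintf(tmp_buf, "%s/%s/Maildir/", dir, user) into a
 * TMP_BUF_SIZE-byte buffer would write past its end, 0 otherwise.
 * Checking instead of calling sprintf keeps this program well-defined. */
int sprintf_would_overflow(const char *dir, const char *user)
{
    return maildir_path_len(dir, user) > TMP_BUF_SIZE;
}

/* Bounded replacement. snprintf never writes more than out_size bytes and
 * NUL-terminates when out_size > 0. Returns 0 on success and -1 when the
 * result did not fit, so the caller can refuse delivery rather than act
 * on a truncated path. */
int build_maildir_path(char *out, size_t out_size,
                       const char *dir, const char *user)
{
    int n = snprintf(out, out_size, "%s/%s/Maildir/", dir, user);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size > 0)
            out[0] = '\0';      /* leave nothing half-built behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char tmp_buf[TMP_BUF_SIZE];
    const char *dir = "/home/vpopmail/domains/example.org"; /* constructed */
    char long_user[300];                                    /* constructed */
    memset(long_user, 'a', sizeof long_user - 1);
    long_user[sizeof long_user - 1] = '\0';

    printf("sprintf overflows on short user? %d\n",
           sprintf_would_overflow(dir, "dan"));
    printf("sprintf overflows on 299-char user? %d\n",
           sprintf_would_overflow(dir, long_user));
    printf("snprintf short user: rc=%d path=%s\n",
           build_maildir_path(tmp_buf, sizeof tmp_buf, dir, "dan"), tmp_buf);
    printf("snprintf 299-char user: rc=%d (path left empty)\n",
           build_maildir_path(tmp_buf, sizeof tmp_buf, dir, long_user));
    return 0;
}
```

The bounded version is the cheap fix a maintainer can apply mechanically to each of the twenty sprintf sites; the deeper fix is to validate the length of every externally supplied component before it reaches any formatting call, since `snprintf` only turns an overflow into a truncation and the caller still has to treat truncation as an error.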