Date:      Mon, 21 May 2001 18:05:41 -0700
From:      "Dan Graaff" <subscribed@de-net.org>
To:        <freebsd-security@freebsd.org>
Subject:   RE: Qmail + FreeBSD 4.3
Message-ID:  <INECLODDPGBFIAKPNFKHGENMCBAA.subscribed@de-net.org>
In-Reply-To: <20010522012857.R366@shady.org>

Hey all..

It started again..

May 21 13:19:22 euphoria /kernel: pid 1387 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 13:24:33 euphoria /kernel: pid 1515 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 15:44:16 euphoria /kernel: pid 3850 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 16:27:44 euphoria /kernel: pid 4463 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 16:36:17 euphoria /kernel: pid 4593 (vdelivermail), uid 89: exited on signal 11 (core dumped)

This time I included the time :-/

Now, that's my mail server; the main webserver is getting strange IPs hitting
it on SSH... I think I'm being attacked for sure..

May 21 15:43:24 insomnia sshd[11557]: DNS lookup failed for "216.231.201.31".
May 21 15:44:08 insomnia sshd[11562]: DNS lookup failed for "216.231.201.31".
May 21 15:44:09 insomnia sshd[11562]: error: ConnectionsPerPeriod has been deprecated!
May 21 15:44:09 insomnia sshd[11562]: error: Could not load host key: /etc/ssh/ssh_host_key: No such file or directory
May 21 15:44:09 insomnia sshd[11562]: error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key
May 21 15:48:39 insomnia sshd[11575]: DNS lookup failed for "216.231.201.31".
May 21 15:48:39 insomnia sshd[11575]: error: ConnectionsPerPeriod has been deprecated!
May 21 15:48:39 insomnia sshd[11575]: error: Could not load host key: /etc/ssh/ssh_host_key: No such file or directory
May 21 15:48:39 insomnia sshd[11575]: error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key
May 21 15:51:35 insomnia sshd[11592]: DNS lookup failed for "209.133.41.29".

There is no reason for people to be using SSH, or telnet! I have no
non-staff shell accounts open!

I THINK I'm being attacked and I can't figure out if they are penetrating or
not..

Thanks a lot for your help,

-Dan Graaff / Digital
The DE-Network

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Marc Rogers
Sent: Monday, May 21, 2001 5:29 PM
To: freebsd-security@freebsd.org
Subject: Re: Qmail + FreeBSD 4.3

On Mon, May 21, 2001 at 12:27:34PM -0700, Dan Graaff wrote:
> Hello all..
>

Hello

> After the recent hacking of my affiliate, I'm starting to get worried about
> my own qmail boxes. One of them has had no errors for a month, now I'm
> starting to get these in my root mailers:
>
> xxxxxxx.xxxxxxxxxxx.xxx kernel log messages:
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> > pid 28411 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> > pid 28548 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> > pid 36631 (vdelivermail), uid 89: exited on signal 11 (core dumped)
<SNIP>

>
> Any thoughts? Help?

Well, it won't be the first time that a virtual domains package has had
an overflow of some kind in it. In fact, if memory serves me correctly,
this was the same virtual domains package that had a hole in it that was
released to bugtraq last year.

looking at the most recent version of vpopmail.....

bash-2.04$ grep sprintf vdelivermail.c|wc -l
      20

and a quick grep for two of the buffers found reveals....

vdelivermail.c: char tmp_buf[256];
configure:char tmpbuf[100];

I would suggest that this code has all the right conditions for a nasty
buffer overflow. I haven't got the time to read through it tonight, as it's
1am and I'm too tired to be interested though.

To be honest though, what you are seeing in your logs is more likely to be
this code puking on something in mail, as it's happening a little too
frequently to be an attacker. [What sort of time lapse is there between
those segfaults?] I definitely wouldn't rule out the possibility though.

I would seriously think about a different virtual domains package.


That code looks dangerous.



>
> -Dan Graaff / Digital
>
>


Marc Rogers
Technical Director
European Data Corporation

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




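Marc asks what the time lapse between the segfaults is, and Dan cannot tell whether the sshd connections on the other box have anything to do with them. The program below is an added triage example, not code from this thread, from vpopmail or from OpenSSH: it parses the kernel and sshd lines quoted above (merged from both hosts into one time-ordered list), reports the gaps between the vdelivermail segfaults, counts sshd connections per peer address, and flags any segfault that falls within a window after an inbound sshd connection. The 60-second window and the idea of correlating across the two hosts are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* The kernel and sshd lines quoted in the message above, from both hosts
 * (euphoria = mail server, insomnia = web server), merged in time order. */
static const char *LOG[] = {
    "May 21 13:19:22 euphoria /kernel: pid 1387 (vdelivermail), uid 89: exited on signal 11 (core dumped)",
    "May 21 13:24:33 euphoria /kernel: pid 1515 (vdelivermail), uid 89: exited on signal 11 (core dumped)",
    "May 21 15:43:24 insomnia sshd[11557]: DNS lookup failed for \"216.231.201.31\".",
    "May 21 15:44:08 insomnia sshd[11562]: DNS lookup failed for \"216.231.201.31\".",
    "May 21 15:44:09 insomnia sshd[11562]: error: Could not load host key: /etc/ssh/ssh_host_key: No such file or directory",
    "May 21 15:44:16 euphoria /kernel: pid 3850 (vdelivermail), uid 89: exited on signal 11 (core dumped)",
    "May 21 15:48:39 insomnia sshd[11575]: DNS lookup failed for \"216.231.201.31\".",
    "May 21 15:51:35 insomnia sshd[11592]: DNS lookup failed for \"209.133.41.29\".",
    "May 21 16:27:44 euphoria /kernel: pid 4463 (vdelivermail), uid 89: exited on signal 11 (core dumped)",
    "May 21 16:36:17 euphoria /kernel: pid 4593 (vdelivermail), uid 89: exited on signal 11 (core dumped)",
};
#define NLOG (sizeof LOG / sizeof LOG[0])
#define MAXEV 64

typedef struct {
    long t;         /* seconds since midnight; every line above is May 21 */
    char host[32];
    int  is_segv;   /* kernel "exited on signal 11" line */
    char ip[16];    /* peer address from an sshd "DNS lookup failed" line, else "" */
} event;

/* Parse one syslog line. Returns 1 for a segfault or sshd-connection event,
 * 0 for anything else (e.g. the host-key errors, which name no peer). */
static int parse_line(const char *line, event *ev)
{
    char mon[4], host[32];
    int day, h, m, s, used = 0;
    memset(ev, 0, sizeof *ev);
    if (sscanf(line, "%3s %d %d:%d:%d %31s%n", mon, &day, &h, &m, &s, host, &used) != 6)
        return 0;
    ev->t = (long)h * 3600 + m * 60 + s;
    strcpy(ev->host, host);                 /* host is at most 31 chars (%31s) */
    const char *rest = line + used;
    if (strstr(rest, "exited on signal 11")) { ev->is_segv = 1; return 1; }
    const char *p = strstr(rest, "DNS lookup failed for \"");
    if (p && sscanf(p + strlen("DNS lookup failed for \""), "%15[0-9.]", ev->ip) == 1)
        return 1;
    return 0;
}

/* Parse every line into ev[]; returns the number of events kept. */
static int load_events(event *ev, int max)
{
    int n = 0;
    for (size_t i = 0; i < NLOG && n < max; i++)
        if (parse_line(LOG[i], &ev[n])) n++;
    return n;
}

/* Gap in seconds between segfault k and k+1 (k from 0), or -1 if none. */
static long segv_gap(int k)
{
    event ev[MAXEV]; long last = -1; int seen = 0;
    int n = load_events(ev, MAXEV);
    for (int i = 0; i < n; i++) {
        if (!ev[i].is_segv) continue;
        if (last >= 0 && seen++ == k) return ev[i].t - last;
        last = ev[i].t;
    }
    return -1;
}

/* sshd connections logged from one peer address. */
static int ssh_count(const char *ip)
{
    event ev[MAXEV]; int c = 0;
    int n = load_events(ev, MAXEV);
    for (int i = 0; i < n; i++) if (strcmp(ev[i].ip, ip) == 0) c++;
    return c;
}

/* Segfaults that had an sshd connection from any peer, on either host, in the
 * `window` seconds before them. A hit is only temporal proximity, not proof
 * of compromise, but it marks the core file worth looking at first. */
static int segv_near_ssh(long window)
{
    event ev[MAXEV]; int hits = 0;
    int n = load_events(ev, MAXEV);
    for (int i = 0; i < n; i++) {
        if (!ev[i].is_segv) continue;
        for (int j = 0; j < n; j++)
            if (ev[j].ip[0] && ev[j].t <= ev[i].t && ev[i].t - ev[j].t <= window) { hits++; break; }
    }
    return hits;
}

int main(void)
{
    for (int k = 0; segv_gap(k) >= 0; k++)
        printf("gap between segfault %d and %d: %ld s\n", k + 1, k + 2, segv_gap(k));
    printf("216.231.201.31: %d sshd connections\n", ssh_count("216.231.201.31"));
    printf("segfaults within 60 s of an sshd connection: %d\n", segv_near_ssh(60));
    return 0;
}
```

Two things the output makes visible that the raw lines do not: the segfault gaps are 311, 8383, 2608 and 513 seconds, i.e. irregular rather than the steady cadence of a retried delivery, and exactly one segfault (15:44:16 on euphoria) lands within a minute of an sshd connection (15:44:08 on insomnia). "DNS lookup failed" is only sshd failing to reverse-resolve the peer, which any address without a PTR record produces, and it says nothing about whether a login succeeded; that is why the example counts those lines as connections and nothing more.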

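Marc's concern is sprintf() into a fixed-size stack buffer such as the char tmp_buf[256] his grep turned up. The following is an added example and not vpopmail's code: a hypothetical path builder in the same shape (the "%s/%s/Maildir/" format, the DOMAIN_DIR layout and the function names are assumptions for illustration), next to the bounded form that checks snprintf()'s return value, plus a length helper so a suspect call site can be tested against its buffer size without executing it.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256   /* same size as the tmp_buf Marc's grep turned up */
/* Assumed directory layout, for illustration only. */
#define DOMAIN_DIR "/home/vpopmail/domains/example.com"

/* Shape of the suspect code: sprintf() into a fixed stack buffer. A user or
 * directory name long enough makes the write run past the end of tmp_buf.
 * Kept for comparison; the checks below never call it with oversized input,
 * because that is undefined behaviour. */
static void build_path_unsafe(char *tmp_buf, const char *dir, const char *user)
{
    sprintf(tmp_buf, "%s/%s/Maildir/", dir, user);
}

/* Bounded form. snprintf() returns the length the full string would have had,
 * so n >= size means the input did not fit. Returns 0 on success, -1 on
 * truncation, and leaves an empty string rather than a half-built path. */
static int build_path_safe(char *tmp_buf, size_t size, const char *dir, const char *user)
{
    int n = snprintf(tmp_buf, size, "%s/%s/Maildir/", dir, user);
    if (n < 0 || (size_t)n >= size) {
        if (size) tmp_buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Bytes the unsafe sprintf() would write, NUL included, for a given input. */
static size_t path_len_needed(const char *dir, const char *user)
{
    return strlen(dir) + strlen("/") + strlen(user) + strlen("/Maildir/") + 1;
}

/* 1 if that write would overflow a buffer of `size` bytes, else 0. */
static int would_overflow(const char *dir, const char *user, size_t size)
{
    return path_len_needed(dir, user) > size;
}

/* Ordinary input: both forms produce the same path. */
static int check_short_input(void)
{
    char a[PATH_BUF], b[PATH_BUF];
    build_path_unsafe(a, DOMAIN_DIR, "dan");
    return build_path_safe(b, sizeof b, DOMAIN_DIR, "dan") == 0
        && strcmp(a, b) == 0
        && strcmp(b, DOMAIN_DIR "/dan/Maildir/") == 0;
}

/* Constructed hostile input: a 300-byte local part. The unsafe form would
 * overflow; the safe form refuses and the length check predicts it. */
static int check_long_input(void)
{
    char user[301], buf[PATH_BUF];
    memset(user, 'A', 300);
    user[300] = '\0';
    return would_overflow(DOMAIN_DIR, user, PATH_BUF) == 1
        && build_path_safe(buf, sizeof buf, DOMAIN_DIR, user) == -1
        && buf[0] == '\0';
}

/* Off-by-one boundary: with dir "/d" the fixed text is 12 bytes plus NUL, so
 * a 243-byte user name is the longest that fits in 256 and 244 is the first
 * that does not. */
static int check_boundary(void)
{
    char user[245], buf[PATH_BUF];
    memset(user, 'u', 244);
    user[243] = '\0';                                    /* 243 chars */
    int fits = build_path_safe(buf, sizeof buf, "/d", user) == 0 && strlen(buf) == 255;
    user[243] = 'u'; user[244] = '\0';                   /* 244 chars */
    int overflows = build_path_safe(buf, sizeof buf, "/d", user) == -1
                 && would_overflow("/d", user, PATH_BUF) == 1;
    return fits && overflows;
}

int main(void)
{
    printf("short input ok: %d\n", check_short_input());
    printf("long input rejected: %d\n", check_long_input());
    printf("boundary correct: %d\n", check_boundary());
    return 0;
}
```

The important detail is that snprintf() alone is not the fix: it stops the memory write, but unless the return value is compared against the buffer size the caller silently continues with a truncated path, which is how a delivery meant for one mailbox ends up in another directory. Returning an error and clearing the buffer keeps the failure loud, which is also what turns a crash like the signal 11 above into a logged refusal.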

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?INECLODDPGBFIAKPNFKHGENMCBAA.subscribed>