Date: Mon, 21 May 2001 18:05:41 -0700
From: "Dan Graaff" <subscribed@de-net.org>
To: <freebsd-security@freebsd.org>
Subject: RE: Qmail + FreeBSD 4.3
Message-ID: <INECLODDPGBFIAKPNFKHGENMCBAA.subscribed@de-net.org>
In-Reply-To: <20010522012857.R366@shady.org>
Hey all..

It started again..

May 21 13:19:22 euphoria /kernel: pid 1387 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 13:24:33 euphoria /kernel: pid 1515 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 15:44:16 euphoria /kernel: pid 3850 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 16:27:44 euphoria /kernel: pid 4463 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 16:36:17 euphoria /kernel: pid 4593 (vdelivermail), uid 89: exited on signal 11 (core dumped)

This time I included the time :-/

Now, that's my mail server; the main webserver is getting strange IPs hitting it on SSH... I think I'm being attacked for sure..

May 21 15:43:24 insomnia sshd[11557]: DNS lookup failed for "216.231.201.31".
May 21 15:44:08 insomnia sshd[11562]: DNS lookup failed for "216.231.201.31".
May 21 15:44:09 insomnia sshd[11562]: error: ConnectionsPerPeriod has been deprecated!
May 21 15:44:09 insomnia sshd[11562]: error: Could not load host key: /etc/ssh/ssh_host_key: No such file or directory
May 21 15:44:09 insomnia sshd[11562]: error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key
May 21 15:48:39 insomnia sshd[11575]: DNS lookup failed for "216.231.201.31".
May 21 15:48:39 insomnia sshd[11575]: error: ConnectionsPerPeriod has been deprecated!
May 21 15:48:39 insomnia sshd[11575]: error: Could not load host key: /etc/ssh/ssh_host_key: No such file or directory
May 21 15:48:39 insomnia sshd[11575]: error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key
May 21 15:51:35 insomnia sshd[11592]: DNS lookup failed for "209.133.41.29".

There is no reason for people to be using SSH, or telnet! I have no non-staff shell accounts open! I THINK I'm being attacked and I can't figure out if they are penetrating or not..
Thanks a lot for your help,

-Dan Graaff / Digital
The DE-Network

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Marc Rogers
Sent: Monday, May 21, 2001 5:29 PM
To: freebsd-security@freebsd.org
Subject: Re: Qmail + FreeBSD 4.3

On Mon, May 21, 2001 at 12:27:34PM -0700, Dan Graaff wrote:
> Hello all..
>

Hello

> After the recent hacking of my affiliate, I'm starting to get worried about
> my own qmail boxes. One of them has had no errors for a month, now I'm
> starting to get these in my root mailers:
>
> xxxxxxx.xxxxxxxxxxx.xxx kernel log messages:
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> > pid 28411 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> > pid 28548 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> > pid 36631 (vdelivermail), uid 89: exited on signal 11 (core dumped)

<SNIP>

> > Any thoughts? Help?

Well, it won't be the first time that a virtual domains package has had an overflow of some kind in it. In fact, if memory serves me correctly, this was the same virtual domains package that had a hole in it that was released to bugtraq last year.

Looking at the most recent version of vpopmail.....

bash-2.04$ grep sprintf vdelivermail.c|wc -l
20

and a quick grep for two of the buffers found reveals....

vdelivermail.c: char tmp_buf[256];
configure:char tmpbuf[100];

I would suggest that this code has all the right conditions for a nasty buffer overflow. I haven't got the time to read through it tonight, as it's 1am and I'm too tired to be interested, though.

To be honest though, what you are seeing in your logs is more likely to be this code puking on something in mail, as it's happening a little too frequently to be an attacker. [What sort of time lapse is there between those segfaults?] I definitely wouldn't rule out the possibility though.

I would seriously think about a different virtual domains package. That code looks dangerous.

>
> -Dan Graaff / Digital
>

Marc Rogers
Technical Director
European Data Corporation

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message