Re: your mail - Mailing list pgsql-www
From | Tommy Gildseth |
---|---|
Subject | Re: your mail |
Date | |
Msg-id | 439C2D3D.20301@start.no |
In response to | Re: your mail ("Magnus Hagander" <mha@sollentuna.net>) |
List | pgsql-www |
If you know the local pickup time, you could always try grepping through the apache access logs for POST-requests around those times, ie. Dec 5 at 23:12. That is, of course, if the access logs are kept.

--
Tommy

Magnus Hagander wrote:
> First of all, it does seem reasonable that it's a web based piece of sw
> that did/does it because there are several references to
> www@svr2.postgresql.org in the Return-Path of the mails.
>
> On svr2, there are some mail-sending forms on the actual wwwmaster site,
> but AFAICT they all go to fixed addresses, and take user input only for
> contents.
> I have no idea wrt techdocs. There were also several other sites running
> it prior to the cleanup we did after someone broke into it earlier.
>
> As for that breakin, we discovered those processes on Nov 21st. But I
> see at least one mail from Dec 5th in the list Gavin sent, so it's
> clearly not that easy.
>
> Looking through some logs, it's very clear that this message was picked
> up locally and not relayed:
> maillog.5:Dec 5 23:12:48 svr2 postfix/pickup[33303]: 86C0EF276A: uid=80 from=<www>
> maillog.5:Dec 5 23:12:48 svr2 postfix/cleanup[33095]: 86C0EF276A: message-id=<20051205231248.86C0EF276A@svr2.postgresql.org>
> maillog.5:Dec 5 23:12:48 svr2 postfix/qmgr[4148]: 86C0EF276A: from=<www@svr2.postgresql.org>, size=3034, nrcpt=1 (queue active)
>
> (this is the mail at the very bottom of Gavins list)
>
> After this, it kept timing out for days before being delivered on Dec
> 8th.
>
> Unfortunately, all our websites run with the same userid, including
> zope...
>
> //Magnus
>
>> -----Original Message-----
>> From: Marc G. Fournier [mailto:scrappy@postgresql.org]
>> Sent: Sunday, December 11, 2005 9:15 AM
>> To: Gavin M. Roy
>> Cc: Marc G. Fournier; pgsql-www@postgresql.org; Josh Berkus; Magnus Hagander; Dave Page
>> Subject: Re: your mail
>>
>> On Sat, 10 Dec 2005, Gavin M. Roy wrote:
>>
>>> My next guess would be some sort of web based software that is being
>>> exploited to send mail. Zope perhaps? What sites are running off of
>>> srv2 and have any type of comment form that sends emails?
>>
>> Ah, okay ... that I'll have to defer to Dave et al ... Zope is running
>> over there for techdocs, and there was that python script that we just
>> recently found ... I'm having a bugger of a time reading the email(s)
>> you sent, since I can't seem to find where one ends and the next starts
>> ... the ones I've been able to 'pick out' all seem to revolve around
>> the 1st/2nd of December ... Magnus/Dave, was that about the same time
>> that we found those errant processes?
>>
>>> Gavin
>>>
>>> On Dec 10, 2005, at 11:36 PM, Marc G. Fournier wrote:
>>>
>>>> First I've seen of this, sorry it was overlooked ...
>>>>
>>>> But, borg isn't an open relay:
>>>>
>>>> %rlytest -f scrappy@postgresql.org -u scrappy@hub.org borg.postgresql.org
>>>> Connecting to borg.postgresql.org ...
>>>> <<< 220 borg.postgresql.org ESMTP Sendmail 8.13.1/8.13.1; Sat, 10 Dec 2005 23:31:26 -0800 (PST)
>>>> >>> HELO postgresql.org
>>>> <<< 250 borg.postgresql.org Hello postgresql.org [200.46.204.71], pleased to meet you
>>>> >>> MAIL FROM:<scrappy@postgresql.org>
>>>> <<< 250 2.1.0 <scrappy@postgresql.org>... Sender ok
>>>> >>> RCPT TO:<scrappy@hub.org>
>>>> <<< 550 5.7.1 <scrappy@hub.org>... Relaying denied
>>>> rlytest: relay rejected - final response code 550
>>>>
>>>> And I just checked svr2.postgresql.org, and she's closed from what I
>>>> can tell also:
>>>>
>>>> # telnet svr2.postgresql.org smtp
>>>> Trying 65.19.161.25...
>>>> Connected to svr2.postgresql.org.
>>>> Escape character is '^]'.
>>>> 220 svr2.postgresql.org ESMTP Postfix
>>>> ehlo hub.org
>>>> 250-svr2.postgresql.org
>>>> 250-PIPELINING
>>>> 250-SIZE 10240000
>>>> 250-VRFY
>>>> 250-ETRN
>>>> 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
>>>> 250 8BITMIME
>>>> mail from: scrappy@hub.org
>>>> 250 Ok
>>>> rcpt to: scrappy@freebsd.org
>>>> 554 <scrappy@freebsd.org>: Relay access denied
>>>>
>>>> Is there something else I should be testing/checking for?
>>>>
>> ----
>> Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
>> Email: scrappy@hub.org           Yahoo!: yscrappy              ICQ: 7615664
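A worked version of Tommy's suggestion, added here and not part of the original thread: it picks out postfix pickups submitted locally by the web server's uid (assumed to be 80, as in the maillog Magnus quoted) and lists the Apache POST requests logged within a few seconds of each one. The maillog lines are modelled on the quoted entry for 86C0EF276A; the access log lines, client IPs and paths are constructed, and both logs are assumed to be in the same timezone.

```python
import re
from datetime import datetime

# Constructed sample input. The first maillog line mirrors the pickup entry
# quoted in the thread; the access log and the second queue id are invented.
MAILLOG = """\
Dec  5 23:12:48 svr2 postfix/pickup[33303]: 86C0EF276A: uid=80 from=<www>
Dec  5 23:12:48 svr2 postfix/cleanup[33095]: 86C0EF276A: message-id=<20051205231248.86C0EF276A@svr2.postgresql.org>
Dec  5 23:40:02 svr2 postfix/pickup[33303]: 1B2C3D4E5F: uid=0 from=<root>
"""
ACCESS_LOG = """\
10.0.0.5 - - [05/Dec/2005:23:12:40 +0000] "GET /contact.html HTTP/1.1" 200 1532
10.0.0.5 - - [05/Dec/2005:23:12:47 +0000] "POST /contact.py HTTP/1.1" 200 312
10.0.0.9 - - [05/Dec/2005:23:25:10 +0000] "POST /comments/add HTTP/1.1" 302 0
"""

# syslog timestamp, queue id and uid from a postfix/pickup line
PICKUP_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<")
# client, timestamp (tz offset dropped), method, path and status from a combined-log line
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[(\S+) [^\]]*\] "(\w+) (\S+) [^"]*" (\d{3})')

def local_pickups(maillog, uid, year):
    """(queue id, timestamp) for mails handed to postfix locally by `uid`.
    Syslog lines carry no year, so the caller supplies it."""
    found = []
    for line in maillog.splitlines():
        m = PICKUP_RE.match(line)
        if m and m.group(3) == uid:
            stamp = " ".join(m.group(1).split())  # collapse "Dec  5" padding
            found.append((m.group(2), datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")))
    return found

def posts_in_window(access_log, centre, window_s):
    """(client, path, status) of POSTs logged within +/- window_s of `centre`."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m.group(3) != "POST":
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        if abs((ts - centre).total_seconds()) <= window_s:
            hits.append((m.group(1), m.group(4), m.group(5)))
    return hits

def correlate(maillog, access_log, uid="80", year=2005, window_s=30):
    """Map each web-uid pickup queue id to the POST requests that landed near it."""
    return {qid: posts_in_window(access_log, ts, window_s)
            for qid, ts in local_pickups(maillog, uid, year)}
```

Because every site on svr2 runs under the same uid, a match only narrows the search to the forms that received a POST in the window; the matching script still has to be confirmed on the host.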