Re: postfix on wwwmaster.postgresql.org is shut down ... - Mailing list pgsql-www

From Magnus Hagander
Subject Re: postfix on wwwmaster.postgresql.org is shut down ...
Date
Msg-id 6BCB9D8A16AC4241919521715F4D8BCE92E92A@algol.sollentuna.se
In response to postfix on wwwmaster.postgresql.org is shut down ...  ("Marc G. Fournier" <scrappy@postgresql.org>)
Responses Re: postfix on wwwmaster.postgresql.org is shut down ...
List pgsql-www
> There are 23k messages in the queue right now that have been
> 'received from localhost' by user www@svr2.postgresql.org ...
> someone is making use of a 'hole' in one of our CGIs, but I
> can't seem to figure out which one, so have let Dave/Magnus
> know and hopefully they can figure out which one ...
>
> Until we've found and plugged the hole, postfix is down ...
> if someone reports a problem with sending an email, please
> let us know ...


Problem identified.

There was a horribly old and outdated version of awstats.pl on the
system, that was for some reason linked in and possible to use without
any authentication or anything. There are known security issues in it,
and adding logging everywhere showed that that's what was exploited
using the srv2.postgresql.org virtual server (which isn't even in use).

I've disabled it in apache and removed the files from the server as
well.

Yet another example of why it's overdue that we're doing something about
all the stuff that's installed and active, but not actually used :-( But
as that is work in progress now, I'll just wait for that to get done :-)

I've re-enabled postfix after deleting all the spam in the queue.

If someone wants to pursue it (Gavin?), the hits came in from
66.98.214.41, which is on ev1servers.net. There are still log files
available showing four requests to it that coincided perfectly with spam
mail entering the queue.

//Magnus
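
The correlation described in the message above (requests to the stats CGI lining up with mail entering the queue) can be checked mechanically. The following is an added example, not part of the original message or the project's tooling. The log lines, addresses, year, the `/cgi-bin/awstats.pl` path, the `www` sender and the 5-second window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the incident): Apache access log and Postfix syslog lines.
ACCESS_LOG = """\
203.0.113.7 - - [03/Mar/2005:04:12:05 +0000] "GET /cgi-bin/awstats.pl?config=x HTTP/1.0" 200 512
198.51.100.9 - - [03/Mar/2005:04:13:40 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [03/Mar/2005:04:20:31 +0000] "GET /cgi-bin/awstats.pl?config=x HTTP/1.0" 200 512
"""
MAIL_LOG = """\
Mar  3 04:12:06 www postfix/pickup[911]: 1A2B3C4D5E: uid=80 from=<www>
Mar  3 04:12:07 www postfix/pickup[911]: 2B3C4D5E6F: uid=80 from=<www>
Mar  3 04:16:00 www postfix/pickup[911]: 3C4D5E6F70: uid=0 from=<root>
Mar  3 04:20:32 www postfix/pickup[911]: 4D5E6F7081: uid=80 from=<www>
"""

HIT = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')
PICKUP = re.compile(r'^(\w{3}\s+\d+ [\d:]+) \S+ postfix/pickup\[\d+\]: (\w+): uid=\d+ from=<([^>]*)>')

def cgi_hits(log, script="awstats.pl"):
    """Return (time, client, url) for every request whose path names the script."""
    out = []
    for line in log.splitlines():
        m = HIT.match(line)
        if m and script in m.group(3).split("?")[0]:
            ts = datetime.strptime(m.group(2)[:20], "%d/%b/%Y:%H:%M:%S")  # offset ignored
            out.append((ts, m.group(1), m.group(3)))
    return out

def local_pickups(log, year, sender="www"):
    """Return (time, queue_id) for mail submitted locally by the web server user."""
    out = []
    for line in log.splitlines():
        m = PICKUP.match(line)
        if m and m.group(3) == sender:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2)))
    return out

def correlate(hits, pickups, window=timedelta(seconds=5)):
    """Map each CGI hit to the queue ids picked up within `window` after it."""
    return {(ts, ip): [q for pt, q in pickups if ts <= pt <= ts + window]
            for ts, ip, _ in hits}

if __name__ == "__main__":
    result = correlate(cgi_hits(ACCESS_LOG), local_pickups(MAIL_LOG, 2005))
    for (ts, ip), queue_ids in result.items():
        print(ts, ip, queue_ids)
```

Syslog timestamps carry no year, so it is passed in explicitly; both logs are assumed to be in the same time zone.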
