If you know the local pickup time, you could always try grepping through
the apache access logs for POST requests around those times, i.e. Dec 5
at 23:12.
That is, of course, if the access logs are kept.
--
Tommy
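A script along the lines of what Tommy suggests, as an added example that is not part of this thread or of the postgresql.org infrastructure: it parses Postfix pickup lines of the kind Magnus quotes below (uid=80 from=<www>, i.e. a message submitted locally by the web server's user rather than relayed) and lists POST requests from the Apache access log that fall within a window around each pickup. The log lines embedded in it are constructed samples in the standard syslog and Apache combined-log formats, not real svr2 logs; the year (syslog timestamps carry none), the uid 80 = www mapping, the 60-second window, and the assumption that both logs come from the same host and timezone (so local wall-clock times can be compared directly) are all assumptions of the example.

```python
"""Correlate local Postfix pickup events with Apache POST requests.

Added example, not code from the thread. Assumes default syslog timestamps
in maillog (no year, local time) and the Apache combined log format (local
time with offset); both are compared as local wall-clock time, so the logs
must come from the same host and timezone.
"""
import re
from datetime import datetime

# Constructed sample lines modelled on the formats above; not real svr2 logs.
MAILLOG = """\
Dec  5 23:12:48 svr2 postfix/pickup[33303]: 86C0EF276A: uid=80 from=<www>
Dec  5 23:12:48 svr2 postfix/cleanup[33095]: 86C0EF276A: message-id=<20051205231248.86C0EF276A@svr2.postgresql.org>
Dec  5 23:12:48 svr2 postfix/qmgr[4148]: 86C0EF276A: from=<www@svr2.postgresql.org>, size=3034, nrcpt=1 (queue active)
Dec  5 23:40:02 svr2 postfix/pickup[33303]: 1A2B3C4D5E: uid=1001 from=<tommy>
"""

ACCESS_LOG = """\
203.0.113.7 - - [05/Dec/2005:23:11:05 +0100] "GET /contact.html HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [05/Dec/2005:23:12:47 +0100] "POST /cgi-bin/contact.cgi HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.9 - - [05/Dec/2005:23:12:50 +0100] "GET /index.html HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Dec/2005:23:25:13 +0100] "POST /techdocs/comment HTTP/1.0" 200 512 "-" "curl/7.15"
"""

PICKUP_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<from>[^>]*)>"
)
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_pickup(line, year):
    """Parse one postfix/pickup syslog line; the year is supplied by the caller."""
    m = PICKUP_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "qid": m["qid"], "uid": int(m["uid"]), "from": m["from"]}


def parse_access(line):
    """Parse one Apache combined-log line into a dict (None if it doesn't match)."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # Drop the UTC offset: syslog has none, so compare local wall-clock times.
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return {"time": ts, "client": m["client"], "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def local_pickups(maillog, year, uid=80):
    """Pickup events submitted by the given uid (80 = www here; None = any uid)."""
    out = []
    for line in maillog.splitlines():
        p = parse_pickup(line, year)
        if p and (uid is None or p["uid"] == uid):
            out.append(p)
    return out


def correlate(maillog, access_log, year, window=60, uid=80):
    """Return (queue_id, client, path, delta_seconds) for every POST that hit the
    web server within +/- window seconds of a local pickup by uid.
    delta is request time minus pickup time, so a negative value means the
    request arrived just before Postfix picked the message up."""
    requests = [r for r in map(parse_access, access_log.splitlines())
                if r and r["method"] == "POST"]
    hits = []
    for p in local_pickups(maillog, year, uid):
        for r in requests:
            delta = (r["time"] - p["time"]).total_seconds()
            if abs(delta) <= window:
                hits.append((p["qid"], r["client"], r["path"], int(delta)))
    return sorted(hits, key=lambda h: (h[0], abs(h[3])))


if __name__ == "__main__":
    for qid, client, path, delta in correlate(MAILLOG, ACCESS_LOG, 2005):
        print(f"{qid}: POST {path} from {client} ({delta:+d}s relative to pickup)")
```

Against the sample data this pairs queue id 86C0EF276A with the POST to /cgi-bin/contact.cgi one second before pickup and ignores the pickup by uid 1001; widening the window to a few hundred seconds also pulls in the later POST to /techdocs/comment, which is the kind of noise that makes a tight window worth using when the pickup timestamp is known to the second.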
Magnus Hagander wrote:
> First of all, it does seem reasonable that it's a web based piece of sw
> that did/does it because there are several references to
> www@svr2.postgresql.org in the Return-Path of the mails.
>
> On svr2, there are some mail-sending forms on the actual wwwmaster site,
> but AFAICT they all go to fixed addresses, and take user input only for
> contents.
> I have no idea wrt techdocs. There were also several other sites running
> it prior to the cleanup we did after someone broke into it earlier.
>
> As for that breakin, we discovered those processes on Nov 21st. But I
> see at least one mail from Dec 5th in the list Gavin sent, so it's
> clearly not that easy.
>
> Looking through some logs, it's very clear that this message was picked
> up locally and not relayed:
> maillog.5:Dec 5 23:12:48 svr2 postfix/pickup[33303]: 86C0EF276A: uid=80 from=<www>
> maillog.5:Dec 5 23:12:48 svr2 postfix/cleanup[33095]: 86C0EF276A: message-id=<20051205231248.86C0EF276A@svr2.postgresql.org>
> maillog.5:Dec 5 23:12:48 svr2 postfix/qmgr[4148]: 86C0EF276A: from=<www@svr2.postgresql.org>, size=3034, nrcpt=1 (queue active)
>
> (this is the mail at the very bottom of Gavins list)
>
> After this, it kept timing out for days before being delivered on Dec
> 8th.
>
>
>
> Unfortunately, all our websites run with the same userid, including
> zope...
>
> //Magnus
>
>
>
>>-----Original Message-----
>>From: Marc G. Fournier [mailto:scrappy@postgresql.org]
>>Sent: Sunday, December 11, 2005 9:15 AM
>>To: Gavin M. Roy
>>Cc: Marc G. Fournier; pgsql-www@postgresql.org; Josh Berkus;
>>Magnus Hagander; Dave Page
>>Subject: Re: your mail
>>
>>On Sat, 10 Dec 2005, Gavin M. Roy wrote:
>>
>>
>>>My next guess would be some sort of web based software that is being
>>>exploited to send mail. Zope perhaps? What sites are running off of
>>>srv2 and have any type of comment form that sends emails?
>>
>>Ah, okay ... that I'll have to defer to Dave et al ... Zope
>>is running over there for techdocs, and there was that python
>>script that we just recently found ... I'm having a bugger of
>>a time reading the email(s) you sent, since I can't seem to
>>find where one ends and the next starts ...
>>the ones I've been able to 'pick out' all seem to revolve
>>around the 1st/2nd of December ... Magnus/Dave, was that
>>about the same time that we found those errant processes?
>>
>>
>> >
>>
>>>Gavin
>>>
>>>On Dec 10, 2005, at 11:36 PM, Marc G. Fournier wrote:
>>>
>>>
>>>>First I've seen of this, sorry it was overlooked ...
>>>>
>>>>But, borg isn't an open relay:
>>>>
>>>>%rlytest -f scrappy@postgresql.org -u scrappy@hub.org borg.postgresql.org
>>>>Connecting to borg.postgresql.org ...
>>>><<< 220 borg.postgresql.org ESMTP Sendmail 8.13.1/8.13.1; Sat, 10 Dec 2005 23:31:26 -0800 (PST)
>>>>
>>>>>>>HELO postgresql.org
>>>>
>>>><<< 250 borg.postgresql.org Hello postgresql.org [200.46.204.71],
>>>>pleased to meet you
>>>>
>>>>>>>MAIL FROM:<scrappy@postgresql.org>
>>>>
>>>><<< 250 2.1.0 <scrappy@postgresql.org>... Sender ok
>>>>
>>>>>>>RCPT TO:<scrappy@hub.org>
>>>>
>>>><<< 550 5.7.1 <scrappy@hub.org>... Relaying denied
>>>>rlytest: relay rejected - final response code 550
>>>>
>>>>
>>>>And I just checked svr2.postgresql.org, and she's closed from what I
>>>>can tell also:
>>>>
>>>># telnet svr2.postgresql.org smtp
>>>>Trying 65.19.161.25...
>>>>Connected to svr2.postgresql.org.
>>>>Escape character is '^]'.
>>>>220 svr2.postgresql.org ESMTP Postfix
>>>>ehlo hub.org
>>>>250-svr2.postgresql.org
>>>>250-PIPELINING
>>>>250-SIZE 10240000
>>>>250-VRFY
>>>>250-ETRN
>>>>250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
>>>>250 8BITMIME
>>>>mail from: scrappy@hub.org
>>>>250 Ok
>>>>rcpt to: scrappy@freebsd.org
>>>>554 <scrappy@freebsd.org>: Relay access denied
>>>>
>>>>
>>>>Is there something else I should be testing/checking for?
>>>>
>>>>
>>>>
>>>
>>----
>>Marc G. Fournier Hub.Org Networking Services
>>(http://www.hub.org)
>>Email: scrappy@hub.org Yahoo!: yscrappy
>> ICQ: 7615664
>>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/docs/faq
>