Thread: Re: your mail

From: "Magnus Hagander"
Yes. But they're not, because of the horrible performance of any I/O
operation in a unionfs VM...

//Magnus


> -----Original Message-----
>
> If you know the local pickup time, you could always try
> grepping through the apache access logs for POST-requests
> around those times, i.e. Dec 5 at 23:12.
> That is, of course, if the access logs are kept.
>
> --
> Tommy
>
> Magnus Hagander wrote:
> > First of all, it does seem reasonable that it's a web based piece of
> > sw that did/does it because there are several references to
> > www@svr2.postgresql.org in the Return-Path of the mails.
> >
> > On svr2, there are some mail-sending forms on the actual wwwmaster
> > site, but AFAICT they all go to fixed addresses, and take user input
> > only for contents.
> > I have no idea wrt techdocs. There were also several other sites
> > running it prior to the cleanup we did after someone broke into it earlier.
> >
> > As for that breakin, we discovered those processes on Nov 21st. But I
> > see at least one mail from Dec 5th in the list Gavin sent, so it's
> > clearly not that easy.
> >
> > Looking through some logs, it's very clear that this message was
> > picked up locally and not relayed:
> > maillog.5:Dec  5 23:12:48 svr2 postfix/pickup[33303]: 86C0EF276A: uid=80 from=<www>
> > maillog.5:Dec  5 23:12:48 svr2 postfix/cleanup[33095]: 86C0EF276A: message-id=<20051205231248.86C0EF276A@svr2.postgresql.org>
> > maillog.5:Dec  5 23:12:48 svr2 postfix/qmgr[4148]: 86C0EF276A: from=<www@svr2.postgresql.org>, size=3034, nrcpt=1 (queue active)
> >
> > (this is the mail at the very bottom of Gavin's list)
> >
> > After this, it kept timing out for days before being delivered on Dec
> > 8th.
> >
> >
> >
> > Unfortunately, all our websites run with the same userid, including
> > zope...
> >
> > //Magnus
> >
> >
> >
> >>-----Original Message-----
> >>From: Marc G. Fournier [mailto:scrappy@postgresql.org]
> >>Sent: Sunday, December 11, 2005 9:15 AM
> >>To: Gavin M. Roy
> >>Cc: Marc G. Fournier; pgsql-www@postgresql.org; Josh Berkus; Magnus
> >>Hagander; Dave Page
> >>Subject: Re: your mail
> >>
> >>On Sat, 10 Dec 2005, Gavin M. Roy wrote:
> >>
> >>
> >>>My next guess would be some sort of web based software that is being
> >>>exploited to send mail.  Zope perhaps?  What sites are running off of
> >>>srv2 and have any type of comment form that sends emails?
> >>
> >>Ah, okay ... that I'll have to defer to Dave et al ... Zope is running
> >>over there for techdocs, and there was that python script that we just
> >>recently found ... I'm having a bugger of a time reading the email(s)
> >>you sent, since I can't seem to find where one ends and the next
> >>starts ...
> >>the ones I've been able to 'pick out' all seem to revolve around the
> >>1st/2nd of December ... Magnus/Dave, was that about the same time that
> >>we found those errant processes?
> >>
> >>>Gavin
> >>>
> >>>On Dec 10, 2005, at 11:36 PM, Marc G. Fournier wrote:
> >>>
> >>>
> >>>>First I've seen of this, sorry it was overlooked ...
> >>>>
> >>>>But, borg isn't an open relay:
> >>>>
> >>>>%rlytest -f scrappy@postgresql.org -u scrappy@hub.org borg.postgresql.org
> >>>>Connecting to borg.postgresql.org ...
> >>>><<< 220 borg.postgresql.org ESMTP Sendmail 8.13.1/8.13.1; Sat, 10 Dec 2005 23:31:26 -0800 (PST)
> >>>>
> >>>>>>>HELO postgresql.org
> >>>>
> >>>><<< 250 borg.postgresql.org Hello postgresql.org [200.46.204.71],
> >>>>pleased to meet you
> >>>>
> >>>>>>>MAIL FROM:<scrappy@postgresql.org>
> >>>>
> >>>><<< 250 2.1.0 <scrappy@postgresql.org>... Sender ok
> >>>>
> >>>>>>>RCPT TO:<scrappy@hub.org>
> >>>>
> >>>><<< 550 5.7.1 <scrappy@hub.org>... Relaying denied
> >>>>rlytest: relay rejected - final response code 550
> >>>>
> >>>>
> >>>>And I just checked svr2.postgresql.org, and she's closed from what I
> >>>>can tell also:
> >>>>
> >>>># telnet svr2.postgresql.org smtp
> >>>>Trying 65.19.161.25...
> >>>>Connected to svr2.postgresql.org.
> >>>>Escape character is '^]'.
> >>>>220 svr2.postgresql.org ESMTP Postfix
> >>>>ehlo hub.org
> >>>>250-svr2.postgresql.org
> >>>>250-PIPELINING
> >>>>250-SIZE 10240000
> >>>>250-VRFY
> >>>>250-ETRN
> >>>>250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
> >>>>250 8BITMIME
> >>>>mail from: scrappy@hub.org
> >>>>250 Ok
> >>>>rcpt to: scrappy@freebsd.org
> >>>>554 <scrappy@freebsd.org>: Relay access denied
> >>>>
> >>>>
> >>>>Is there something else I should be testing/checking for?
> >>>>
> >>>>
> >>>>
> >>>
> >>----
> >>Marc G. Fournier           Hub.Org Networking Services
> >>(http://www.hub.org)
> >>Email: scrappy@hub.org           Yahoo!: yscrappy
> >> ICQ: 7615664
> >>
>
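
The log correlation suggested in this thread (take the local pickup times for uid=80 from the Postfix maillog, then look for POST requests in the Apache access log around those times), as an added example that is not part of the original messages. The sample log lines are constructed, the function names are hypothetical, and it assumes the common/combined access-log format and that both logs use the same local clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs; only the first pickup line mirrors the thread.
MAILLOG = """\
Dec  5 23:12:48 svr2 postfix/pickup[33303]: 86C0EF276A: uid=80 from=<www>
Dec  5 23:40:02 svr2 postfix/pickup[33303]: 9A1B2C3D4E: uid=1001 from=<alice>
"""
ACCESS_LOG = """\
192.0.2.10 - - [05/Dec/2005:23:12:47 +0000] "POST /example/form.py HTTP/1.1" 200 512
192.0.2.11 - - [05/Dec/2005:23:12:40 +0000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.12 - - [05/Dec/2005:22:01:00 +0000] "POST /example/other.py HTTP/1.1" 200 77
"""

PICKUP = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/pickup\[\d+\]: '
                    r'(\w+): uid=(\d+) ')
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+?) [+-]\d{4}\] "(\S+) (\S+)')

def local_pickups(maillog, uid, year):
    """Return (queue_id, time) for mail submitted locally by the given uid."""
    out = []
    for line in maillog.splitlines():
        m = PICKUP.match(line)
        if m and int(m.group(3)) == uid:
            # Syslog timestamps carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((m.group(2), ts))
    return out

def posts_near(access_log, when, window=timedelta(seconds=30)):
    """Return (client, path, time) for POSTs within +/- window of `when`."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS.match(line)
        if not m or m.group(3) != "POST":
            continue
        # Offset dropped: assumes both logs use the same local clock.
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S")
        if abs(ts - when) <= window:
            hits.append((m.group(1), m.group(4), ts))
    return hits

def correlate(maillog, access_log, uid=80, year=2005):
    """Map each local-pickup queue ID to the POST requests logged near it."""
    return {qid: posts_near(access_log, ts)
            for qid, ts in local_pickups(maillog, uid, year)}

if __name__ == "__main__":
    print(correlate(MAILLOG, ACCESS_LOG))
```

Because every site on the host runs under the same uid, the pickup line alone cannot name the responsible application; the request path in the matching access-log entry is what narrows it down.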