Thread: postfix on wwwmaster.postgresql.org is shut down ...

postfix on wwwmaster.postgresql.org is shut down ...

From: "Marc G. Fournier"
Date:
There are 23k messages in the queue right now that have been 'received
from localhost' by user www@svr2.postgresql.org ... someone is making use
of a 'hole' in one of our CGIs, but I can't seem to figure out which one,
so I have let Dave/Magnus know and hopefully they can figure out which one
...

Until we've found and plugged the hole, postfix is down ... if someone
reports a problem with sending an email, please let us know ...

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org           Yahoo!: yscrappy              ICQ: 7615664

Re: postfix on wwwmaster.postgresql.org is shut down ...

From: "Magnus Hagander"
Date: Dec 16, 2005, 12:48 PM
> There are 23k messages in the queue right now that have been
> 'received from localhost' by user www@svr2.postgresql.org ...
> someone is making use of a 'hole' in one of our CGIs, but I
> can't seem to figure out which one, so have let Dave/Magnus
> know and hopefully they can figure out which one ...
>
> Until we've found and plugged the hole, postfix is down ...
> if someone reports a problem with sending an email, please
> let us know ...


Problem identified.

There was a horribly old and outdated version of awstats.pl on the
system that was, for some reason, linked in and possible to use without
any authentication or anything. There are known security issues in it,
and adding logging everywhere showed that that's what was exploited,
using the srv2.postgresql.org virtual server (which isn't even in use).

I've disabled it in apache and removed the files from the server as
well.

Yet another example of why it's overdue that we do something about
all the stuff that's installed and active but not actually used :-( But
as that is work in progress now, I'll just wait for that to get done :-)

I've re-enabled postfix after deleting all the spam in the queue.

If someone wants to pursue it (Gavin?), the hits came in from
66.98.214.41, which is on ev1servers.net. There are still log files
available showing four requests to it that coincided perfectly with spam
mail entering the queue.

//Magnus
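The log correlation Magnus describes (adding logging, then matching requests to the CGI against spam entering the queue), written out as an added example; this is not code from the thread or from postgresql.org's servers. It assumes a vhost-prefixed Apache combined log, Postfix pickup lines in the maillog, and that the web server and syslog share a local time zone. All log lines inside are constructed for the example, not taken from the incident; only the attacker address and the awstats.pl path come from the thread, and the host name, which the thread spells both 'svr2' and 'srv2', is written 'svr2' throughout.

```python
"""Correlate CGI requests in an Apache access log with Postfix pickup events.

Added example, not code from the thread or from postgresql.org's infrastructure.
Assumptions (not stated in the thread):
  - Apache logs the vhost first: LogFormat "%v %h %l %u %t \"%r\" %>s %b"
  - the web server and syslog write timestamps in the same local time zone
  - mail from the CGI enters Postfix through the pickup daemon, logged as
    'postfix/pickup[pid]: QUEUEID: uid=NN from=<user@host>'
The log lines below are constructed for the example, not taken from the incident.
"""
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

ACCESS_LOG = """\
svr2.postgresql.org 66.98.214.41 - - [16/Dec/2005:12:40:00 +0100] "GET /cgi-bin/awstats.pl?config=svr2 HTTP/1.0" 200 2310
www.postgresql.org 192.0.2.10 - - [16/Dec/2005:12:40:02 +0100] "GET /index.html HTTP/1.1" 200 8192
svr2.postgresql.org 66.98.214.41 - - [16/Dec/2005:12:41:10 +0100] "GET /cgi-bin/awstats.pl?config=svr2 HTTP/1.0" 200 2310
www.postgresql.org 192.0.2.11 - - [16/Dec/2005:12:42:00 +0100] "GET /docs/ HTTP/1.1" 200 4096
svr2.postgresql.org 66.98.214.41 - - [16/Dec/2005:12:42:30 +0100] "GET /cgi-bin/awstats.pl?config=svr2 HTTP/1.0" 200 2310
svr2.postgresql.org 66.98.214.41 - - [16/Dec/2005:12:45:05 +0100] "GET /cgi-bin/awstats.pl?config=svr2 HTTP/1.0" 200 2310
"""

MAILLOG = """\
Dec 16 12:40:01 svr2 postfix/pickup[4021]: 1A2B3C4D01: uid=80 from=<www@svr2.postgresql.org>
Dec 16 12:40:01 svr2 postfix/pickup[4021]: 1A2B3C4D02: uid=80 from=<www@svr2.postgresql.org>
Dec 16 12:40:03 svr2 postfix/pickup[4021]: 1A2B3C4D03: uid=80 from=<www@svr2.postgresql.org>
Dec 16 12:41:11 svr2 postfix/pickup[4021]: 1A2B3C4D04: uid=80 from=<www@svr2.postgresql.org>
Dec 16 12:41:12 svr2 postfix/pickup[4021]: 1A2B3C4D05: uid=80 from=<www@svr2.postgresql.org>
Dec 16 12:42:31 svr2 postfix/pickup[4021]: 1A2B3C4D06: uid=80 from=<www@svr2.postgresql.org>
Dec 16 12:43:00 svr2 postfix/pickup[4021]: 1A2B3C4D07: uid=1001 from=<magnus@svr2.postgresql.org>
Dec 16 12:45:06 svr2 postfix/pickup[4021]: 1A2B3C4D08: uid=80 from=<www@svr2.postgresql.org>
Dec 16 12:50:00 svr2 postfix/pickup[4021]: 1A2B3C4D09: uid=80 from=<www@svr2.postgresql.org>
"""

Hit = namedtuple("Hit", "ts vhost client target status")
Pickup = namedtuple("Pickup", "ts qid uid sender")

ACCESS_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
PICKUP_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/pickup\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>'
)


def parse_access(text):
    """Parse vhost-prefixed combined-format lines. The UTC offset is dropped so
    the timestamp compares directly with syslog's local time (assumption above)."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        hits.append(Hit(ts, m["vhost"], m["client"], m["target"], int(m["status"])))
    return hits


def parse_pickup(text, year):
    """Parse Postfix pickup lines; syslog omits the year, so the caller supplies it."""
    pickups = []
    for line in text.splitlines():
        m = PICKUP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        pickups.append(Pickup(ts, m["qid"], int(m["uid"]), m["sender"]))
    return pickups


def correlate(hits, pickups, cgi="awstats.pl", sender_user="www", window=timedelta(seconds=5)):
    """Attribute each queue entry submitted by the web-server user to the most
    recent request for the suspect CGI within `window`. Returns the matched
    requests with the queue IDs each one explains, the queue IDs no request
    explains, and a per-client count of matched requests."""
    cgi_hits = [h for h in hits if cgi in h.target]
    matches = defaultdict(list)
    unexplained = []
    for p in pickups:
        if p.sender.split("@", 1)[0] != sender_user:
            continue  # submitted by a real user, not by the web server
        candidates = [h for h in cgi_hits if timedelta(0) <= p.ts - h.ts <= window]
        if candidates:
            matches[max(candidates, key=lambda h: h.ts)].append(p.qid)
        else:
            unexplained.append(p.qid)
    clients = Counter(h.client for h in matches)
    return {"matches": dict(matches), "unexplained": unexplained, "clients": clients}


def build_report(access_log, maillog, year=2005, **kwargs):
    return correlate(parse_access(access_log), parse_pickup(maillog, year), **kwargs)


if __name__ == "__main__":
    report = build_report(ACCESS_LOG, MAILLOG)
    for hit, qids in sorted(report["matches"].items()):
        print(f"{hit.ts} {hit.client} {hit.vhost} {hit.target} -> {len(qids)} queued: {', '.join(qids)}")
    print("www submissions with no preceding request:", report["unexplained"])
    print("matched requests per client:", dict(report["clients"]))
```

Run as a script it prints which request explains which queue IDs. A submission by the www user with no preceding CGI request inside the window is listed separately; that is the case to chase next, since it means either the window is too tight or a second entry point exists, and it is the check that would have told Magnus whether awstats.pl was the only hole.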

Re: postfix on wwwmaster.postgresql.org is shut down ...

From: "Gavin M. Roy"
Date: Fri, 16 Dec 2005
Thanks, I'll send an abuse complaint to ev1, like they'll do anything.

Regards,

Gavin

On Dec 16, 2005, at 12:48 PM, Magnus Hagander wrote:

>> There are 23k messages in the queue right now that have been
>> 'received from localhost' by user www@svr2.postgresql.org ...
>> someone is making use of a 'hole' in one of our CGIs, but I
>> can't seem to figure out which one, so have let Dave/Magnus
>> know and hopefully they can figure out which one ...
>>
>> Until we've found and plugged the hole, postfix is down ...
>> if someone reports a problem with sending an email, please
>> let us know ...
>
>
> Problem identified.
>
> There was a horribly old and outdated version of awstats.pl on the
> system that was, for some reason, linked in and possible to use without
> any authentication or anything. There are known security issues in it,
> and adding logging everywhere showed that that's what was exploited,
> using the srv2.postgresql.org virtual server (which isn't even in use).
>
> I've disabled it in apache and removed the files from the server as
> well.
>
> Yet another example of why it's overdue that we do something about
> all the stuff that's installed and active but not actually used :-( But
> as that is work in progress now, I'll just wait for that to get done :-)
>
> I've re-enabled postfix after deleting all the spam in the queue.
>
> If someone wants to pursue it (Gavin?), the hits came in from
> 66.98.214.41, which is on ev1servers.net. There are still log files
> available showing four requests to it that coincided perfectly with spam
> mail entering the queue.
>
> //Magnus

Gavin M. Roy
800 Pound Gorilla
gmr@ehpg.net

Re: postfix on wwwmaster.postgresql.org is shut down

From: "Marc G. Fournier"
Date:
Just double-checked, and it isn't *our* server there ... was getting a
bit worried that somehow someone was spamming through the bt server or
something *wipe brow*

On Fri, 16 Dec 2005, Gavin M. Roy wrote:

> Thanks, I'll send an abuse complaint to ev1, like they'll do anything.
>
> Regards,
>
> Gavin

----
Marc G. Fournier           Hub.Org Networking Services (http://www.hub.org)
Email: scrappy@hub.org           Yahoo!: yscrappy              ICQ: 7615664