From: Brett Schroeder (no email)
Date: Sat May 21 2005 - 09:43:20 EDT
Robin Lynn Frank wrote:
>On Sun, 2005-05-15 at 21:34, /dev/rob0 wrote:
>
>
>>On Sunday 15 May 2005 11:44, Kevin Pang wrote:
>>
>>
>>>"Robin Lynn Frank" wrote:
>>>
>>>
>>>>There is a known exploit of all but the most recent Awstats that
>>>>can produce exactly this type of problem. There was a thread on
>>>>this list several months ago. Check the archives.
>>>>
>>>>
>>>Unfortunately I can't find any threads related to an Awstats exploit.
>>>I didn't know Awstats could also be used as a mail log analyzer; I use it
>>>for apache logs only.
>>>
>>>
>>And your spammer used it to send out some spew! Why are you thinking
>>that what YOU use awstats for would somehow make you safe from ...
>>
>>A Known Exploit of Awstats.
>>
>>You have been had. Take your HTTPD down right away. It's possible that
>>your spammer has shell access too ... and once there, root is usually
>>not far away.
>>
>>A friend of mine had awstats exploited just like this. Check it
>>COMPLETELY before you allow it on the Internet. It's possible (and not
>>unlikely) that you were not 0wn3d by this creature, but act on the
>>worst case assumption until proven otherwise.
>>
>>First things first! Stop your spew. Later, try to figure out what
>>happened ... but I assure you ... it was awstats!
>>
>>
>
>Unfortunately, there are many folks who set up servers and assume that
>if it is doing what they want, all is well. They never realize that it
>may be doing things they didn't want.
>
>The OP had a postfix configuration that imposed no access/relay
>restrictions and included a /24 in mynetworks that he did not own (I'm
>assuming this). Postfix sent and received mail. His web server handled
>his forums. He thought all was well.
>
>
From the OP's main.cf (the OP is running a small personal site):
mynetworks = 84.135.112.0/24, 127.0.0.0/8
This address block falls within a large block owned by Deutsche Telekom:
inetnum: 84.128.0.0 - 84.135.255.255
descr: Deutsche Telekom AG
An open relay within Deutsche Telekom's DHCP address block?
>From my standpoint, the really scary part was that his ISP knew
>something was wrong before he did. IIRC, his config showed no
>readme_directory or html_directory. Glad to know folks are installing
>servers without documentation. :-(
>
>
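As an added example (not part of this thread), here is a small Python check that reads the mynetworks line quoted above and flags every entry that is not loopback and not inside address space the operator owns; the "owned" prefix used here is a constructed placeholder.

```python
"""Audit Postfix 'mynetworks' for relay exposure (added example, not from
the thread).  Flags any non-loopback mynetworks entry that is not inside
address space the operator owns.  The mynetworks value is the OP's; the
owned prefix is a constructed sample."""
import ipaddress
import re

# Constructed main.cf fragment; the mynetworks line is the one the OP posted.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.invalid
mynetworks = 84.135.112.0/24, 127.0.0.0/8
inet_interfaces = all
"""

# Constructed: this operator controls only the mail host's own static
# address (RFC 5737 documentation range).
OWNED_PREFIXES = ["192.0.2.25/32"]


def parse_mynetworks(main_cf: str) -> list:
    """Return mynetworks entries as ip_network objects (comma/space separated).
    Postfix writes IPv6 as [::1]/128, so brackets are stripped; lookup tables
    such as hash:/etc/postfix/networks are skipped, not expanded."""
    match = re.search(r"^\s*mynetworks\s*=\s*(.*)$", main_cf, re.MULTILINE)
    if not match:
        return []
    nets = []
    for tok in re.split(r"[,\s]+", match.group(1).strip()):
        if not tok or re.match(r"^[a-z]+:/", tok):
            continue
        nets.append(ipaddress.ip_network(tok.replace("[", "").replace("]", ""),
                                         strict=False))
    return nets


def audit_mynetworks(main_cf: str, owned_prefixes: list) -> list:
    """Return entries that let hosts you do not own relay through this server.
    Loopback is fine; anything else must sit fully inside an owned prefix,
    otherwise every host in that range is trusted as a relay client."""
    owned = [ipaddress.ip_network(p) for p in owned_prefixes]
    findings = []
    for net in parse_mynetworks(main_cf):
        if net.is_loopback:
            continue
        if not any(net.subnet_of(o) for o in owned if o.version == net.version):
            findings.append(f"{net} ({net.num_addresses} hosts) not in owned space")
    return findings


if __name__ == "__main__":
    for finding in audit_mynetworks(SAMPLE_MAIN_CF, OWNED_PREFIXES):
        print("RELAY RISK:", finding)
```

Run against the OP's line it reports the whole Deutsche Telekom /24 as relay-capable; with the /24 replaced by the host's own static address the report is empty.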