Re: [slug] [SLUG] Open mail relay?

From: herrold (herrold@owlriver.com)
Date: Tue Jun 05 2001 - 13:43:12 EDT


On Tue, 5 Jun 2001, Aharon wrote:

> Another thing I have noticed is that all the bounced messages are going to
> nobody@superfreeway.com ... The only processes which run as nobody is
> httpd. But, this may be standard if sendmail has no idea where to send
> the bounce message.

Dollars to doughnuts, you or one of your users is running the Matt
Script Archive formmail ... there is a script vulnerability which
allows you to be used as a relay -- and then the RBL got you.

There is a domain check, and if the referred variable is NULL, it
ALLOWS the post -- so the script needs to have that path removed. I
had the misfortune of discovering that an end user had installed the
script (unsafely), and opened a host at a site I admin
professionally.

-- Russ

------------------

That host is also offering an awful lot of services. Is that
intentional?

[herrold@swampfox herrold]$ nmap mail.superfreeway.com

Starting nmap V. 2.3BETA10 by Fyodor (fyodor@dhp.com,
www.insecure.org/nmap/)
Interesting ports on (63.140.74.37):
(Ports scanned but not shown below are in state: filtered)
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
43 unfiltered tcp whois
53 open tcp domain
80 open tcp http
110 open tcp pop-3
113 open tcp auth
143 unfiltered tcp imap2
443 unfiltered tcp https
6666 unfiltered tcp irc-serv
6667 unfiltered tcp irc
6668 unfiltered tcp irc
7000 unfiltered tcp afs3-fileserver

Nmap run completed -- 1 IP address (1 host up) scanned in 313 seconds
[herrold@swampfox herrold]$ telnet mail.superfreeway.com ftp
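The fail-open domain check Russ describes above, shown as an added example (this is not the FormMail source and not code from the post; the domain names and sample requests are constructed): the flawed pattern accepts a post whenever the Referer is absent, while the hardened pattern denies any request whose Referer is missing, empty, or not on the site's own list.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the site's own hostnames (assumption, not the poster's site).
ALLOWED_DOMAINS = {"example.com", "www.example.com"}


def referer_host(referer):
    """Return the lowercase hostname from a Referer value, or '' if absent or unparseable."""
    if not referer:
        return ""
    try:
        return (urlsplit(referer).hostname or "").lower()
    except ValueError:  # malformed URL (e.g. bad IPv6 literal)
        return ""


def referer_allowed_fail_open(referer, allowed=ALLOWED_DOMAINS):
    """The flawed pattern: a NULL/empty Referer is treated as permitted,
    so a client that simply omits the header passes the domain check."""
    if not referer:  # the "NULL referer -> ALLOW" path the post describes
        return True
    return referer_host(referer) in allowed


def referer_allowed_fail_closed(referer, allowed=ALLOWED_DOMAINS):
    """Hardened pattern: missing, empty, malformed or foreign Referer is denied.
    Referer is client-supplied, so this check is only one layer; the mailer
    should also restrict recipients to a fixed server-side list."""
    host = referer_host(referer)
    return bool(host) and host in allowed


def check_requests(requests, policy):
    """Apply a policy to (description, referer) pairs -> list of (description, allowed)."""
    return [(desc, policy(ref)) for desc, ref in requests]


# Constructed sample requests: a post from the site itself, one from a foreign
# page, and one with no Referer header at all (the relay case in the post).
SAMPLE_REQUESTS = [
    ("own site", "http://www.example.com/contact.html"),
    ("foreign site", "http://other.example.net/page.html"),
    ("no referer", None),
]

if __name__ == "__main__":
    for name, policy in (("fail-open", referer_allowed_fail_open),
                         ("fail-closed", referer_allowed_fail_closed)):
        print(name, check_requests(SAMPLE_REQUESTS, policy))
```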



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:56:28 EDT