| From: | "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org> |
|---|---|
| To: | "Gavin M(dot) Roy" <gmr(at)ehpg(dot)net> |
| Cc: | Magnus Hagander <mha(at)sollentuna(dot)net>, pgsql-www(at)postgresql(dot)org, "Marc G(dot) Fournier" <scrappy(at)postgresql(dot)org> |
| Subject: | Re: postfix on wwwmaster.postgresql.org is shut down |
| Date: | 2005-12-16 23:04:29 |
| Message-ID: | 20051216190356.D1087@ganymede.hub.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-www |
Just doubled checked, and it isn't *our* server there ... was getting a
bit worried that somehow someone was spam'ng through the bt server or
something *wipe brow*
On Fri, 16 Dec 2005, Gavin M. Roy wrote:
> Thanks, I'll send an abuse complaint to ev1, like they'll do anything.
>
> Regards,
>
> Gavin
>
> On Dec 16, 2005, at 12:48 PM, Magnus Hagander wrote:
>
>>> There are 23k messages in the queue right now that have been
>>> 'received from localhost' by user www(at)svr2(dot)postgresql(dot)org ...
>>> someone is making use of a 'hole' in one of our CGIs, but I
>>> can't seem to figure out which one, so have let Dave/Magnus
>>> know and hopefully they can figure out which one ...
>>>
>>> Until we've found and plugged the hole, postfix is down ...
>>> if someone reports a problem with sending an email, please
>>> let us know ...
>>
>>
>> Problem identified.
>>
>> There was a horribly old and outdated version of awstats.pl on the
>> system, that was for some reason linked in and possible to use without
>> any authentication or anything. There are known security issues in it,
>> and adding logging everywhere showed that that's what was exploited
>> using the srv2.postgresql.org virtual server (which isn't even in used).
>>
>> I've disabled it in apache and removed the files from the server as
>> well.
>>
>> Yet another example of why it's overdue that we're doing something about
>> all the stuff that's installed and active, but not actually used :-( But
>> as that is work in progress now, I'll just wait for that to get done :-)
>>
>> I've re-enabled postfix after deleting all the spam in the queue.
>>
>> If someone wants to pursue it (Gavin?), the hits came in from
>> 66.98.214.41, which is on ev1servers.net. There are still log files
>> available showing four requests to it that coincided perfectly with spam
>> mail entering the queue.
>>
>> //Magnus
>
> Gavin M. Roy
> 800 Pound Gorilla
> gmr(at)ehpg(dot)net
>
>
----
Marc G. Fournier Hub.Org Networking Services (http://www.hub.org)
Email: scrappy(at)hub(dot)org Yahoo!: yscrappy ICQ: 7615664
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jim C. Nasby | 2005-12-17 00:52:54 | Re: bt.postgresql.org update report |
| Previous Message | Gavin M. Roy | 2005-12-16 22:30:42 | Re: postfix on wwwmaster.postgresql.org is shut down ... |