Re: your mail

First of all, it does seem reasonable that it's a web based piece of sw
that did/does it because there are several references to
www(at)svr2(dot)postgresql(dot)org in the Return-Path of the mails.

On svr2, there are some mail-sending forms on the actual wwwmaster site,
but AFAICT they all go to fixed addresses, and take user input only for
contents.
I have no idea wrt techdocs. There were also several other sites running
it prior to the clenaup we did after someone broke into it earlier.

As for that breakin, we discovered those processes on Nov 21st. But I
see at least one mail from Dec 5th in the list Gavin sent, so it's
clearly not that easy.

Looking through some logs, it's very clear that this message was picked
up locally and not relayed:
maillog.5:Dec 5 23:12:48 svr2 postfix/pickup[33303]: 86C0EF276A: uid=80
from=<w
ww>
maillog.5:Dec 5 23:12:48 svr2 postfix/cleanup[33095]: 86C0EF276A:
message-id=<2
0051205231248(dot)86C0EF276A(at)svr2(dot)postgresql(dot)org>
maillog.5:Dec 5 23:12:48 svr2 postfix/qmgr[4148]: 86C0EF276A:
from=<www(at)svr2(dot)po
stgresql.org>, size=3034, nrcpt=1 (queue active)

(this is the mail at the very bottom of Gavins list)

After this, it kept timing out for days before being delivered on Dec
8th.

Unfortunatly, all our websites run with the same userid, including
zope...

//Magnus

> -----Original Message-----
> From: Marc G. Fournier [mailto:scrappy(at)postgresql(dot)org]
> Sent: Sunday, December 11, 2005 9:15 AM
> To: Gavin M. Roy
> Cc: Marc G. Fournier; pgsql-www(at)postgresql(dot)org; Josh Berkus;
> Magnus Hagander; Dave Page
> Subject: Re: your mail
>
> On Sat, 10 Dec 2005, Gavin M. Roy wrote:
>
> > My next guess would be some sort of web based software that
> is being
> > exploited to send mail. Zope perhaps? What sites are
> running off of
> > srv2 and have any type of comment form that sends emails?
>
> Ah, okay ... that I'll have to defer to Dave et al ... Zope
> is running over there for techdocs, and there was that python
> script that we just recently found ... I'm having a bugger of
> a time reading the email(s) you sent, since I can't seem to
> find where one ends and the next starts ...
> the ones I've been able to 'pick out' all seem to revolve
> around the 1st/2nd of December ... Magnus/Dave, was that
> about the same time that we found those errant processes?
>
>
> >
> > Gavin
> >
> > On Dec 10, 2005, at 11:36 PM, Marc G. Fournier wrote:
> >
> >>
> >> First I've seen of this, sorry it was overlooked ...
> >>
> >> But, borg isn't an open relay:
> >>
> >> %rlytest -f scrappy(at)postgresql(dot)org -u scrappy(at)hub(dot)org
> >> borg.postgresql.org Connecting to borg.postgresql.org ...
> >> <<< 220 borg.postgresql.org ESMTP Sendmail 8.13.1/8.13.1;
> Sat, 10 Dec
> >> 2005
> >> 23:31:26 -0800 (PST)
> >>>>> HELO postgresql.org
> >> <<< 250 borg.postgresql.org Hello postgresql.org [200.46.204.71],
> >> pleased to meet you
> >>>>> MAIL FROM:<scrappy(at)postgresql(dot)org>
> >> <<< 250 2.1.0 <scrappy(at)postgresql(dot)org>... Sender ok
> >>>>> RCPT TO:<scrappy(at)hub(dot)org>
> >> <<< 550 5.7.1 <scrappy(at)hub(dot)org>... Relaying denied
> >> rlytest: relay rejected - final response code 550
> >>
> >>
> >> And I just checked svr2.postgresql.org, and she's closed
> from what I
> >> can tell also:
> >>
> >> # telnet svr2.postgresql.org smtp
> >> Trying 65.19.161.25...
> >> Connected to svr2.postgresql.org.
> >> Escape character is '^]'.
> >> 220 svr2.postgresql.org ESMTP Postfix ehlo hub.org
> >> 250-svr2.postgresql.org 250-PIPELINING 250-SIZE 10240000 250-VRFY
> >> 250-ETRN 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 250
> 8BITMIME mail
> >> from: scrappy(at)hub(dot)org 250 Ok rcpt to: scrappy(at)freebsd(dot)org
> >> 554 <scrappy(at)freebsd(dot)org>: Relay access denied
> >>
> >>
> >> Is there something else I should be testing/checking for?
> >>
> >>
> >>
> >
>
> ----
> Marc G. Fournier Hub.Org Networking Services
> (http://www.hub.org)
> Email: scrappy(at)hub(dot)org Yahoo!: yscrappy
> ICQ: 7615664
>