Re: your mail

From: "Magnus Hagander" <mha(at)sollentuna(dot)net>
To: "Tommy Gildseth" <gildseth(at)start(dot)no>, <pgsql-www(at)postgresql(dot)org>
Cc: "Josh Berkus" <josh(at)agliodbs(dot)com>, "Dave Page" <dpage(at)vale-housing(dot)co(dot)uk>
Subject: Re: your mail
Date: 2005-12-11 13:45:33
Message-ID: 6BCB9D8A16AC4241919521715F4D8BCE92E90F@algol.sollentuna.se
Lists: pgsql-www

Yes. But they're not, because of the horrible performance of any I/O
operation in a unionfs VM...

//Magnus

> -----Original Message-----
>
> If you know the local pickup time, you could always try
> grepping through the apache access logs for POST-requests
> around those times, i.e. Dec 5 at 23:12.
> That is, of course, if the access logs are kept.
>
> --
> Tommy
>
> Magnus Hagander wrote:
> > First of all, it does seem reasonable that it's a web based piece of
> > sw that did/does it because there are several references to
> > www(at)svr2(dot)postgresql(dot)org in the Return-Path of the mails.
> >
> > On svr2, there are some mail-sending forms on the actual wwwmaster
> > site, but AFAICT they all go to fixed addresses, and take user input
> > only for contents.
> > I have no idea wrt techdocs. There were also several other sites
> > running it prior to the cleanup we did after someone broke into it
> > earlier.
> >
> > As for that breakin, we discovered those processes on Nov 21st. But I
> > see at least one mail from Dec 5th in the list Gavin sent, so it's
> > clearly not that easy.
> >
> > Looking through some logs, it's very clear that this message was
> > picked up locally and not relayed:
> > maillog.5:Dec 5 23:12:48 svr2 postfix/pickup[33303]: 86C0EF276A: uid=80 from=<www>
> > maillog.5:Dec 5 23:12:48 svr2 postfix/cleanup[33095]: 86C0EF276A: message-id=<20051205231248(dot)86C0EF276A(at)svr2(dot)postgresql(dot)org>
> > maillog.5:Dec 5 23:12:48 svr2 postfix/qmgr[4148]: 86C0EF276A: from=<www(at)svr2(dot)postgresql.org>, size=3034, nrcpt=1 (queue active)
> >
> > (this is the mail at the very bottom of Gavin's list)
> >
> > After this, it kept timing out for days before being delivered on Dec
> > 8th.
> >
> >
> >
> > Unfortunately, all our websites run with the same userid, including
> > zope...
> >
> > //Magnus
> >
> >
> >
> >>-----Original Message-----
> >>From: Marc G. Fournier [mailto:scrappy(at)postgresql(dot)org]
> >>Sent: Sunday, December 11, 2005 9:15 AM
> >>To: Gavin M. Roy
> >>Cc: Marc G. Fournier; pgsql-www(at)postgresql(dot)org; Josh Berkus; Magnus
> >>Hagander; Dave Page
> >>Subject: Re: your mail
> >>
> >>On Sat, 10 Dec 2005, Gavin M. Roy wrote:
> >>
> >>
> >>>My next guess would be some sort of web based software that is being
> >>>exploited to send mail. Zope perhaps? What sites are running off of
> >>>srv2 and have any type of comment form that sends emails?
> >>
> >>Ah, okay ... that I'll have to defer to Dave et al ... Zope is running
> >>over there for techdocs, and there was that python script that we just
> >>recently found ... I'm having a bugger of a time reading the email(s)
> >>you sent, since I can't seem to find where one ends and the next
> >>starts ...
> >>the ones I've been able to 'pick out' all seem to revolve around the
> >>1st/2nd of December ... Magnus/Dave, was that about the same time that
> >>we found those errant processes?
> >>
> >>
> >> >
> >>
> >>>Gavin
> >>>
> >>>On Dec 10, 2005, at 11:36 PM, Marc G. Fournier wrote:
> >>>
> >>>
> >>>>First I've seen of this, sorry it was overlooked ...
> >>>>
> >>>>But, borg isn't an open relay:
> >>>>
> >>>>%rlytest -f scrappy(at)postgresql(dot)org -u scrappy(at)hub(dot)org borg.postgresql.org
> >>>>Connecting to borg.postgresql.org ...
> >>>><<< 220 borg.postgresql.org ESMTP Sendmail 8.13.1/8.13.1; Sat, 10 Dec 2005 23:31:26 -0800 (PST)
> >>>>
> >>>>>>>HELO postgresql.org
> >>>>
> >>>><<< 250 borg.postgresql.org Hello postgresql.org [200.46.204.71],
> >>>>pleased to meet you
> >>>>
> >>>>>>>MAIL FROM:<scrappy(at)postgresql(dot)org>
> >>>>
> >>>><<< 250 2.1.0 <scrappy(at)postgresql(dot)org>... Sender ok
> >>>>
> >>>>>>>RCPT TO:<scrappy(at)hub(dot)org>
> >>>>
> >>>><<< 550 5.7.1 <scrappy(at)hub(dot)org>... Relaying denied
> >>>>rlytest: relay rejected - final response code 550
> >>>>
> >>>>
> >>>>And I just checked svr2.postgresql.org, and she's closed from what I
> >>>>can tell also:
> >>>>
> >>>># telnet svr2.postgresql.org smtp
> >>>>Trying 65.19.161.25...
> >>>>Connected to svr2.postgresql.org.
> >>>>Escape character is '^]'.
> >>>>220 svr2.postgresql.org ESMTP Postfix
> >>>>ehlo hub.org
> >>>>250-svr2.postgresql.org
> >>>>250-PIPELINING
> >>>>250-SIZE 10240000
> >>>>250-VRFY
> >>>>250-ETRN
> >>>>250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
> >>>>250 8BITMIME
> >>>>mail from: scrappy(at)hub(dot)org
> >>>>250 Ok
> >>>>rcpt to: scrappy(at)freebsd(dot)org
> >>>>554 <scrappy(at)freebsd(dot)org>: Relay access denied
> >>>>
> >>>>
> >>>>Is there something else I should be testing/checking for?
> >>>>
> >>>>
> >>>>
> >>>
> >>----
> >>Marc G. Fournier Hub.Org Networking Services
> >>(http://www.hub.org)
> >>Email: scrappy(at)hub(dot)org Yahoo!: yscrappy
> >> ICQ: 7615664
> >>
> >
> >
>
>
