
Re: Attempt on smtpd / faking remote ip

Hi Andreas,

thanks a lot for your hints.

At 12:54 +0200 on 04.04.2004, Andreas John wrote:
> It looks like your friend is trying to inject packets into your smtp with
> faked (spoofed) IPs. In this particular case he sends as "localhost". I guess
> more likely that he tries to overflow postfix (improbable) or procmail (suid
> root? postfix in chroot?) or your viruskiller or or or .....

It's very likely that you are right about this. Of course, postfix is in chroot.

> Another possibility is that you have an http-server with a "formmail" on this
> box. Mail sent via this form comes from localhost. It's a usual manner for
> spammers to exploit self-written mailforms by putting new header lines (To and
> CC) into the subject line of the form. (I had a case where they even put

I know this kind of attack, but it's not that easy on the server in question: there is no standard "formmail.pl" or anything like it. I believe that my PHP-based contact form (written myself) is quite secure (there's no subject field or variable, all input is escaped, and so on).

> I don't want to spread fear, so
> 1.) Boot superrescue, knoppix or so
> 2.) Run chkrootkit (deb package is mostly a little old)
> 3.) If you run chkrootkit on Debian, chkrootkit reports one false positive!

It'll be done!

Thanks again and have a good day!

procommerz - Internet for companies
http://www.procommerz.de | 033925-90710

Stop TCPA, Microsoft's censorship system! | http://www.againsttcpa.com
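The header-injection trick Andreas describes (extra "To:"/"Cc:" lines smuggled into a form field) is easy to check for. This is an added example, not the poster's own form; the field names email, subject and message and the recipient address are assumptions.

```php
<?php
// Added example: reject CR/LF header injection in a contact form before the
// data reaches mail(). Field names ($_POST['email'] etc.) are assumed.

/**
 * Return the trimmed value if it contains no line break, otherwise null.
 * A CR or LF inside a user-supplied header value lets the sender append
 * further header lines (To, Cc, Bcc) to the outgoing message.
 */
function safe_header_value(string $value): ?string
{
    if (preg_match('/[\r\n]/', $value)) {
        return null;
    }
    return trim($value);
}

/** Build the arguments for mail(), or return null if the request is tainted. */
function build_contact_mail(array $post, string $recipient): ?array
{
    $from    = safe_header_value((string)($post['email'] ?? ''));
    $subject = safe_header_value((string)($post['subject'] ?? ''));
    if ($from === null || $subject === null) {
        return null;                       // header injection attempt: drop it
    }
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return null;                       // not a plain address, refuse as well
    }
    // The body is not part of the headers, so line breaks are fine there;
    // normalise them so the message is well-formed.
    $body = str_replace(["\r\n", "\r"], "\n", (string)($post['message'] ?? ''));
    return [
        'to'      => $recipient,
        'subject' => $subject,
        'body'    => $body,
        'headers' => "From: $from\r\nReply-To: $from",
    ];
}

// Constructed samples: one clean request, one with a smuggled Bcc header.
$clean = ['email' => 'someone@example.org', 'subject' => 'Hello', 'message' => "Hi\r\nthere"];
$attack = ['email' => 'someone@example.org',
           'subject' => "Hello\r\nBcc: victim@example.net", 'message' => 'spam'];

$ok = build_contact_mail($clean, 'contact@example.org');   // array, safe to mail()
$bad = build_contact_mail($attack, 'contact@example.org'); // null, request rejected
if ($ok !== null) {
    mail($ok['to'], $ok['subject'], $ok['body'], $ok['headers']);
}
```

Rejecting rather than stripping the offending characters also gives you a clean log line to alert on when such a request arrives.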
