Re: Attempt on smtpd / faking remote ip

[Andreas Vent-Schmidt <a.vent@procommerz.de>]

Hi Andreas,

thanks a lot for your hints.

At 12:54 Uhr +0200 04.04.2004, Andreas John wrote:
> It looks like your friend is trying to inject pakets into your smtp with
> faked (spoofed) ips. In this particular case he sends as "localhost". I guess
> ...
> more likely that he tries to overflow postfix (unprobable) or procmail (suid
> root? postfix in chroot?) or your viruskiller or or or .....

It's very likely that you are right with this. Of course, postfix is in chroot.

> Another possibility is that you have an http-server with a "formmail" in this
> boxen. Mail via this from come from localhost. It's an usual manner from
> spammers to exploit self-written mailforms by putting new header lines (To and
> CC) into to subject line of the form. (I had a case where they even put

I know this kind of attack - but it's not that easy on the server in 
question: there is no standard "formmail.pl" or something like this. 
I believe that my PHP based contact (done myself) form is quite 
secure (there's no subject field or variable, all input is escaped 
and so on).

> I don't want to spread fear, so
> 1.) Boot superrescue, knoppix or so
> 2.) Run chkrootkit (deb package is mostly a little old)
> 3.) If you run chkrotokit on Debian, chkrootkit reports one false positive!

It'll be done!

Thanks again and have a good day!
Andreas

--
procommerz - Internet fuer Unternehmen
http://www.procommerz.de | 033925-90710

Stoppt TCPA, das Zensursystem von Microsoft! | http://www.againsttcpa.com