Re: Attempt on smtpd / faking remote ip
Hi Andreas,
thanks a lot for your hints.
At 12:54 Uhr +0200 04.04.2004, Andreas John wrote:
It looks like your friend is trying to inject pakets into your smtp with
faked (spoofed) ips. In this particular case he sends as "localhost". I guess
...
more likely that he tries to overflow postfix (unprobable) or procmail (suid
root? postfix in chroot?) or your viruskiller or or or .....
It's very likely that you are right with this. Of course, postfix is in chroot.
Another possibility is that you have an http-server with a "formmail" in this
boxen. Mail via this from come from localhost. It's an usual manner from
spammers to exploit self-written mailforms by putting new header lines (To and
CC) into to subject line of the form. (I had a case where they even put
I know this kind of attack - but it's not that easy on the server in
question: there is no standard "formmail.pl" or something like this.
I believe that my PHP based contact (done myself) form is quite
secure (there's no subject field or variable, all input is escaped
and so on).
I don't want to spread fear, so
1.) Boot superrescue, knoppix or so
2.) Run chkrootkit (deb package is mostly a little old)
3.) If you run chkrotokit on Debian, chkrootkit reports one false positive!
It'll be done!
Thanks again and have a good day!
Andreas
--
procommerz - Internet fuer Unternehmen
http://www.procommerz.de | 033925-90710
Stoppt TCPA, das Zensursystem von Microsoft! | http://www.againsttcpa.com
Reply to: