
Re: Strange problem with mail...



Resending to correct address this time - list sender gets me every damn time.

Stephen Gran said at 27/08/04 02:53:

> This one time, at band camp, Jan Luehr said:
>
>> Greetings,...
>>
>> On Thursday, 26 August 2004 22:18, Thomas Sjögren wrote:
>>
>>> On Thu, Aug 26, 2004 at 09:44:51PM +0200, Jan Luehr wrote:
>>>
>>>> Greetings,....
>>>>
>>>> On Thursday, 26 August 2004 19:32, UnKnown wrote:
>>>>
>>>>> Hi ppl, first I want to state that this is my first mail to this list,
>>>>> if by any chance this is not the right list to do so plz point me to
>>>>> the correct one.
>>>>> Last Sunday the mail server started kicking processes, actually it made such
>>>>> a mess that it threw all daemons down. When I checked the console this
>>>>> message was the only thing left:
>>>>> __alloc_pages: '-order allocation failed (gfp=0x....)
>>>>
>>>>
>>>> Ok. This looks like an exploit.
>>>> Which kernel do you use?
>>>> 2.4.26 is certainly not Woody-standard.
>>>> Are you able to find any binary causing these kind of messages?
>>>
>>>
>>> Sure it isn't the memory or filesystem?
>>> Some info:
>>> http://www.ussg.iu.edu/hypermail/linux/kernel/0404.2/1680.html
>>> http://mirror.hamakor.org.il/archives/linux-il/01-2004/8144.html
>>> http://lists.suse.com/archive/suse-linux-e/2003-Jul/1178.html
>>
>>
>> You may be right. I thought ReiserFS bugs like that were relics from the dark age of 2.4...
>> However - failed memory allocation can also be a symptom of an exploit trying to access memory it shouldn't ,)
>
>
> In this case, though, I think spamassassin was sparking OOM problems
> scanning an oversized email header block.  How exim wrote all those
> headers is another question, though - it shouldn't be doing that,
> I wouldn't think.


I've seen similar headers from exim (woody) where a bounce was trying to be delivered where the MX records pointed to 0.0.0.0 or something similar (don't recall exactly). Setting "ignore_target_hosts = 127.0.0.0/8 : 0.0.0.0/8" helped in that case, though having had a quick look, it doesn't seem to be the case here.

I do suspect some similar loop though.

Ronny
--
Technical Director
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
w: www.amazinginternet.com


