[cobalt-security] Relay Mail Issue



I have had an odd relay hack on one of our RaQ2s which Cobalt Europe hadn't
seen before and didn't know what caused it.

Incident:
We received several emails daily from one of our RaQ2s saying that it was
"out of memory", the "CPU was overloaded" & the "mail server had stopped",
but when we logged in all was well and the system was running with very low
resource usage.

We occasionally receive automated emails like this when the system is backing
up via FTP and under load. However, these emails we received at odd times
(not around the backup time).

After a couple of days of getting these the guys informed me, so I took a
look and found PROCMAIL running dozens of small processes.

(PROCMAIL is the program that forwards/relays the mail on Cobalt machines.)

The PROCMAIL appeared to be initiated by a user on the system. However, the
user doesn't have email forwarding & his POP account mailbox was empty.

I attempted to kill several of the processes and they continued to spawn
child ones. Using the PS AX command, the emails were being sent to accounts like
anon@xxxxxxxxxxxxxxxxxxxxxxxxxxx, in an attempt to spam through our server.

We contacted the client to confirm that he wasn't doing anything that he
shouldn't; we shut down procmail and changed the ROOT password and the USER's
password.

The issue stopped.

However, Cobalt Euro (ALEX) witnessed this and could give no explanation as
to where the weakness was.
We checked the Relay IP/Domains and tightened these settings.
But the issue that concerned us the most was that the PROCMAIL appeared to
be using a valid USERNAME from the RaQ.

Has the machine been compromised?????? Cos Cobalt sure can't tell!!!!

Anyone got any ideas???????????


Server:
RaQ2 MIPS250 with Secure Patch3 installed and POP before SMTP

Information:
The user account in question does not have shell access
Had never FTP'd into the site
The only logon is via POP
His SMTP is handled via his own ISP
He has no mailing lists (majordomo) running
He has no CGI scripts running
He does not have mail forwarding enabled
No FrontPage Extensions
No Server Side Includes
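A small triage helper, added here as an example and not part of the original post or of the RaQ software: it parses `ps aux`-style output (the user column is assumed, since `ps ax` alone does not show it), counts procmail processes per account and lists the recipient addresses visible on their command lines, so a burst like the one described above stands out by username. The process listing, usernames and addresses below are constructed.

```python
import re
from collections import Counter

# Constructed sample in `ps aux` layout; nothing here is taken from a real host.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   412  212 ?        S    Jan01   0:02 init
root       213  0.0  0.3  1124  560 ?        S    Jan01   0:00 sendmail: accepting connections
bob       4410  0.1  0.4  1216  744 ?        S    14:02   0:00 procmail -f anon@example.invalid
bob       4411  0.1  0.4  1216  744 ?        S    14:02   0:00 procmail -f anon@example.invalid
bob       4412  0.0  0.4  1216  744 ?        S    14:02   0:00 procmail -f sales@example.invalid
bob       4413  0.0  0.4  1216  744 ?        S    14:03   0:00 procmail -f anon@example.invalid
alice     4420  0.0  0.4  1216  744 ?        S    14:03   0:00 procmail -Y -a alice -d alice
"""

# USER, PID, then eight fixed columns (%CPU %MEM VSZ RSS TTY STAT START TIME), then COMMAND.
PS_LINE = re.compile(r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?:\S+\s+){8}(?P<cmd>.*)$")
ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def parse_ps(text):
    """Return (user, pid, command) tuples from `ps aux` output, skipping the header."""
    procs = []
    for line in text.splitlines()[1:]:
        m = PS_LINE.match(line)
        if m:
            procs.append((m["user"], int(m["pid"]), m["cmd"]))
    return procs


def procmail_counts(procs):
    """Count processes whose executable is procmail, keyed by the owning user."""
    return Counter(u for u, _, cmd in procs if cmd.split()[0].endswith("procmail"))


def flag_users(procs, threshold=3):
    """Users with at least `threshold` procmail processes, with the addresses on their command lines."""
    flagged = {}
    for user, n in procmail_counts(procs).items():
        if n >= threshold:
            addrs = sorted({a for u, _, cmd in procs if u == user for a in ADDR.findall(cmd)})
            flagged[user] = (n, addrs)
    return flagged


if __name__ == "__main__":
    for user, (n, addrs) in flag_users(parse_ps(SAMPLE_PS)).items():
        print(f"{user}: {n} procmail processes, recipients seen: {', '.join(addrs)}")
```

On a live box, feed it `ps aux` output and compare the flagged users against who actually has forwarding or .procmailrc files; an account with many procmail children and no legitimate reason for them is the one to investigate first.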