
RE: [cobalt-security] /etc/mail/access file being ignored



Turns out our sendmail binary had been compromised.  It was ignoring the access file and pop-before-relay requirements.  A reinstall fixed the symptoms, but we're still looking to determine what happened.
 
Plus a kudos to RaQ Aid who assisted us.
 
-keith
 
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx] On Behalf Of Brian Rahill
Sent: Wednesday, January 14, 2004 2:31 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] /etc/mail/access file being ignored

At 03:05 PM 1/14/2004, you wrote:
One interesting note, when they would connect to our sendmail it would see their IP, but they were identifying themselves with a server name that was our IP address.  Still not sure how they were pulling off the relay, as their IP was not in popip.db.  Doesn't poprelayd only look at /var/log/maillog?

Do you have any old formmail scripts on the server? Or any scripts based on formmail (such as yform)?

Brian