RE: [exim] Re: [exim-dev] buffer overflow?

Author: Eli
Date:  
To: 'Mark Morley', exim-users
CC: 
Subject: RE: [exim] Re: [exim-dev] buffer overflow?
Mark wrote:
> For example (wrapped and truncated):
>
> 2005-03-12 02:14:20 SMTP protocol violation: synchronization
> error (input sent without waiting for greeting): rejected
> connection from H=[218.109.116.199] input="# $FreeBSD:
> src/etc/group,v 1.19.2.3 2002/06/30
> 17:57:17 des Exp $\n#\nwheel:*:0:root,admin\ndaemon:*:1:daemon\n.....
>
> I see maybe 25 of these a day. Always related to a sync
> error, usually from different IPs, always the group file
> never anything else, and on multiple machines. Only started
> with 4.50 and I've absolutely no doubt that this is NOT the
> result of a cracked server.
I haven't read all the replies to this thread past this one, but here's a
stab in the dark...

I have a feeling Exim is just fine, and instead what you are all seeing is
the result of a recent series of server hacks? A hack is e-mailing someone
else's passwd and group files to servers and it does it by simply catting the
file as input, thus generating a sync error.

Can you verify this *is* your group file you're seeing? Put a unique ID at
the top line and see if you get that from now on in your log files? Or,
maybe even worse, your own system is compromised somehow (there's the phpBB
hack recently, and slightly newer is the hack for AWStats) and they're
catting your own files to your own system? The group and passwd files are
readable by all users - here's to hoping you all use shadow password files!

Eli.
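The check Eli suggests (is the leaked input actually *your* group file?) can be automated against the Exim log. The script below is an added example written for this archive page; it is not code from the thread or from the Exim project. It parses "synchronization error" rejection lines of the exact shape quoted above, undoes Exim's `\n` / `\r` escaping of the rejected input, flags inputs that have the `name:password:gid:members` shape of `/etc/group`, and then compares the first line of the leaked data with the first line of the local group file. The log lines and both local group-file variants are constructed samples (the `218.109.116.199` host and the FreeBSD header are taken from the quoted log; the `192.0.2.x` hosts are documentation addresses), and the "marker" comment is the unique ID the mail proposes.

```python
import re

# Exim "synchronization error" rejection line, as quoted in the thread.
SYNC_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) '
    r'SMTP protocol violation: synchronization error \((?P<reason>[^)]*)\): '
    r'rejected connection from H=\[(?P<ip>[^\]]+)\] input="(?P<input>.*)"$'
)

# One entry of /etc/group: name:password:gid:member,member
GROUP_LINE_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_-]*:[^:]*:\d+:[^:]*$')

_ESCAPES = {r'\n': '\n', r'\r': '\r', r'\t': '\t', r'\\': '\\'}


def unescape_exim(s: str) -> str:
    """Undo the printable escaping Exim applies to rejected input in its log."""
    return re.sub(r'\\[nrt\\]', lambda m: _ESCAPES[m.group(0)], s)


def parse_sync_errors(log_text: str) -> list:
    """Return one dict (ts, reason, ip, input) per synchronization-error line."""
    events = []
    for line in log_text.splitlines():
        m = SYNC_RE.match(line)
        if m:
            ev = m.groupdict()
            ev['input'] = unescape_exim(ev['input'])
            events.append(ev)
    return events


def looks_like_group_file(text: str) -> bool:
    """True when at least two non-comment lines have the /etc/group entry shape."""
    lines = [l for l in text.splitlines() if l and not l.startswith('#')]
    return sum(1 for l in lines if GROUP_LINE_RE.match(l)) >= 2


def first_line(text: str) -> str:
    for l in text.splitlines():
        if l.strip():
            return l.strip()
    return ''


def matches_local_file(logged_input: str, local_file_text: str) -> bool:
    """Eli's check: does the leaked first line equal the first line of our own file?"""
    return first_line(logged_input) == first_line(local_file_text)


# Constructed sample log: the quoted rejection, an unrelated sync error, a normal line.
SAMPLE_LOG = "\n".join([
    r'2005-03-12 02:14:20 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=[218.109.116.199] input="# $FreeBSD: src/etc/group,v 1.19.2.3 2002/06/30 17:57:17 des Exp $\n#\nwheel:*:0:root,admin\ndaemon:*:1:daemon\n"',
    r'2005-03-12 02:15:01 SMTP protocol violation: synchronization error (input sent without waiting for greeting): rejected connection from H=[192.0.2.10] input="EHLO relay.example\r\nMAIL FROM:<a@example.invalid>\r\n"',
    r'2005-03-12 02:16:44 SMTP connection from [192.0.2.20] closed by QUIT',
])

# Constructed: a stock FreeBSD group file, whose header is identical on every such host ...
LOCAL_GROUP_STOCK = ("# $FreeBSD: src/etc/group,v 1.19.2.3 2002/06/30 17:57:17 des Exp $\n"
                     "#\nwheel:*:0:root,admin\ndaemon:*:1:daemon\n")
# ... and the same file with the unique marker comment the thread recommends.
LOCAL_GROUP_MARKED = "# marker: this-host-only 2005-03-12\n" + LOCAL_GROUP_STOCK


if __name__ == "__main__":
    for ev in parse_sync_errors(SAMPLE_LOG):
        kind = "group-file" if looks_like_group_file(ev['input']) else "other"
        same = matches_local_file(ev['input'], LOCAL_GROUP_MARKED)
        print(f"{ev['ts']} {ev['ip']:16} {kind:10} first line matches ours: {same}")
```

With the stock header, the comparison reports a match even though the data came from a different FreeBSD box, which is exactly why a unique marker line is needed before the log can tell "someone else's group file" apart from "my own group file being sent back to me".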