On Sun, Mar 13, 2005 at 03:16:02AM -0500, Eli wrote:
> Server doesn't have to be "hacked" to be compromised. As stated, the phpBB
> and AWStats exploits can leave no traces except what is in your web server
> log entries. I know, I've got servers that have been hit by these exploits.
You'd be much more likely to try and mail a passwd file than a group file in
that instance, but I'd like to hope that it mostly doesn't work anymore, due
to a mass move to shadow passwording several years ago.
[snip]
> This doesn't seem to look like the work of a leaked file descriptor though.
Errr? how do you come to that conclusion?
> I would expect random behaviour in that - targetting those files sounds a
> bit too fishy. I don't even think Exim opens those files directly in a
No. Not at all!
> standard situation, does it? Unless you have lookups set to query those
> files, I thought any user lookups were done via system calls, not directly
> querying the files? That's pure speculation - I haven't checked source code
> to be sure or not.
The only *system calls* that will be involved will be to open() those files.
The libc wraps that up in other stuff.
What this looks like to me is that because of the sync error, the fd is
being closed but the variable containing that fd is not unset, some later
bit of code does some kind of getgrent() call, and then tries to read from
the smtp input fd, which now is refers to the /etc/group file.
[snip]
> Do the other services the system offers have logs as well? Cross reference
> that IP with all your other system logs and see what you turn up.
This is a good suggestion anyway, IMO.
Cheers
MBM
--
Matthew Byng-Maddick <mbm@???> http://colondot.net/
(Please use this address to reply)
