Re: [Mailman-Users] message about probes

2009-04-30 Thread Donna Dierker

See inline comments below.

On 04/29/2009 11:34 AM, Steff Watkins wrote:

> -Original Message-
> From: mailman-users-bounces+s.watkins=nhm.ac...@python.org
> [mailto:mailman-users-bounces+s.watkins=nhm.ac...@python.org]
> On Behalf Of Stephen J. Turnbull
>
> Sent: 29 April 2009 16:29
> To: Mark Sapiro
> Cc: Gruver, Sandi; 'mailman-users@python.org'
> Subject: Re: [Mailman-Users] message about probes
>
> > Mark Sapiro writes:
> > > Gruver, Sandi wrote:
> > >
> > > > 2 possible successful probes
> > > > /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP Response 200
> > >
> > > I saw the same thing in my Logwatch the other day. These
> > > messages are reported in the httpd report.
>
> These are, IMNSHO, attempts by persons (or scripts or bots) to attempt
> to "exploit" a potential hole that may be in your setup.
>
> Of course, if the hole isn't in your setup then they get no success and
> so no exploit. Ho hum, they'll say, and move on to one of the X hundred
> millions of other websites on the internet and try again. It's "shotgun
> principle"; take a shotgun into a field with 100 crows, fire the shotgun
> and you're bound to hit at least one crow.
>
> > Aha, I see where I went wrong ... /mailman is an Apache ScriptAlias
> > (or equivalent), isn't it.  (I prefer a cgi-bin ScriptAlias so
> > it's immediately obvious what the URL is supposed to resolve to.)
>
> I think you may be mixing up concepts here, or rather splitting a
> concept. A ScriptAlias under Apache points to a cgi-bin location and so
> it IS a "cgi-bin alias". They're both "obvious" where they point to if
> you look through the webserver config file. As Apache is one of the
> major players in the webserver market, it is likely that your install of
> Mailman runs under Apache and so technically it'd be an Apache
> ScriptAlias to Mailman! :)
>
> > Good to know that this probably isn't a problem after all.  But do
> > check the logs to make sure that it is mailman's CGIs that are being
> > accessed!
>
> I did a quick scan through the code of my local Mailman setup and could
> not find a session.php file. If anything this looks like an attempt by
> someone or something to try and exploit one of the many CMS systems that
> are out there that have session handlers written into their code. Or
> possibly a bulletin board system or two!
>
> The attempt works by calling a php script called session.php which is
> passed the variable 'baseDir=../../../../../../../../etc/passwd'.
> Whatever script this is targeted at has probably been found to have a
> duff sanitising routine and so will probably evaluate it directly. If
> the script is NOT buried more than 8 levels of sub-directory down the
> target website it will eventually evaluate to "/etc/passwd". The script
> is labelled as "includes" so I'm guessing it is meant to just return the
> contents of the requested file. In this case, it'd be /etc/passwd.
>
> This in itself is of questionable use. They could potentially get some
> usernames out of it if it worked but most likely would not get many (or
> any) of the encrypted password hashes as they are stored in the
> /etc/shadow file (usually, depending on O/S).

It could be used to spoof addresses of valid list members in spam to lists.

> > Mark, do you understand what the attacker is trying to exploit here?
> > It's not at all obvious to me.
>
> They're attempting to force a script to return the contents of the
> password file.
>
> > Since /mailman/ is a scriptalias, and those are both actual scripts,
> > it's mailman/private and mailman/admin
> > that are going to be interpreting everything after the script name.
>
> Hhmm... Except the /mailman/ scriptalias itself points to a directory...
> which is marked up as "active content" by virtue of being a script
> alias. Now, unless you have had a really bad run of luck and the person
> who set up Mailman felt they really needed a 'backdoor' in to be able to
> see what was in there and so set up a htaccess file/index.php, what
> SHOULD happen is a call to http://blahblah/Mailman/ will return a big
> fat juicy failure message telling the user/bot that they are not allowed
> to look there.
>
> > The next segment of the path is the listname, and anything after that
> > is either garbage or a query about the list, so I can't see an attempt
> > to exploit mailman here, despite the fact that they're specifically
> > invoking mailman CGIs.  Am I missing something?
>
> I'd guess that it was not a Mailman specific 'attack', mainly because of
> the call to includes/session.php. A poorly set up webserver could, maybe,
> possibly, ever so slightly try and satisfy the request but if you have a
> setup like that then it's not really hackers/crackers/phreakers you have
> to worry about more than your sysadmin/webadmin who has let that setup
> run on the public internet in the first place.
>
> I think that this has raised a good point though. If you spot
> 'questionable activity' to your webserver systems then it's probably
> wise to spend a few minutes looking at it, cut'n'pasting the s
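The probe quoted in this thread (eight levels of `../` in a `baseDir` query parameter, reported by Logwatch as a "possible successful probe" because the response was 200) can be checked from the access log the way Stephen suggests. The following is an added example, not code from Logwatch, Mailman or anyone in the thread: it parses constructed Apache combined-format log lines, resolves any `..` sequence found in the path or query the way a naive include would, against an assumed document root (`/var/www/html`) and script directory (`includes`), and reports requests whose target escapes the root, marking a 200 response as a possible success. It goes a little beyond the quoted probe by also catching percent-encoded and double-encoded forms.

```python
"""Flag directory-traversal probes in Apache access-log lines.

Added example for this thread; not code from Mailman, Logwatch or the
posters. Log lines are constructed; docroot and script directory are assumed.
"""
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-log-format prefix we need: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: the probe from the thread, a double-encoded variant that
# hit a non-existent path, and ordinary list traffic.
LOG_LINES = """\
203.0.113.7 - - [29/Apr/2009:03:14:07 +0100] "GET /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP/1.1" 200 1842
203.0.113.7 - - [29/Apr/2009:03:14:09 +0100] "GET /forum/includes/session.php?baseDir=..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 287
198.51.100.2 - - [29/Apr/2009:08:02:11 +0100] "GET /mailman/listinfo/mylist HTTP/1.1" 200 5120
""".splitlines()


def decode(value):
    """Percent-decode twice so %252e-style double encoding is also caught."""
    return unquote(unquote(value))


def resolve_include(script_dir, value):
    """Resolve ``value`` as a naive include($baseDir . '/x') would, relative to
    the directory holding the script. normpath drops surplus '..' at '/', which
    is why eight levels reach /etc/passwd from any shallower tree."""
    return posixpath.normpath(posixpath.join(script_dir, decode(value)))


def is_inside(path, root):
    """True if ``path`` is ``root`` or lies below it."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def classify_request(target, status, docroot, script_dir):
    """Return None for a harmless request, otherwise a finding dict."""
    parts = urlsplit(target)
    candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for cand in candidates:
        if ".." not in decode(cand):
            continue
        resolved = resolve_include(posixpath.join(docroot, script_dir), cand)
        if not is_inside(resolved, docroot):
            return {
                "target": target,
                "resolves_to": resolved,
                "verdict": "possible successful probe" if status == 200 else "probe (no 200)",
            }
    return None


def scan_log(lines, docroot="/var/www/html", script_dir="includes"):
    """Run classify_request over log lines; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        hit = classify_request(m["target"], int(m["status"]), docroot, script_dir)
        if hit:
            hit["ip"] = m["ip"]
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_LINES):
        print(f"{f['ip']}: {f['verdict']} -> {f['resolves_to']}  [{f['target']}]")
```

A 200 on a Mailman CGI such as /mailman/private only means the CGI answered (normally with its login page), not that a file was read, which is why the verdict stays "possible" and the log entry, not the status code, is what to examine.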

Re: [Mailman-Users] mail to non-existing list - Part two

2009-04-24 Thread Donna Dierker
It really does seem like that.  See what postmaster is aliased to.  My 
server's /etc/aliases has several entries like this:


admin:  root
bin:root
adm:root
mail:   root
apache: root
mailnull:   root
smmsp:  root
postfix:root
system: root
abuse:  root
webmaster:  root
mailer-daemon:  postmaster
postmaster: root
mailman:postmaster
info:   postmaster
marketing:  postmaster
sales:  postmaster
support:postmaster

Note that postmaster is aliased to root, and root is later aliased to a 
real person's address.


It seems like his postmaster is aliased to mail...@his_server.edu.

On 04/24/2009 10:04 AM, Larry Stone wrote:

> On Fri, 24 Apr 2009, Jeff Bernier wrote:
>
> > I have tested this by just making up names on-the-fly like nolist, or
> > xyzlist, and get this result every time.
>
> Sounds like you have a catchall address pointing to the Mailman list
> address.
>
> -- Larry Stone
>    lston...@stonejongleux.com
--
Mailman-Users mailing list
Mailman-Users@python.org
http://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives: 
http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: 
http://mail.python.org/mailman/options/mailman-users/donna%40brainvis.wustl.edu 



Security Policy: http://wiki.list.org/x/QIA9


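Following an alias chain by hand gets error-prone once several entries point at each other, as in the /etc/aliases excerpt above. The resolver below is an added example, not taken from Donna's, Larry's or Jeff's servers: it parses a constructed aliases fragment modelled on the quoted entries, plus a hypothetical `root: sysadmin@example.edu` line so the chain terminates in a real mailbox, and reports where mail to each local name finally lands, flagging loops instead of recursing forever.

```python
"""Follow /etc/aliases chains to see where mail for a local name really lands.

Added example for this thread; not the posters' configuration. The table is
constructed from the entries quoted above plus a hypothetical
'root: sysadmin@example.edu' so the chain ends in a real mailbox.
"""

ALIASES_TEXT = """\
# constructed sample modelled on the thread's /etc/aliases excerpt
admin:          root
mailer-daemon:  postmaster
postmaster:     root
mailman:        postmaster
info:           postmaster
support:        postmaster
root:           sysadmin@example.edu
# deliberate cycle to show loop detection
ping:           pong
pong:           ping
"""


def parse_aliases(text):
    """Parse 'name: target[, target...]' lines; comments and blanks are skipped.
    Continuation lines and :include: files are not handled (kept simple)."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, targets = line.split(":", 1)
        table[name.strip().lower()] = [t.strip() for t in targets.split(",") if t.strip()]
    return table


def resolve(name, table, seen=frozenset()):
    """Return the set of final destinations for ``name``.
    A name that is not a key in the table is terminal: a real local user or a
    remote address. A cycle yields a 'LOOP:<name>' marker."""
    key = name.lower()
    if key in seen:
        return {"LOOP:" + key}
    if key not in table:
        return {name}
    out = set()
    for target in table[key]:
        out |= resolve(target, table, seen | {key})
    return out


def delivery_report(table):
    """Map every alias to its sorted final destinations."""
    return {name: sorted(resolve(name, table)) for name in table}


if __name__ == "__main__":
    for name, dests in delivery_report(parse_aliases(ALIASES_TEXT)).items():
        print(f"{name:15s} -> {', '.join(dests)}")
```

A catchall of the kind Larry suspects normally lives in the MTA's own configuration rather than in /etc/aliases, so a name that this resolver reports as terminal does not rule one out.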


Re: [Mailman-Users] Want posts from mylist to mylist to be held

2009-04-24 Thread Donna Dierker

On 04/22/2009 09:23 AM, Mark Sapiro wrote:

> Donna Dierker wrote:
>
> > Recently, a spam message was successfully posted to mylist.  The "From"
> > field showed myl...@myserver.edu (i.e., the same address that one uses
> > when posting *to* mylist).  Looking in the list of subscribers, I don't
> > see 'mylist' as a member.  And typically posts do not come from the
> > list; rather, they are just posted *to* the list *from* an individual
> > subscriber's email address.
> >
> > Why aren't posts *from* myl...@myserver.edu being rejected, since
> > myl...@myserver.edu is a non-member from the point of view of the list?
>
> They should be. It may be too late to find why this one was accepted,
> but if you have access, you can find the post in the
> archives/private/LISTNAME.mbox/LISTNAME.mbox file and see some of the
> original headers.
>
> A post is considered to be from a list member if any of From:,
> Reply-To: or Sender: or the envelope sender is a list member.

You're right, and in checking this I discovered another case of spam
that I didn't notice earlier.  In both cases, the spammer spoofed the
From address of legitimate list members (but who clearly did not send
these messages, since one of the spoofed addresses was mine).

> It is also possible, although not likely, that the spammer knows the
> list admin or moderator password and put an "Approved: password"
> header in the post, but if this was done, the evidence will be gone.
>
> > I thought about putting From: myl...@myserver.edu in the spam filter,
> > and setting the action to Hold; however, I don't want a message being
> > sent to everyone on mylist every time a spam message gets held for
> > moderator approval.  I do, however, want these messages held, so I can
> > inspect them.  (Or at least a copy emailed to me, the list moderator,
> > before the message is discarded.)
>
> This is difficult. You could use header_filter_rules to discard the
> message, but then you won't see it even with forward_auto_discards
> true because that applies only to moderated and non-member auto
> discards.
>
> If you hold the message, the notice to the sender, even if to the list,
> should not be accepted as it is from LISTNAME-bounces, but if you want
> to be really sure, you could set respond_to_post_requests to No so
> there is no held notice back to the poster.


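Mark's rule (a post counts as coming from a member if From:, Reply-To:, Sender: or the envelope sender is subscribed) is exactly why a forged From: of a real subscriber is accepted. The block below is an added example in Python that models that rule and Donna's proposed hold on any From: carrying the list's own address; it is not Mailman's own code. The member list, the list address, the three messages and the assumption that the header filter is evaluated before the membership test are all constructed for the example.

```python
"""Model of the membership rule Mark describes and of a header_filter_rules
style hold on From: = list address.

Added example; not Mailman's code. Members, messages and the assumption that
the header filter runs before the membership test are constructed here.
"""
import email
import re
from email.utils import getaddresses

LIST_ADDRESS = "mylist@myserver.edu"                      # constructed
MEMBERS = {"alice@example.edu", "donna@example.edu"}      # constructed

# Donna's idea: hold anything whose From: carries the list's own address.
HOLD_RULES = [re.compile(r"^from:.*" + re.escape(LIST_ADDRESS), re.IGNORECASE)]


def header_addresses(msg, name):
    """All bare addresses found in every instance of header ``name``."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(name, [])) if addr}


def member_match(msg, envelope_sender, members):
    """Mark's rule: the post is 'from a member' if the envelope sender or any
    From:/Reply-To:/Sender: address is subscribed. Returns the matching
    address, or None."""
    members = {m.lower() for m in members}
    candidates = [envelope_sender.lower()]
    for header in ("From", "Reply-To", "Sender"):
        candidates.extend(sorted(header_addresses(msg, header)))
    for addr in candidates:
        if addr in members:
            return addr
    return None


def header_filter_action(msg, rules=HOLD_RULES):
    """Apply regexes to 'Name: value' lines, as header_filter_rules does."""
    for name, value in msg.items():
        line = f"{name}: {value}"
        if any(rule.search(line) for rule in rules):
            return "hold"
    return "accept"


def disposition(raw_message, envelope_sender, members=MEMBERS):
    """Header filter first (assumed ordering), then the membership test; a
    non-member post is rejected, matching a non-member action of Reject."""
    msg = email.message_from_string(raw_message)
    if header_filter_action(msg) == "hold":
        return "hold"
    if member_match(msg, envelope_sender, members):
        return "accept"
    return "reject"


# Constructed messages. The spammer's envelope sender is never a member; the
# first forges a subscriber's From:, the second forges the list's own address
# as Donna observed, the third is a plain stranger.
SPOOFED_MEMBER = """\
From: Donna <donna@example.edu>
To: mylist@myserver.edu
Subject: cheap watches

buy now
"""

SPOOFED_LIST = """\
From: mylist@myserver.edu
To: mylist@myserver.edu
Subject: cheap watches

buy now
"""

STRANGER = """\
From: nobody@bad.example
To: mylist@myserver.edu
Subject: hello

hi
"""

if __name__ == "__main__":
    for label, raw in (("spoofed member", SPOOFED_MEMBER),
                       ("spoofed list", SPOOFED_LIST),
                       ("stranger", STRANGER)):
        print(f"{label:15s} -> {disposition(raw, 'spammer@bad.example')}")
```

The spoofed-member case is accepted because the membership rule has nothing to distinguish a forged From: from a genuine one; the hold rule catches only the From-equals-list variant, which is the one Donna asked about.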


[Mailman-Users] Want posts from mylist to mylist to be held

2009-04-21 Thread Donna Dierker

Hi mailman experts,

My mailman list 'mylist' has non-member posts set to be rejected.  This
has done an excellent job of preventing spam in the past.

Recently, a spam message was successfully posted to mylist.  The "From"
field showed myl...@myserver.edu (i.e., the same address that one uses
when posting *to* mylist).  Looking in the list of subscribers, I don't
see 'mylist' as a member.  And typically posts do not come from the
list; rather, they are just posted *to* the list *from* an individual
subscriber's email address.

Why aren't posts *from* myl...@myserver.edu being rejected, since
myl...@myserver.edu is a non-member from the point of view of the list?

I thought about putting From: myl...@myserver.edu in the spam filter,
and setting the action to Hold; however, I don't want a message being
sent to everyone on mylist every time a spam message gets held for
moderator approval.  I do, however, want these messages held, so I can
inspect them.  (Or at least a copy emailed to me, the list moderator,
before the message is discarded.)

Thanks,

Donna
