You must upgrade your perl IO module to at least...ERROR

Bjorgen T. Eatinger beatinger at edenhosting.net
Thu Jan 3 14:12:28 GMT 2008


Martin,

I also received this error and used CPAN to upgrade the IO package using "install IO"

This fixed the Perl IO package issue which prevented MailScanner from loading.

Pretty scary for about 30 minutes... upgraded to the latest version and killed our mail server!

Jay Eatinger

Eden USA, Inc.
t. 866-501-3336
f. 866-502-3336


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of mailscanner-request at lists.mailscanner.info
Sent: Thursday, January 03, 2008 4:02 AM
To: mailscanner at lists.mailscanner.info
Subject: MailScanner Digest, Vol 25, Issue 4

Send MailScanner mailing list submissions to
        mailscanner at lists.mailscanner.info

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.mailscanner.info/mailman/listinfo/mailscanner
or, via email, send a message with subject or body 'help' to
        mailscanner-request at lists.mailscanner.info

You can reach the person managing the list at
        mailscanner-owner at lists.mailscanner.info

When replying, please edit your Subject line so it is more specific
than "Re: Contents of MailScanner digest..."


Today's Topics:

   1. Re: Off Topic - Can someone help? (ajos1 at onion.demon.co.uk)
   2. Re: Off Topic - Can someone help? (ajos1 at onion.demon.co.uk)
   3. Re: Off Topic - Can someone help? (Hugo van der Kooij)
   4. RE: MailScanner ANNOUNCE: New 4.66.5 released (Randal, Phil)
   5. ERROR: You must upgrade your perl IO module to at least
      (Martin Garcia)
   6. Re: Off Topic - Can someone help? (Michael Choo)
   7. RE: Off Topic - Can someone help? (Martin.Hepworth)
   8. Re: Off Topic - Can someone help? (Miguel Koren O'Brien de Lacy)
   9. [off topic] - usernames with special characters
      (Miguel Koren O'Brien de Lacy)
  10. Re: [off topic] - usernames with special characters
      (Anthony Cartmell)


----------------------------------------------------------------------

Message: 1
Date: Thu, 03 Jan 2008 05:04:58 +0000
From: "ajos1 at onion.demon.co.uk" <ajos1 at onion.demon.co.uk>
Subject: Re: Off Topic - Can someone help?
To: mailscanner at lists.mailscanner.info
Cc: ajos1 at onion.demon.co.uk
Message-ID: <sentthu03jan20080504580000ajos1 at www.sonicbadger.com>
Content-Type: text/plain

-

Further update...

I have had to close down the SMTP Port 25 for a few hours to hope these people go away!


I forgot to add these details:

I am:

= Sendmail 8.14.1/8.14.1
= MailScanner 4.66.5

Also... my Snort system has registered... over 7000 "(portscan) Open Port: 25" entries in the last 2 hours!  From these IPs.

210.59.228.42
210.59.228.65
210.59.228.93
210.59.228.113
139.175.54.239


------------------------------

Message: 2
Date: Thu, 03 Jan 2008 05:16:36 +0000
From: "ajos1 at onion.demon.co.uk" <ajos1 at onion.demon.co.uk>
Subject: Re: Off Topic - Can someone help?
To: mailscanner at lists.mailscanner.info
Cc: ajos1 at onion.demon.co.uk
Message-ID: <sentthu03jan20080516360000ajos1 at www.sonicbadger.com>
Content-Type: text/plain

>>
>> Peter Nitschke wrote:
>>
>> Very wild guess, but they may be exploiting a web server on that PC.
>>
>>   relay=localhost.localdomain [127.0.0.1]
>>

I thought that might be the case... and I have had a look at all of the httpd logs... and there is nothing there to suggest a web-hack.  In fact website usage is very minimal and from UK sources.


------------------------------

Message: 3
Date: Thu, 03 Jan 2008 07:29:25 +0100
From: Hugo van der Kooij <hvdkooij at vanderkooij.org>
Subject: Re: Off Topic - Can someone help?
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID: <477C80C5.7090503 at vanderkooij.org>
Content-Type: text/plain; charset=ISO-8859-1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ajos1 at onion.demon.co.uk wrote:

> I think I have a safe-ish system... (i.e.) not an open relay and so on... but TONIGHT all of a sudden something/someone is "supposedly" able to relay.

You have been broken into in some manner. Unless you take the system offline
you will be sending spam and are to be held accountable.

> Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955: from=<dwkscy at yahoo.com>, size=1658, class=0, nrcpts=1, msgid=<MESUDDUFSUEWDFVOVABXGNCN at yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

Your SMTP client lives locally.

> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: from=<okorfhzoaiadke at yahoo.com>, size=6253, class=0, nrcpts=51, msgid=<CYSGRANINJSFZUJCWXBWXXN at yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]

And again.

So you need to take the system offline and start forensics on the unit.
As it is you should not trust ANYTHING on that machine. So anything you
use to investigate needs to be started from a ReadOnly medium and not
the system itself.

I would start with the usual suspects like an SSH break in, ....

Hugo.

- --
hvdkooij at vanderkooij.org               http://hugo.vanderkooij.org/
PGP/GPG? Use: http://hugo.vanderkooij.org/0x58F19981.asc

        A: Yes.
        >Q: Are you sure?
        >>A: Because it reverses the logical flow of conversation.
        >>>Q: Why is top posting frowned upon?

Bored? Click on http://spamornot.org/ and rate those images.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFHfIDCBvzDRVjxmYERAt5+AJ4o3lMKzJvK9NiklyXEQuGDmE7pxwCgiAAo
zu88W1I9IC4qsfICJENFR6Q=
=JPNK
-----END PGP SIGNATURE-----


------------------------------

Message: 4
Date: Thu, 3 Jan 2008 07:07:59 -0000
From: "Randal, Phil" <prandal at herefordshire.gov.uk>
Subject: RE: MailScanner ANNOUNCE: New 4.66.5 released
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Message-ID:
        <7EF0EE5CB3B263488C8C18823239BEBA02819093 at HC-MBX02.herefordshire.gov.uk>

Content-Type: text/plain;       charset="us-ascii"

mailscanner-bounces at lists.mailscanner.info wrote:
> Happy New Year to you Jules!
>
> Just read your announcement and realized that you have made
> changes for use by MailWatch 2. As MailWatch 2 is far away
> from being published (will it be published for general use?)
> I am wondering, if these changes you made, do make problems,
> if one uses MailWatch Version 1.4?
>
> Thanks.
>
> Kind regards,
> Roland

It works fine with MailWatch 1.04.

Cheers,

Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK


------------------------------

Message: 5
Date: Thu,  3 Jan 2008 03:06:41 -0500
From: Martin Garcia <mgarcia at nettix.com.pe>
Subject: ERROR: You must upgrade your perl IO module to at least
To: mailscanner at lists.mailscanner.info
Message-ID: <20080103030641.3766gepvswcckgck at gateway.nettix.com.pe>
Content-Type: text/plain;       charset=ISO-8859-1;     DelSp="Yes";
        format="flowed"

Guys,

According to the late problems with perl-Mail-tools and perl-MIME-tools
I upgraded my server to 4.66 but I'm finding the below.

Could you give me some light on it? What should be the minimum version?
Where can I find an appropriate rpm? I use the latest rpmforge and centos repos.

I'm using CentOS 4.6 x386

Thanks in advance

Any questions or queries, I am at your disposal.

Sincerely


MARTIN GARCIA
Linux and networks consultant
Nettix Peru
tel: +(511)9735-4848
<http://www.nettix.com.pe>
mailto:mgarcia at nettix.com.pe

[root at gateway es]# service MailScanner restart
Shutting down MailScanner daemons:
          MailScanner:                                      [FAILED]
          incoming postfix:                                 [  OK  ]
          outgoing postfix:                                 [  OK  ]
Waiting for MailScanner to die gracefully  dead.
Starting MailScanner daemons:
          incoming postfix:                                 [  OK  ]
          outgoing postfix:                                 [  OK  ]
          MailScanner:

**** ERROR: You must upgrade your perl IO module to at least
**** ERROR: version 1.2301 or MailScanner will not work!

                                                            [  OK  ]

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

------------------------------

Message: 6
Date: Thu, 3 Jan 2008 16:12:52 +0800
From: Michael Choo <mcwh65 at gmail.com>
Subject: Re: Off Topic - Can someone help?
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID: <94CEC66B-87F1-4DD9-A624-DFE5985C02C5 at gmail.com>
Content-Type: text/plain; charset="us-ascii"


On 3 Jan  2008, at 12:22 PM, ajos1 at onion.demon.co.uk wrote:

> ###########
> #### Does anyone have a clue how I might be getting hacked???
> ###########

I've seen this on a customer's server before.

Did Snort report any outgoing IRC traffic?

Close down Sendmail and kill all existing sendmail sessions.

Do a "netstat -an" and see what ports and sessions are currently active.
Chances are, port 6667 (IRC) is running, and probably got in via an
insecure user password.

Cheers
-Mike
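Two pieces of advice in this thread can be turned into a repeatable check: Hugo's observation that the relaying client "lives locally" (relay=localhost.localdomain in the sendmail log) and Mike's suggestion to look at "netstat -an" for unexpected listeners and outbound IRC sessions. The following is an added example, not code from either poster or from MailScanner; it parses netstat output and flags three things: listening ports outside an assumed allow-list (the set EXPECTED_LISTENERS is an assumption for a host that should only expose SSH, SMTP and HTTP), established connections to port 6667, and local processes connected to the MTA on port 25. The netstat text is constructed for the example.

```python
"""Triage helper for `netstat -an` output on a suspected relay host."""

# Constructed sample shaped like Linux `netstat -an` output; not captured from any real host.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:43211        198.51.100.9:6667       ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.77:51234      ESTABLISHED
tcp        0      0 127.0.0.1:25            127.0.0.1:40012         ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Assumption: the ports this mail host is supposed to expose (SSH, SMTP, HTTP).
EXPECTED_LISTENERS = {22, 25, 80}
# Port 6667 is the IRC port named in the thread.
IRC_PORTS = {6667}


def parse_netstat(text):
    """Parse netstat -an lines into dicts; header and non-socket lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        lhost, _, lport = parts[3].rpartition(":")
        rhost, _, rport = parts[4].rpartition(":")
        rows.append({
            "proto": parts[0],
            "lhost": lhost, "lport": int(lport),
            "rhost": rhost, "rport": rport,          # rport may be '*'
            "state": parts[5] if len(parts) > 5 else "",
        })
    return rows


def review_sockets(text, expected_listeners=EXPECTED_LISTENERS):
    """Return (kind, detail) findings worth a closer look on a suspected relay host."""
    findings = []
    for r in parse_netstat(text):
        if r["state"] == "LISTEN" and r["lport"] not in expected_listeners:
            findings.append(("unexpected listener", f"{r['proto']} {r['lhost']}:{r['lport']}"))
        elif r["state"] == "ESTABLISHED" and r["rport"].isdigit() and int(r["rport"]) in IRC_PORTS:
            findings.append(("outbound irc", f"{r['lhost']}:{r['lport']} -> {r['rhost']}:{r['rport']}"))
        elif r["state"] == "ESTABLISHED" and r["lport"] == 25 and r["rhost"] == "127.0.0.1":
            # A local process talking to the MTA: matches the relay=localhost lines in the logs.
            findings.append(("local smtp client", f"{r['rhost']}:{r['rport']} -> port 25"))
    return findings


if __name__ == "__main__":
    for kind, detail in review_sockets(SAMPLE_NETSTAT):
        print(f"{kind:20s} {detail}")
```

As Hugo points out, nothing on a compromised host can be trusted, so the netstat output fed to this should come from binaries started off read-only media (or from a `netstat -anp` run that also records the owning PID, so the local SMTP client can be tied to a process), not from the system's own installed tools.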


------------------------------

Message: 7
Date: Thu, 03 Jan 2008 08:43:34 +0000
From: "Martin.Hepworth" <martinh at solidstatelogic.com>
Subject: RE: Off Topic - Can someone help?
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Message-ID: <808501172b91e04e8a3132924197e54b at solidstatelogic.com>
Content-Type: text/plain;       charset="us-ascii"

Yeah, could be compromised php script that installed a root kit. Could be lots of things...

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300


------------------------------

Message: 8
Date: Thu, 03 Jan 2008 08:53:12 -0200
From: "Miguel Koren O'Brien de Lacy" <miguelk at konsultex.com.br>
Subject: Re: Off Topic - Can someone help?
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID: <477CBE98.8000201 at konsultex.com.br>
Content-Type: text/plain; charset=UTF-8

I had a similar, mysterious problem like this a few years ago. What
happened is that the same server was running Apache and it was
configured improperly as a proxy by letting anyone use it as a proxy, so
some spam systems were detecting that and using Apache to send those
emails. I reconfigured Apache, following some guidelines from the Apache
web site and the problem went away. There are some emails from me about
this possibly in 2004 on this mailing list.

I had the "ProxyPass" directive on and this let the spammers use apache
as a route to sendmail.

Check for something like this in your apache log:

access_log:168.61.4.12 - - [08/Aug/2004:16:54:45 -0300] "POST
http://168.61.5.196:25/ HTTP/1.0" 200 2027

Maybe this can help you before you reinstall the OS.

Miguel

ajos1 at onion.demon.co.uk wrote:
> -
>
> Off Topic - Can someone help?
>
> I am sending this for 2 reasons:
>
> (1) To let people know there might be something that they need to look out for...
>
> (2) I am hoping someone might tell me what I have got wrong with my system.
>
>
> I think I have a safe-ish system... (i.e.) not an open relay and so on... but TONIGHT all of a sudden something/someone is "supposedly" able to relay.
>
>
> Hack example one is:  Sending from: dwkscy at yahoo.com to a2234455 at tomail.com.tw
>
> Hack example two is:  Sending from: okorfhzoaiadke at yahoo.com to zillions of people !!
>
> I tried telnetting from a remote IP... and doing:  mail from: <a at yahoo.com>  and  rcpt to: <b at tomail.com.tw> .  And my system says that Relaying is denied...
>
> As a temporary stop... I have had to put this in my /etc/mail/access file
>
> /etc/mail/access
> ================
> To:tomail.com.tw     REJECT
>
>
> ###########
> #### Does anyone have a clue how I might be getting hacked???
> ###########
>
>
>
> [root at www log]# host -t mx tomail.com.tw
> ========================================
> tomail.com.tw mail is handled by 10 localhost.
>
>
>
> [root at www log]# grep -i 005955 maillog
> ======================================
> Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955: from=<dwkscy at yahoo.com>, size=1658, class=0, nrcpts=1, msgid=<MESUDDUFSUEWDFVOVABXGNCN at yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
> Jan  3 01:28:50 www sendmail[5955]: m031SgPv005955: to=<a2234455 at tomail.com.tw>, delay=00:00:02, mailer=esmtp, pri=31658, stat=queued
> Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955: SYSERR(root): MX list for tomail.com.tw. points back to www.tbshs.herts.sch.uk
> Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955: to=<a2234455 at tomail.com.tw>, delay=00:00:05, xdelay=00:00:00, mailer=esmtp, pri=121658, relay=tomail.com.tw., dsn=5.3.5, stat=Local configuration error
> Jan  3 01:28:53 www sendmail[5963]: m031SgPv005955: m031SrMj005963: DSN: Local configuration error
> Jan  3 01:29:03 www MailScanner[26370]: Logging message m031SgPv005955 to SQL
> Jan  3 01:29:03 www MailScanner[5971]: m031SgPv005955: Logged to MailWatch SQL
>
>
>
> [root at www log]# grep -i 008581 maillog
> ======================================
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: from=<okorfhzoaiadke at yahoo.com>, size=6253, class=0, nrcpts=51, msgid=<CYSGRANINJSFZUJCWXBWXXN at yahoo.com>, bodytype=8BITMIME, proto=SMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<s6721 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<siask at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<yuan0312 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<acut at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<dzj at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<a45211 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<yshs at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<jt10 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
> Jan  3 01:49:36 www sendmail[8581]: m031mFpI008581: to=<gl66 at mail.com.tw>, delay=00:01:16, mailer=esmtp, pri=1536253, stat=queued
>
> ==
> =====================================================================
> =
> = "I should have listened to myself earlier..."
> =
> =====================================================================
> =  Need help with: Parking Tickets, Bailiffs, Capita or HertsGrid???
> =  Call...    +44 8457 90 90 90    http://www.samaritans.org/
> =====================================================================
>

--
This message was checked by the antivirus system and
 is believed to be free of danger.
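Miguel's access_log entry is the signature of an open forward proxy: the request target is an absolute URI ("POST http://168.61.5.196:25/") rather than a path, it points at port 25, and the 200 status means Apache served it. The following added example (not Miguel's code or anything from the Apache project) scans Common Log Format lines for that pattern and for CONNECT tunnels, and records whether Apache actually served the request. The log lines are constructed for the example, modelled on the one quoted above.

```python
"""Scan Apache access_log lines for requests that indicate an open forward proxy."""
import re
from urllib.parse import urlsplit

# Constructed sample lines modelled on the entry quoted in the post; not real traffic.
SAMPLE_ACCESS_LOG = """\
168.61.4.12 - - [08/Aug/2004:16:54:45 -0300] "POST http://168.61.5.196:25/ HTTP/1.0" 200 2027
192.0.2.10 - - [03/Jan/2008:01:28:40 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [03/Jan/2008:01:29:01 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 200 0
203.0.113.5 - - [03/Jan/2008:01:30:12 +0000] "GET http://www.example.org/ HTTP/1.0" 403 210
192.0.2.11 - - [03/Jan/2008:01:31:00 +0000] "POST /cgi-bin/form.cgi HTTP/1.1" 302 221
"""

# Common Log Format: client ident user [timestamp] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def classify_request(method, target):
    """Return why a request line looks like proxy use, or None for an ordinary request."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return f"CONNECT tunnel to {host}:{port}"
    if "://" in target:
        # Absolute-URI targets are how a client asks a forward proxy to fetch on its behalf.
        u = urlsplit(target)
        if u.port == 25:
            return f"absolute-URI {method} to SMTP port on {u.hostname}"
        return f"absolute-URI {method} (forward-proxy style) to {u.hostname}"
    return None


def find_proxy_abuse(log_text):
    """Return (client, status, served, reason) tuples for proxy-style requests.
    served is True when the status is 2xx/3xx, i.e. Apache actually proxied it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m["method"], m["target"])
        if reason:
            served = m["status"][0] in "23"
            hits.append((m["client"], m["status"], served, reason))
    return hits


if __name__ == "__main__":
    for client, status, served, reason in find_proxy_abuse(SAMPLE_ACCESS_LOG):
        print(f"{client:15s} {status} {'SERVED ' if served else 'refused'} {reason}")
```

A request that shows up with a 403 (as in the fourth sample line) is a probe that was refused; the ones to act on are those served with 2xx/3xx. On the configuration side, forward proxying in Apache is enabled by `ProxyRequests On`, so the setting to verify is `ProxyRequests Off` in every virtual host that carries mod_proxy directives.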



------------------------------

Message: 9
Date: Thu, 03 Jan 2008 09:13:38 -0200
From: "Miguel Koren O'Brien de Lacy" <miguelk at konsultex.com.br>
Subject: [off topic] - usernames with special characters
To: mailscanner at lists.mailscanner.info
Message-ID: <477CC362.7010706 at konsultex.com.br>
Content-Type: text/plain; charset=UTF-8

Today I also have an off topic question and I'm sure someone on this
list knows about this. On Fedora Core 7 I now have several domains and I
need to have users with user names like "name at domain.com". I found that
this does not work without some tweaking because when the
/var/spool/mail mailbox is created, Fedora leaves out the "@domain.com"
and so there is a conflict when 2 users like "name at domain1.com" and
"name at domain2.com" are created. In other words, the mailbox file is just
"name" and not "name at domain1.com". Since I could not create the users I
was not able to test but I assume that the virtusertable will let me map
"name at domain.com" to something like "name at domain.com@localhost".

I'm sure that there are other ways to set up a system for accepting
usernames like this but for several reasons on this server it would be
the easiest solution for me. Does anyone know if it is in fact possible
to have Fedora use usernames in this format and if so what needs to be
configured?

Thanks.




------------------------------

Message: 10
Date: Thu, 03 Jan 2008 11:56:15 -0000
From: "Anthony Cartmell" <ajcartmell at fonant.com>
Subject: Re: [off topic] - usernames with special characters
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Message-ID: <op.t4crf1qu53oa6f at ajc5.lan>
Content-Type: text/plain; format=flowed; delsp=yes; charset=utf-8

> Today I also have an off topic question and I'm sure someone on this
> list knows about this. On Fedora Core 7 I now have several domains and I
> need to have users with user names like "name at domain.com".

Hmmmm... sounds like sendmail?

> Since I could not create the users I
> was not able to test but I assume that the virtusertable will let me map
> "name at domain.com" to something like "name at domain.com@localhost".

If you're using standard sendmail, then no, it won't. Any string
containing an "@" on the RHS of virtusertable is deemed to be an e-mail
address, not a username.

> I'm sure that there are other ways to set up a system for accepting
> usernames like this but for several reasons on this server it would be
> the easiest solution for me. Does anyone know if it is in fact possible
> to have Fedora use usernames in this format and if so what needs to be
> configured?

What mailer are you using? If it's sendmail then you can't have "@" in the
username, even though you can for the unix user. You'll need to substitute
something like "_" for the "@" for your sendmail account names.

You might need to investigate other mailers that handle virtual users
differently, if you want to keep "@" as a valid mail account character.

Hope this helps,

Anthony
--
www.fonant.com - Quality web sites
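Anthony's answer and Miguel's question together describe a naming problem: Fedora keeps only the part before "@" as the mailbox name, so "name at domain1.com" and "name at domain2.com" collide, while sendmail's virtusertable will not accept an "@" on the right-hand side. The following added example (not Anthony's or Miguel's code, and not part of sendmail) models both naming schemes, reports which addresses collide under each, and emits virtusertable lines using the "_" substitution Anthony suggests. The address list is constructed for the example.

```python
"""Derive sendmail-safe local account names for virtual addresses and check for collisions."""
import re
from collections import defaultdict

# Constructed example addresses, following the two in the post plus one more.
WANTED = ["name@domain1.com", "name@domain2.com", "sales@domain2.com"]

# Portable Unix username characters; '@' is deliberately excluded.
LOCAL_USER_RE = re.compile(r"^[a-z_][a-z0-9_.-]*$")


def naive_local(address):
    """What the poster observed: only the part before '@' becomes the mailbox name."""
    return address.split("@", 1)[0]


def substituted_local(address, sep="_"):
    """Anthony's suggestion: keep the domain but replace '@' with '_'."""
    user, domain = address.lower().split("@", 1)
    name = f"{user}{sep}{domain}"
    if not LOCAL_USER_RE.match(name):
        raise ValueError(f"cannot derive a local account from {address!r}")
    return name


def collisions(addresses, namer):
    """Map local account name -> addresses, keeping only names claimed more than once."""
    by_local = defaultdict(list)
    for addr in addresses:
        by_local[namer(addr)].append(addr)
    return {local: addrs for local, addrs in by_local.items() if len(addrs) > 1}


def build_virtusertable(addresses, namer=substituted_local):
    """Return virtusertable lines 'virtual<TAB>local'. The right-hand side contains
    no '@', so sendmail treats it as a local user rather than a forwarding address."""
    if collisions(addresses, namer):
        raise ValueError("local account names collide; pick a different naming scheme")
    return [f"{addr}\t{namer(addr)}" for addr in addresses]


if __name__ == "__main__":
    print("collisions with bare usernames:", collisions(WANTED, naive_local))
    print("\n".join(build_virtusertable(WANTED)))
```

The collision check is the part worth keeping: whatever substitution character is chosen, run it over the full list of virtual addresses before creating the Unix accounts, since two distinct addresses mapping to one mailbox means one user silently reads the other's mail.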


------------------------------

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read the Wiki (http://wiki.mailscanner.info/).

Support MailScanner development - buy the book off the website!


End of MailScanner Digest, Vol 25, Issue 4
******************************************
