Potential Postfix CentOS message unpacking bug
Alex Neuman van der Hans
alex at rtpty.com
Mon Sep 15 14:40:28 IST 2008
I'm not affected since I use sendmail, but if you guys post a brief
howto regarding submitting samples I'll be glad to help.
---
Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman
On Sep 15, 2008, at 7:26 AM, Andreas Kasenides <Andreas.Kasenides at cs.ucy.ac.cy> wrote:
> Julian Field wrote:
>>
>> As some of you may have already realised, a few people are having a
>> problem on particular OS's when using Postfix, where a message
>> generated by a particular Trojan is not being unpacked properly.
>>
>> So Postfix users on CentOS, please can you check your logs for any
>> 16-17Kb spams which could possibly contain an attachment called
>> "start.zip" (grep should find it in raw queue files, if you're
>> wondering how to do that for raw queue files), which have not
>> always been detected as infected.
>>
>> You might want to use the "Archive Mail" feature of
>> MailScanner.conf for a while to see if you're getting anything like
>> that, in case you are suffering the problem.
>>
>> We would very much like to know how widespread this problem is, so
>> please report back with your findings and we'll take a straw poll
>> of the respondents.
>>
>> Thanks folks!
>>
>> Jules
>>
> Running MS 4.71.10 with Postfix 2.3.3 and CentOS 5.2.
> Many of these, actually 79 in the last 36 hours or so have been
> caught successfully.
>
> Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND
> Sep 14 07:25:29 iolaos-new MailScanner[15957]: /var/spool/MailScanner/incoming/15957/./C8E378C2A5.BBD68/start.zip: Trojan.Fakealert-532 FOUND
> Sep 14 07:26:05 iolaos-new MailScanner[15906]: /var/spool/MailScanner/incoming/15906/./6C6408C2A7.5DEC0/start.zip: Trojan.Fakealert-532 FOUND
> Sep 14 07:30:16 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./C5C768C2AA.09A93/start.zip: Trojan.Fakealert-532 FOUND
> .......
> cat maillog|grep DC59F8C275.169EC
> Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND
> Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe: Trojan.Fakealert-532 FOUND
> Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message DC59F8C275.169EC came from 83.206.158.181
> Sep 14 07:25:25 iolaos-new MailScanner[16162]: Filename Checks: (DC59F8C275.169EC Start.exe)
>
>
> Andreas
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
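Jules asks Postfix/CentOS admins to check their logs and raw queue files for 16-17Kb messages carrying a "start.zip" attachment, and Andreas replies with the MailScanner log lines that show what a successful detection looks like. The script below is an added example, not code from this thread or from MailScanner: it parses syslog lines in the MailScanner format shown above into a per-queue-ID summary (files flagged, signature, source IP) so a site can count how many such messages it has seen, and it walks a directory of raw queue files looking for ones in the 16-17Kb size window that mention the attachment name, which is the case where the scanner did not flag anything and the message would only show up in the archive or queue. The log lines and queue files it ships with are constructed samples (documentation IPs, made-up queue IDs), and the size window is an assumed interpretation of "16-17Kb" as 16 to 17 KiB; adjust the parameters to your own environment.

```python
"""Summarise MailScanner detections and look for unflagged queue files that
match the size/attachment-name pattern discussed in the thread.

Added example; not part of the thread or of MailScanner itself.
"""
import os
import re
import tempfile
from collections import defaultdict

KB = 1024

# Constructed sample log lines in the format MailScanner writes to syslog,
# modelled on the lines posted in the thread (IPs are documentation addresses).
SAMPLE_LOG = """\
Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe: Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message DC59F8C275.169EC came from 192.0.2.10
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Filename Checks: (DC59F8C275.169EC Start.exe)
Sep 14 07:25:29 iolaos-new MailScanner[15957]: /var/spool/MailScanner/incoming/15957/./C8E378C2A5.BBD68/start.zip: Trojan.Fakealert-532 FOUND
Sep 14 07:25:30 iolaos-new MailScanner[15957]: Infected message C8E378C2A5.BBD68 came from 198.51.100.7
"""

# "<path>/<queue-id>/<file>: <signature> FOUND"; the queue ID is the
# hex.hex directory component that MailScanner creates per message.
FOUND_RE = re.compile(
    r"MailScanner\[\d+\]: \S*/(?P<qid>[0-9A-F]+\.[0-9A-F]+)/(?P<file>[^/:]+): "
    r"(?P<sig>\S+) FOUND\s*$"
)
FROM_RE = re.compile(r"Infected message (?P<qid>\S+) came from (?P<ip>\S+)")


def summarise(log_text):
    """Group FOUND / 'came from' lines by queue ID.

    Returns {qid: {"files": [...], "signatures": set(...), "source": ip-or-None}}.
    """
    msgs = defaultdict(lambda: {"files": [], "signatures": set(), "source": None})
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            rec = msgs[m["qid"]]
            rec["files"].append(m["file"])
            rec["signatures"].add(m["sig"])
            continue
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]]["source"] = m["ip"]
    return dict(msgs)


def count_with_attachment(summary, name="start.zip"):
    """How many messages in the summary had an attachment with this name (case-insensitive)."""
    return sum(1 for rec in summary.values()
               if any(f.lower() == name.lower() for f in rec["files"]))


def find_candidate_files(root, marker=b"start.zip", min_size=16 * KB, max_size=17 * KB):
    """Walk a directory of raw queue files (ideally a copy made with the queue
    stopped, or the MailScanner archive directory) and return the files whose
    size is inside [min_size, max_size] and whose raw bytes mention the marker.
    The size window is the 16-17Kb figure from the thread, read as KiB."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # vanished or unreadable queue file; skip it
            if not (min_size <= size <= max_size):
                continue
            with open(path, "rb") as fh:
                if marker.lower() in fh.read().lower():
                    hits.append(path)
    return sorted(hits)


def demo_candidate_scan():
    """Build a constructed three-file queue in a temp dir and scan it."""
    header = b'Content-Disposition: attachment; filename="start.zip"\r\n'
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            # right size, attachment name present: the only expected hit
            "A1B2C3D4E5.F6A7B": header + b"X" * (16 * KB + 512 - len(header)),
            # right size, no attachment name: must not match
            "B2C3D4E5F6.A7B8C": b"Y" * (16 * KB + 512),
            # attachment name present but far too small: must not match
            "C3D4E5F6A7.B8C9D": header + b"Z" * 1024,
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in find_candidate_files(tmp)]


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for qid, rec in summary.items():
        print(qid, rec["source"], rec["files"], sorted(rec["signatures"]))
    print("messages with start.zip:", count_with_attachment(summary))
    print("unflagged candidates in sample queue:", demo_candidate_scan())
```

Run it against a real maillog with `summarise(open("/var/log/maillog").read())` and against a copy of the Postfix queue (or the MailScanner archive directory) with `find_candidate_files("/path/to/copy")`; the count from the first and the list from the second together are the figures the straw poll asks for, i.e. how many of these messages were caught and whether any slipped through unflagged.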