Potential Postfix CentOS message unpacking bug

Alex Neuman van der Hans alex at rtpty.com
Mon Sep 15 14:40:28 IST 2008


I'm not affected since I use sendmail, but if you guys post a brief  
howto regarding submitting samples I'll be glad to help.

---

Alex Neuman
Reliant Technologies
+507 6781-9505
Skype: alexneuman

On Sep 15, 2008, at 7:26 AM, Andreas Kasenides <Andreas.Kasenides at cs.ucy.ac.cy> wrote:

> Julian Field wrote:
>>
>> As some of you may have already realised, a few people are having a
>> problem on particular OS's when using Postfix, where messages
>> generated by a particular Trojan are not being unpacked properly.
>>
>> So Postfix users on CentOS, please can you check your logs for any
>> 16-17Kb spams which could possibly contain an attachment called
>> "start.zip" (grep should find it in raw queue files, if you're
>> wondering how to do that for raw queue files), which have not
>> always been detected as infected.
>>
>> You might want to use the "Archive Mail" feature of  
>> MailScanner.conf for a while to see if you're getting anything like  
>> that, in case you are suffering the problem.
>>
>> We would very much like to know how widespread this problem is, so  
>> please report back with your findings and we'll take a straw poll  
>> of the respondents.
>>
>> Thanks folks!
>>
>> Jules
>>
> Running MS 4.71.10 with Postfix 2.3.3 and CentOS 5.2.
> Many of these, actually 79 in the last 36 hours or so, have been
> caught successfully.
>
> Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND
> Sep 14 07:25:29 iolaos-new MailScanner[15957]: /var/spool/MailScanner/incoming/15957/./C8E378C2A5.BBD68/start.zip: Trojan.Fakealert-532 FOUND
> Sep 14 07:26:05 iolaos-new MailScanner[15906]: /var/spool/MailScanner/incoming/15906/./6C6408C2A7.5DEC0/start.zip: Trojan.Fakealert-532 FOUND
> Sep 14 07:30:16 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./C5C768C2AA.09A93/start.zip: Trojan.Fakealert-532 FOUND
> .......
> cat maillog|grep DC59F8C275.169EC
> Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND
> Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe: Trojan.Fakealert-532 FOUND
> Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message DC59F8C275.169EC came from 83.206.158.181
> Sep 14 07:25:25 iolaos-new MailScanner[16162]: Filename Checks: (DC59F8C275.169EC Start.exe)
>
>
> Andreas
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
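Julian's request above amounts to two checks: find the 16-17 KB queue files that carry a "start.zip" attachment, and compare them against the MailScanner syslog lines to see which of those were actually flagged. The script below is an added example written for this page, not code from the thread or from the MailScanner project. It assumes the log line shapes quoted by Andreas, and it assumes (labelled as such in the code) that the MailScanner id "DC59F8C275.169EC" is the Postfix queue id followed by a dot-separated suffix. All sample data is constructed; the queue "files" are MIME-header stand-ins padded to the size window, not real Postfix record-format files.

```python
"""Triage helper for the "start.zip" unpacking problem from the thread.

Check 1: which raw queue files sit in the 16-17 KB window and contain the
attachment name (what 'grep start.zip' over the queue would report).
Check 2: which of those MailScanner actually flagged in its syslog lines.
Anything in (1) but not in (2) is the case the thread is asking about.
"""
import os
import re
from collections import defaultdict

# Shapes of the two log lines quoted in the thread (assumed stable).
FOUND_RE = re.compile(
    r"MailScanner\[\d+\]: /var/spool/MailScanner/incoming/\d+/\./"
    r"(?P<msgid>[0-9A-F]+\.[0-9A-F]+)/(?P<file>[^:]+): (?P<sig>\S+) FOUND"
)
INFECTED_RE = re.compile(
    r"Infected message (?P<msgid>[0-9A-F]+\.[0-9A-F]+) came from (?P<ip>\S+)"
)


def parse_mailscanner_log(log_text):
    """Map MailScanner message id -> set of (file, signature) that were flagged."""
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        m = FOUND_RE.search(line)
        if m:
            flagged[m.group("msgid")].add((m.group("file"), m.group("sig")))
    return dict(flagged)


def infected_sources(log_text):
    """Map MailScanner message id -> sending IP from the 'Infected message' lines."""
    return {m.group("msgid"): m.group("ip")
            for m in (INFECTED_RE.search(l) for l in log_text.splitlines()) if m}


def postfix_queue_id(msgid):
    """Assumption: 'DC59F8C275.169EC' is the Postfix queue id plus a suffix,
    so the matching raw queue file is named DC59F8C275."""
    return msgid.split(".", 1)[0]


def scan_raw_queue(entries, marker=b"start.zip", min_size=16 * 1024, max_size=17 * 1024):
    """entries: iterable of (queue_id, raw_bytes). Return the queue ids whose raw
    size is inside the window and whose bytes contain the marker, case-insensitively."""
    marker = marker.lower()
    return [qid for qid, raw in entries
            if min_size <= len(raw) <= max_size and marker in raw.lower()]


def walk_queue_dir(path):
    """Yield (filename, bytes) for every regular file under a queue directory,
    so scan_raw_queue(walk_queue_dir('/var/spool/postfix/hold')) works on a live box."""
    for root, _dirs, files in os.walk(path):
        for name in files:
            with open(os.path.join(root, name), "rb") as fh:
                yield name, fh.read()


def undetected_suspects(log_text, entries):
    """Queue ids that look like the spam but never appear in a FOUND line."""
    flagged_qids = {postfix_queue_id(m) for m in parse_mailscanner_log(log_text)}
    return [qid for qid in scan_raw_queue(entries) if qid not in flagged_qids]


# Constructed sample log, in the format quoted in the thread.
SAMPLE_LOG = """\
Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/start.zip: Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: /var/spool/MailScanner/incoming/16162/./DC59F8C275.169EC/Start.exe: Trojan.Fakealert-532 FOUND
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Infected message DC59F8C275.169EC came from 83.206.158.181
Sep 14 07:25:25 iolaos-new MailScanner[16162]: Filename Checks: (DC59F8C275.169EC Start.exe)
"""


def _fake_queue_file(qid, attachment_name, size):
    """Constructed stand-in for a raw queue file: MIME headers plus padding."""
    body = (b"From: sender@example.invalid\r\nSubject: constructed sample\r\n"
            b"Content-Type: application/zip; name=\"" + attachment_name + b"\"\r\n"
            b"Content-Disposition: attachment; filename=\"" + attachment_name + b"\"\r\n\r\n")
    return qid, body + b"A" * (size - len(body))


SAMPLE_QUEUE = [
    _fake_queue_file("DC59F8C275", b"start.zip", 16_500),   # flagged in SAMPLE_LOG
    _fake_queue_file("0A1B2C3D4E", b"START.ZIP", 16_900),   # placeholder id: same spam, no FOUND line
    _fake_queue_file("FFEEDDCCBB", b"report.pdf", 16_600),  # placeholder id: right size, other file
    _fake_queue_file("1234567890", b"start.zip", 4_000),    # placeholder id: too small for the window
]

if __name__ == "__main__":
    print("suspect queue files:", scan_raw_queue(SAMPLE_QUEUE))
    print("flagged by MailScanner:", sorted(parse_mailscanner_log(SAMPLE_LOG)))
    print("suspects with no FOUND line:", undetected_suspects(SAMPLE_LOG, SAMPLE_QUEUE))
```

On a real host you would feed `walk_queue_dir()` the Postfix hold or incoming queue and the contents of `/var/log/maillog` to `undetected_suspects()`; the ids it returns are the ones worth archiving with the "Archive Mail" setting and reporting back to the list.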