Re: postfix on wwwmaster.postgresql.org is shut down ...
From | Gavin M. Roy |
---|---|
Subject | Re: postfix on wwwmaster.postgresql.org is shut down ... |
Date | |
Msg-id | 6E483DBB-77C4-4B50-AB91-2606A2B08B08@ehpg.net |
In reply to | Re: postfix on wwwmaster.postgresql.org is shut down ... ("Magnus Hagander" <mha@sollentuna.net>) |
Responses | Re: postfix on wwwmaster.postgresql.org is shut down |
List | pgsql-www |

Thanks, I'll send an abuse complaint to ev1, like they'll do anything.

Regards,

Gavin

On Dec 16, 2005, at 12:48 PM, Magnus Hagander wrote:

>> There are 23k messages in the queue right now that have been
>> 'received from localhost' by user www@svr2.postgresql.org ...
>> someone is making use of a 'hole' in one of our CGIs, but I
>> can't seem to figure out which one, so have let Dave/Magnus
>> know and hopefully they can figure out which one ...
>>
>> Until we've found and plugged the hole, postfix is down ...
>> if someone reports a problem with sending an email, please
>> let us know ...
>
>
> Problem identified.
>
> There was a horribly old and outdated version of awstats.pl on the
> system, that was for some reason linked in and possible to use without
> any authentication or anything. There are known security issues in it,
> and adding logging everywhere showed that that's what was exploited
> using the srv2.postgresql.org virtual server (which isn't even in
> use).
>
> I've disabled it in apache and removed the files from the server as
> well.
>
> Yet another example of why it's overdue that we're doing something about
> all the stuff that's installed and active, but not actually used :-( But
> as that is work in progress now, I'll just wait for that to get done :-)
>
> I've re-enabled postfix after deleting all the spam in the queue.
>
> If someone wants to pursue it (Gavin?), the hits came in from
> 66.98.214.41, which is on ev1servers.net. There are still log files
> available showing four requests to it that coincided perfectly with spam
> mail entering the queue.
>
> //Magnus

Gavin M. Roy
800 Pound Gorilla
gmr@ehpg.net
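
The log correlation described in the quoted message (requests to awstats.pl coinciding with mail entering the queue), as an added example that is not part of the original thread: it pairs web-server hits on one script with postfix/pickup submissions by the web user. The log lines, IP addresses, the /cgi-bin/ path, the 5-second window and the function names are constructed for illustration, and both logs are assumed to share one clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs, not from the real incident (documentation IP ranges).
ACCESS_LOG = """\
203.0.113.7 - - [16/Dec/2005:10:15:02 +0000] "GET /cgi-bin/awstats.pl HTTP/1.1" 200 512
198.51.100.9 - - [16/Dec/2005:10:16:40 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [16/Dec/2005:10:20:31 +0000] "GET /cgi-bin/awstats.pl HTTP/1.1" 200 512
"""
MAIL_LOG = """\
Dec 16 10:15:03 svr postfix/pickup[2101]: A1B2C3D4E5: uid=80 from=<www>
Dec 16 10:18:00 svr postfix/pickup[2101]: B2C3D4E5F6: uid=0 from=<root>
Dec 16 10:20:33 svr postfix/pickup[2101]: C3D4E5F6A7: uid=80 from=<www>
Dec 16 10:40:00 svr postfix/pickup[2101]: D4E5F6A7B8: uid=80 from=<www>
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')
PICKUP_RE = re.compile(r'^(\w{3}\s+\d+ [\d:]+) \S+ postfix/pickup\[\d+\]: (\w+): uid=\d+ from=<([^>]*)>')

def script_hits(access_text, script):
    """Yield (time, client_ip) for requests whose path contains `script`."""
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and script in m.group(3):
            # The UTC offset is dropped because syslog lines carry none.
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ts.replace(tzinfo=None), m.group(1)

def local_submissions(mail_text, user, year):
    """Yield (time, queue_id) for mail handed to postfix/pickup by `user`."""
    for line in mail_text.splitlines():
        m = PICKUP_RE.match(line)
        if m and m.group(3) == user:
            # Syslog timestamps carry no year, so the caller supplies it.
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def correlate(access_text, mail_text, script="awstats.pl", user="www", year=2005, window=5):
    """Map client IP -> queue IDs submitted within `window` seconds after a hit."""
    hits = list(script_hits(access_text, script))
    matched = {}
    for mail_ts, qid in local_submissions(mail_text, user, year):
        for hit_ts, ip in hits:
            if timedelta(0) <= mail_ts - hit_ts <= timedelta(seconds=window):
                matched.setdefault(ip, []).append(qid)
                break
    return matched

if __name__ == "__main__":
    print(correlate(ACCESS_LOG, MAIL_LOG))
```

Messages from the web user that match no request (the 10:40:00 entry in the sample) stay out of the result, which separates legitimate CGI mail from submissions tied to the suspect script.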