<0> bleh
<0> i like my GUI, but all of the plugins and other nonsense to browsers remind me of what happened to emacs
<1> haha
<0> i'll use program A to do foo and program B to do bar, tyvm. it's NOT THAT HARD PEOPLE!
<0> ;p
<1> emacs has mozilla included in base
<0> hahahaha
<0> case in point
<2> RedACE, Great thx...
<3> where do I find the .exrc file for vi?
<4> anyone good with making debian packages? How can I get debuild to ignore .svn directories when it tars up the source?
<5> hmm, bash was being run as APACHE, and that process was using 99% OF CPU, how can this be? what's going on? and how can i stop this from happening?
<6> anyone can run a process and make it appear as something els
<6> else*
<7> woah weird..
<7> i just got an email from my server with spam as if I sent it
<7> my uid in the headers and all
<6> why is that weird?
<7> mail logs have it.. so it's not php something
<7> because I didn't send it
<6> so?
<6> anyone can say they are anyone when sending mail
<7> not with my server
<6> oh ok
<6> :/
<0> RedACE, the SMTP protocol allows it, yes
<0> but there are several checks on most servers nowadays that look for spoofing
<0> unfortunately, there are still a LOT of servers out there that do NOT do any of those checks. "open relays"
<6> gee thanks
<0> they are the source of much grief and nonsense and are exploited daily.
<7> hmm nothing very interesting in the http logs
<6> look at the full headers of the email
<6> where did it come from?
<7> where the heck did this come from..
<6> look at the full headers of the email
<7> it says it was me uid=1000 <robi>
<6> that's all the full headers say, eh?
<7> Received: by zmaj (Postfix, from userid 1000)
<7> id B89091E407D; Thu, 22 Jun 2006 08:19:15 -0700 (PDT)
<7> somehow postfix sent it
<7> the weird thing is why send it directly to me and noone else
<7> that's the freaky thing
<7> Jun 22 08:19:15 toldyouso postfix/pickup[30656]: B89091E407D: uid=1000 from=<robi>
<7> then it does a cleanup and smtp to my gmail account which isn't listed there
<7> then there's anvil doing stats
<7> hmmm
<7> it looks exactly like I had sent it from my mail client
<7> how can that be
<7> any ideas ?
<8> Yeah, I have an idea! But I'll need a box of rutabagas, a little K-Y jelly, and 5 or 6 rabid platypuses. And keep the Cabal off my back for the next few hours!
<7> heh
<9> skdlfhl32
<1> sounds like the name of a good virus
<10> xDD
<7> this is not making any sense
<11> o rly?
<7> how the hell can someone send mail as me
<11> telnet
<11> :p
<7> no
<7> it says it was local
<6> pastebin full headers
<7> somehow invoked as if I used mutt, cept the headers don't show a useragent or other niceties
<7> eh i crashed pastebin
<11> :p
<1> so it was sent locally?
<7> sec
<1> there was no TCP smtp connection?
<7> right
<1> was it like uid@hostname ?
<7> i'll show you hold on
<1> not some sort of housekeeping script, a crontab set to run under your uid.
<1> alright
<1> ta
<7> ok **** pastebin
<7> http://toldyouso.com/problememail.txt
<1> are you running a web server?
<7> yep
<7> lighty
<1> any chance a script could have been compromised?
<7> not that I can tell, and even if it was it wouldn't come to me.. afaict
<7> if it were script wise it's be php probably and wouldn't use postfix or my uid
<7> it'd
<1> php mail() would talk to your sendmail binary
<1> and deliver the message locally, without using SMTP transport
<7> not as me
<1> yeah
<1> that's the odd thing
<7> as the nobody user lighty runs under
<1> your domain has an SPF record right ?
<7> dunno prolly not, but google let it thru
<1> so this happened about 8am ish
<1> any crontabs or scripts for that time ?
<7> yep, no
<7> more in the txt now, example of me sending email from mutt
<7> legit with user-agent etc
<1> I see
<7> 208.66.195.11 - - - [22/Jun/2006:08:32:07 -0700] "" 349 400 "-" "-"
<7> 208.66.195.11 - - - [22/Jun/2006:08:32:08 -0700] "" 349 400 "-" "-"
<7> 2
<7> odd but late
<7> 208.66.195.11 - - www.bellitaliaimports.com [22/Jun/2006:08:32:01 -0700] "GET / HTTP/1.1" 3666 200 "psycheclone" "-"
<1> alright so it was not sent by a legitimate mail client.. because they all have user-agents (xmailers etc)
<1> so the only option is maybe a script, executed locally under your uid
<7> i don't have such scripts laying around esp not with my gmail address in it
<1> see, if it was a spammer or hacker, they would have (presumably) spammed masses
<1> how about grepping your web dir for mail addresses
<12> Robi: what mta?
<1> postfix
<7> http://discussion.dreamhost.com/showflat.pl?Cat=&Board=forum_troubleshooting&Number=48241&page=4&view=expanded&sb=1&o=93&part=
<7> seems that could be from a harvester bot
<1> let me check my servers
<1> 208.66.195.7 - - [22/Jun/2006:13:59:23 +0000] "GET /robots.txt HTTP/1.1" 404 2259 "-" "psycheclone"
<1> 208.66.195.7 - - [22/Jun/2006:13:59:24 +0000] "GET / HTTP/1.1" 200 13447 "-" "psycheclone"
<13> hackerz
<9> 1 0wnz j00
<7> ya so i checked the obvious places for signs of gmail.com emails and only my resume page has it
<7> but i show 0 access to it
<1> so your mta relays gmail to your domain and vise versa?
<1> s/vise/vice
<7> no
<1> ohhhhh
<1> my bad
<7> that's the freaky thing nowhere is my gmail addie grabbable like that cept the resume page
<1> and I'm assuming the SPF-pass indicates that there is an SPF record for your domain, so it's unlikely that it is spoofed.
<7> like i said my mta sent it
<1> indeed
<1> have you checked for signs of breakins?
<7> it even knew I was Robi <robi@...>
<1> utmp, wtmp records, .bash_histories, etc
<7> no extra users
<7> lastlog is fine
<7> history is mine
<7> not sure what else to look at
<1> try running chkrootkit or rkhunter
<1> for peace of mind that it wasn't a break in really
<7> gotta install it
<1> what's zmaj ?
<7> t
<7> host
<1> ahh
<7> means dragon
<7> chkrootkit found nada
<7> see postfix has an upgrade
<7> and why would my server want to install wpasupplicant
<7> heh
<14> Napta, so I removed sdb, rebooted with a broken RAID, shut down the box and replaced sdb, rebuilt the RAID for / and /home, and e2fsck'd. e2fsck progressed a while and then got stuck.
<14> ssh no longer works, but squid does.
Return to #debian