Bob Proulx wrote:
> If the web server logs said it was 404 then that is an HTTP 404 return
> code and not an SMTP 404 return code since it is in the web server
> logs not the smtp server logs
I know that. (Sorry that I accidentally said they were SMTP response
codes, I do know better, they w
Rich Wales wrote:
> I did find some generally suspicious things in my web server logs --
> including lots of clients looking for the following item:
>
> /nette.micro?callback=shell_exec&cmd=ifconfig
>
> but there isn't any /nette.micro anywhere on my server, and all these
> GET requests f
> I would suggest that you fix the exploited script. Look for time
> stamps that appear in both web server logging and Postfix logging.
Thanks, Wietse. That would obviously be the best approach, if it
worked, but I tried it and (so far at least) haven't been able to find
any matching entries.
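As an added illustration of the timestamp-matching Wietse suggests (this is example code written for this page, not something posted in the thread): a small Python correlator that parses web-server access-log lines and Postfix smtpd lines, keeps only the requests that look like probes (the /nette.micro string quoted above plus generic command-injection markers) and only the smtpd events on the loopback interface, and then reports which of those smtpd events fall within a few seconds of each suspicious request. The log lines embedded below are constructed for the example; the client addresses, PIDs and queue ID are invented. It assumes both logs are written in the same local time zone and that the Postfix syslog lines carry the traditional year-less timestamp, so the caller supplies the year.

```python
"""Correlate suspicious web requests with Postfix smtpd activity on loopback.

Added example for this page, not code from the thread. Sample log lines
at the bottom are constructed (RFC 5737 addresses, invented PIDs/queue ID).
"""
import re
from datetime import datetime, timedelta

# Combined/common access-log line, e.g.
# 203.0.113.7 - - [19/Oct/2020:14:02:11 +0000] "GET /x HTTP/1.1" 404 196 ...
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Postfix smtpd line with the traditional syslog timestamp (no year), e.g.
# Oct 19 14:05:43 mgw postfix/smtpd[24200]: connect from localhost[127.0.0.1]
POSTFIX_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ '
    r'postfix/smtpd\[\d+\]: (?P<msg>.*)$'
)
# The nette.micro probe is the one quoted in the thread; the other two are
# generic markers for "run a command" style requests.
SUSPICIOUS = re.compile(r'nette\.micro|callback=shell_exec|[?&]cmd=', re.I)
# smtpd sessions that came in over the loopback interface (IPv4 or IPv6).
LOOPBACK = re.compile(r'localhost\[127\.0\.0\.1\]|\[::1\]')


def parse_access(line):
    """Return {'ts', 'client', 'method', 'path', 'status'} or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # Assumption: both logs use the same local zone, so the offset is parsed
    # for validity and then dropped to compare naive timestamps.
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').replace(tzinfo=None)
    return {'ts': ts, 'client': m['client'], 'method': m['method'],
            'path': m['path'], 'status': m['status']}


def parse_postfix(line, year):
    """Return {'ts', 'msg'} for a postfix/smtpd line, or None.
    Traditional syslog omits the year, so the caller supplies it."""
    m = POSTFIX_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=year)
    return {'ts': ts, 'msg': m['msg']}


def suspicious_hits(access_lines):
    """Parsed access-log entries whose request path matches SUSPICIOUS."""
    return [e for e in map(parse_access, access_lines)
            if e and SUSPICIOUS.search(e['path'])]


def loopback_smtpd_events(mail_lines, year):
    """Parsed smtpd entries whose message mentions a loopback client."""
    return [e for e in (parse_postfix(l, year) for l in mail_lines)
            if e and LOOPBACK.search(e['msg'])]


def correlate(access_lines, mail_lines, year, window_seconds=5):
    """For each suspicious web request, collect loopback smtpd events within
    +/- window_seconds of it. Requests with no nearby event are dropped."""
    delta = timedelta(seconds=window_seconds)
    events = loopback_smtpd_events(mail_lines, year)
    out = []
    for hit in suspicious_hits(access_lines):
        near = [ev for ev in events if abs(ev['ts'] - hit['ts']) <= delta]
        if near:
            out.append({'web': hit, 'mail': near})
    return out


# Constructed sample logs (not from the thread).
ACCESS_LOG = """\
203.0.113.7 - - [19/Oct/2020:14:02:11 +0000] "GET /nette.micro?callback=shell_exec&cmd=ifconfig HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Oct/2020:14:05:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Oct/2020:14:05:42 +0000] "POST /contact.php?cmd=ifconfig HTTP/1.1" 200 310 "-" "curl/7.68.0"
"""
MAIL_LOG = """\
Oct 19 14:02:30 mgw postfix/smtpd[24119]: connect from unknown[203.0.113.7]
Oct 19 14:05:43 mgw postfix/smtpd[24200]: connect from localhost[127.0.0.1]
Oct 19 14:05:43 mgw postfix/smtpd[24200]: 4CF1A2B3C4: client=localhost[127.0.0.1]
Oct 19 14:05:44 mgw postfix/smtpd[24200]: disconnect from localhost[127.0.0.1]
Oct 19 14:09:01 mgw postfix/smtpd[24250]: connect from localhost[127.0.0.1]
"""

if __name__ == '__main__':
    for r in correlate(ACCESS_LOG.splitlines(), MAIL_LOG.splitlines(), year=2020):
        w = r['web']
        print(f"{w['ts']} {w['client']} {w['method']} {w['path']} -> {w['status']}")
        for ev in r['mail']:
            print(f"    {ev['ts']} smtpd: {ev['msg']}")
```

In the constructed data the 404 for /nette.micro has no smtpd neighbour (the script does not exist, so nothing ran), while the POST that returned 200 is followed one second later by a loopback SMTP session; that is the kind of pair to go looking for in the real logs. If the injected mail went through /usr/sbin/sendmail rather than SMTP, there will be no smtpd line at all; then match against postfix/pickup lines showing the web server's uid instead.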
Rock solid solution is to separate htdocs (a folder that is accessible via
web) from the code folder (the one with scripts).
I do not know how that could be done with PHP (I believe you can serve
static files with nginx and run php as FPM connected to the nginx with
FastCGI) but in Python world we
On 19.10.2020 at 18:26:28 Demi M. Obenour wrote:
> Can this be mitigated by denying the PHP user write permission on
> any directory where PHP files will be executed?
There are multiple methods to mitigate this; this may be one of them.
But unsecured scripts that allow such behaviour are s
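To make the mitigation Demi asks about checkable, here is an added example (written for this page, not posted in the thread) that walks a document root and reports every directory holding PHP files, and every PHP file, that a given worker uid/gid could write to, using the ordinary Unix permission rule (owner bits if the uid matches, group bits if a gid matches, otherwise the "other" bits). The uid/gid values, the www-data user name and the temporary directory tree it builds for demonstration are all assumptions for the example.

```python
"""Report directories with PHP files that the PHP worker could write into.

Added example for this page, not from the thread. The demo tree built by
build_demo_tree() is constructed; the uid 24601 used in the checks is an
arbitrary placeholder for the PHP worker's uid.
"""
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """Classic Unix check: can a process with this uid and these gids write
    the object described by stat result st? root can always write."""
    if uid == 0:
        return True
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def php_dirs_writable_by(root, uid, gids):
    """Walk root (without following symlinks) and return, sorted, every
    directory that contains PHP files and is writable by (uid, gids), plus
    every PHP file that is itself writable by them."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        php_files = [f for f in filenames if f.lower().endswith(('.php', '.phtml'))]
        if not php_files:
            continue
        if writable_by(os.lstat(dirpath), uid, gids):
            findings.append(dirpath)
        for f in php_files:
            path = os.path.join(dirpath, f)
            if writable_by(os.lstat(path), uid, gids):
                findings.append(path)
    return sorted(findings)


def build_demo_tree():
    """Constructed docroot in a temp dir: 'app' is locked down (0755 dir,
    0644 file), 'uploads' is not (0777 dir, 0666 file).
    Returns (root, bad_dir, bad_file)."""
    root = tempfile.mkdtemp(prefix='docroot-')
    good = os.path.join(root, 'app')
    bad = os.path.join(root, 'uploads')
    os.mkdir(good)
    os.mkdir(bad)
    for d, file_mode in ((good, 0o644), (bad, 0o666)):
        path = os.path.join(d, 'index.php')
        with open(path, 'w') as fh:
            fh.write('<?php echo "hello";\n')
        os.chmod(path, file_mode)
    os.chmod(good, 0o755)
    os.chmod(bad, 0o777)
    return root, bad, os.path.join(bad, 'index.php')


def worker_ids(username='www-data', fallback_uid=24601):
    """Resolve the PHP worker's uid and gids; fall back to placeholder
    values when the account does not exist on this machine."""
    try:
        import pwd
        import grp
        pw = pwd.getpwnam(username)
        gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
        return pw.pw_uid, gids
    except (ImportError, KeyError):
        return fallback_uid, {fallback_uid}


if __name__ == '__main__':
    root, _, _ = build_demo_tree()
    uid, gids = worker_ids()
    for hit in php_dirs_writable_by(root, uid, gids):
        print('writable by PHP worker:', hit)
```

Run it against the real document root with the uid the FPM pool or Apache module actually runs as; anything it lists is a place where a compromised script could drop or overwrite PHP code. Directories the application must be able to write to (uploads, caches) should then not be allowed to execute PHP at all, which is a web-server configuration question rather than a permission one.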
On 10/19/20 3:29 PM, Jaroslaw Rafa wrote:
> On 19.10.2020 at 21:12:20 John Fawcett wrote:
>> Sorry not to be able to give a definitive answer. Typical mail injection
>> via php will use a script that already calls the php mail function or
>> similar functions that open the smtp connection. B
@lbutlr wrote:
> Bob Proulx wrote:
> > Since 199.5.50.180 does not appear in the allowance for the SPF
> > records that I can see
>
> dig -x 199.5.50.180 +short
> br2.vw.com.
>
> VW does own Audi, so... mystery deepens?
That's simply the reverse DNS PTR record. Anyone can set their own
PTR rec
> On Oct 19, 2020, at 7:19 PM, @lbutlr wrote:
>
> dig -x 199.5.50.180 +short
> br2.vw.com.
>
> VW does own Audi, so… mystery deepens?
Anyone can spoof PTR records, but in this case the address really
does appear to be VW:
NetRange: 199.5.32.0 - 199.5.63.255
CIDR: 199.5.32.0/19
On 19 Oct 2020, at 13:13, Bob Proulx wrote:
> Since 199.5.50.180 does not appear in the allowance for the SPF
> records that I can see
dig -x 199.5.50.180 +short
br2.vw.com.
VW does own Audi, so… mystery deepens?
--
'They're the cream!' Rincewind sighed. 'Cohen, they're the cheese.'
Rich Wales:
> This question is kind-of related to my recent open relay problem, which
> at the moment seems most likely caused by a hacker invading my mail
> server (possibly through a web service running on the same box) and
> injecting fraudulent messages into my server directly via the localhost
Bob Proulx wrote:
> The default PHP "mail()" method sends mail by using the system's
> /usr/sbin/sendmail interface rather than SMTP.
>
> https://www.php.net/manual/en/mail.requirements.php
> https://www.php.net/manual/en/function.mail.php
Oh! It depends upon the system's php.ini configur
If someone hacked your PHP script, he or she may add any code to it,
including code that connects to your smtpd and sends email.
In PHP one can use the mail() function (which can use a TCP connection to
localhost:25 according to the settings in php.ini) or establish a connection
directly.
As we can se
This question is kind-of related to my recent open relay problem, which
at the moment seems most likely caused by a hacker invading my mail
server (possibly through a web service running on the same box) and
injecting fraudulent messages into my server directly via the localhost
interface.
Postfix
Rich Wales wrote:
> If the problem were in fact due to a hijacked PHP page, btw, would this
> necessarily require the page to be using e-mail or TCP connections
> already for its own legitimate purposes, but being co-opted by a hacker
> to nefarious ends? Or could *any* PHP script theoretically be
On 19.10.2020 at 21:12:20 John Fawcett wrote:
> Sorry not to be able to give a definitive answer. Typical mail injection
> via php will use a script that already calls the php mail function or
> similar functions that open the smtp connection. But there are other
> attack vectors that are po
Joey J wrote:
> I'm trying to understand why this is telling me host not found.
> On that same server if I nslookup the ip it does resolve.
>
> Oct 18 16:00:51 mgw postfix/smtpd[24119]: NOQUEUE: reject: RCPT from
> unknown[199.5.50.180]: 450 4.7.1 : Helo command rejected: Host
> not found; from= t
On 19/10/2020 20:50, Rich Wales wrote:
> John Fawcett wrote:
>
>> One thing I would suggest looking at is if there is a web server running
>> on the same host it may be allowing email to be injected into postfix
>> via smtp on the loopback interface using some scripting language like
>> php or othe
John Fawcett wrote:
> One thing I would suggest looking at is if there is a web server running
> on the same host it may be allowing email to be injected into postfix
> via smtp on the loopback interface using some scripting language like
> php or others.
I suppose that's possible.
I spent some