Gordon,

Not an offending one. But the debug log is neither extensive nor surprising.

I have a little python attempting a root login with empty password:

    import smtplib

    hostname = 'mail.balclutha.org'

    print("constructing SMTP...")
    server = smtplib.SMTP(hostname)
    print("setting debug level...")
    server.set_debuglevel(1)   # echo the SMTP dialogue to stderr
    print("starting tls...")
    server.starttls()
    print("attempting login...")
    server.login('root', '')   # empty password

    Jun 16 18:34:07 gimp authdaemond: received auth request, service=esmtp, authtype=login
    Jun 16 18:34:07 gimp authdaemond: authpam: trying this module
    Jun 16 18:34:07 gimp authdaemond: incomplete username or missing password
    Jun 16 18:34:07 gimp authdaemond: authpam: REJECT - try next module
    Jun 16 18:34:07 gimp authdaemond: authldap: trying this module
    Jun 16 18:34:07 gimp authdaemond: incomplete authentication data
    Jun 16 18:34:07 gimp authdaemond: authldap: REJECT - try next module
    Jun 16 18:34:07 gimp authdaemond: FAIL, all modules rejected

This empty password would appear to have *always* been an impossible vector of attack - I don't even think it's bothering to call any underlying PAM modules.

If I attempt with a crapulous password (and given there's none set - what else could it be...):

    Jun 16 18:42:36 gimp authdaemond: authpam: trying this module
    Jun 16 18:42:36 gimp authdaemond: authpam: sysusername=root, sysuserid=<null>, sysgroupid=0, homedir=/root, address=root, fullname=root, maildir=<null>, quota=<null>, options=<null>
    Jun 16 18:42:36 gimp authdaemond: pam_service=esmtp, pam_username=root
    Jun 16 18:42:39 gimp authdaemond: pam_authenticate failed, result 7
    Jun 16 18:42:39 gimp authdaemond: authpam: REJECT - try next module
    Jun 16 18:42:39 gimp authdaemond: authldap: trying this module
    Jun 16 18:42:39 gimp authdaemond: using search filter: (mail=root)
    Jun 16 18:42:39 gimp authdaemond: number of entries returned: 0 (but we need exactly 1)
    Jun 16 18:42:39 gimp authdaemond: authldap: REJECT - try next module
    Jun 16 18:42:39 gimp authdaemond: FAIL, all modules rejected
    Jun 16 18:42:39 gimp courieresmtpd: error,relay=::ffff:121.44.92.142,msg="535 Authentication failed.",cmd: AUTH PLAIN AHJvb3QAYmxhYmxh root

I'm quite perplexed to understand how root could possibly inject mail messages from an external IP.

Alan
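
Added example, not part of the original message: a short Python parser run over log lines quoted above. It shows that the AUTH PLAIN argument recorded by courieresmtpd is only base64 (so the attempted password sits in the log) and groups each failure with the modules that rejected it. Pairing the REJECT lines with the next courieresmtpd error line is an assumption that holds for a quiet log like this one.

```python
import base64
import re

# Subset of the log lines quoted in the message above.
SAMPLE_LOG = """\
Jun 16 18:42:39 gimp authdaemond: pam_authenticate failed, result 7
Jun 16 18:42:39 gimp authdaemond: authpam: REJECT - try next module
Jun 16 18:42:39 gimp authdaemond: authldap: REJECT - try next module
Jun 16 18:42:39 gimp authdaemond: FAIL, all modules rejected
Jun 16 18:42:39 gimp courieresmtpd: error,relay=::ffff:121.44.92.142,msg="535 Authentication failed.",cmd: AUTH PLAIN AHJvb3QAYmxhYmxh root
"""

AUTH_FAIL = re.compile(
    r'courieresmtpd: error,relay=(?P<relay>[^,]+),msg="535 [^"]*",'
    r'cmd: AUTH PLAIN (?P<blob>[A-Za-z0-9+/=]+)')
MODULE_REJECT = re.compile(r'authdaemond: (?P<module>auth\w+): REJECT')


def decode_auth_plain(blob):
    """Split a SASL PLAIN response: authzid NUL authcid NUL passwd."""
    parts = base64.b64decode(blob, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN response")
    return tuple(p.decode("utf-8", "replace") for p in parts)


def failed_logins(log_text):
    """Return one record per failed AUTH PLAIN seen in the log text."""
    # Assumption: REJECT lines belong to the next courieresmtpd failure.
    records, rejected = [], []
    for line in log_text.splitlines():
        m = MODULE_REJECT.search(line)
        if m:
            rejected.append(m.group("module"))
            continue
        m = AUTH_FAIL.search(line)
        if m:
            _, user, passwd = decode_auth_plain(m.group("blob"))
            records.append(dict(relay=m.group("relay"), user=user,
                                password_in_log=bool(passwd),
                                rejected_by=rejected))
            rejected = []
    return records


if __name__ == "__main__":
    for rec in failed_logins(SAMPLE_LOG):
        print(rec)
```

Because the logged command carries the submitted password in recoverable form, logs containing failed AUTH PLAIN commands should be handled as credential-bearing data.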