Package: spamassassin
Version: 3.0.3-2sarge1
Severity: normal
Spamassassin opened a variety of UDP ports (46317 -> 46338) on a Debian
sarge mail server where it is invoked from a user .procmailrc as below.
| /usr/bin/spamassassin -P
The server has the latest updates applied.
The ports were then closed around four hours later. I guess that some
malicious email(s) hijacked the process(es) and opened these ports?
The process(es) were running as a user which gets a fair volume of spam
and ham.
The warning messages I received were from the Tiger automatic auditor.
On Sat, 12 Aug 2006 20:00:10 +0100 it reported the ports opened:
# Checking listening processes
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46317 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46318 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46320 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46321 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46322 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46323 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46324 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46325 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46326 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46327 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46328 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46329 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46330 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46332 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46333 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46334 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46335 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46337 (UDP on every interface) is run by aa.
NEW: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46338 (UDP on every interface) is run by aa.
Then on Sun, 13 Aug 2006 00:00:16 +0100 it reported the ports closed:
# Checking listening processes
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46317 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46318 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46320 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46321 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46322 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46323 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46324 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46325 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46326 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46327 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46328 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46329 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46330 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46332 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46333 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46334 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46335 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46337 (UDP on every interface) is run by aa.
OLD: --WARN-- [lin003w] The process `spamassassin' is listening on
socket 46338 (UDP on every interface) is run by aa.
Please let me know if I can supply any more information to help track
this problem down.
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-3-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages spamassassin depends on:
ii  debconf                  1.4.30.13       Debian configuration management sy
ii  libdigest-sha1-perl      2.10-1          NIST SHA-1 message digest algorith
ii  libhtml-parser-perl      3.45-2          A collection of modules that parse
ii  perl [libstorable-perl]  5.8.4-8sarge4   Larry Wall's Practical Extraction
ii  spamc                    3.0.3-2sarge1   Client for SpamAssassin spam filte
-- debconf information:
* spamassassin/upgrade/2.40:
spamassassin/upgrade/2.40w:
* spamassassin/upgrade/cancel: Continue
* spamassassin/upgrade/2.42m: No
spamassassin/upgrade/2.42u: No
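
A triage helper for the two Tiger reports above, added here as an example and not part of the original report or of Tiger: it pairs each NEW lin003w warning with a later OLD one, lists any socket that was never reported closed, and collapses the ports into contiguous runs. The function names are assumptions of this example, and the sample text is constructed from the port numbers and timestamps given in the report.

```python
import re
from email.utils import parsedate_to_datetime

# Tiger wraps each lin003w warning over two lines, so match across the break.
WARN = re.compile(
    r"^(NEW|OLD): --WARN-- \[lin003w\] The process `([^']+)' is listening on\s+"
    r"socket (\d+) \((\w+) on ([^)]+)\) is run by (\S+)\.", re.M)

def parse(text):
    """Map 'NEW'/'OLD' to a set of (process, user, proto, port) tuples."""
    seen = {"NEW": set(), "OLD": set()}
    for tag, proc, port, proto, _iface, user in WARN.findall(text):
        seen[tag].add((proc, user, proto, int(port)))
    return seen

def runs(ports):
    """Collapse port numbers into contiguous (low, high) runs."""
    out = []
    for p in sorted(ports):
        if out and p == out[-1][1] + 1:
            out[-1] = (out[-1][0], p)
        else:
            out.append((p, p))
    return out

def triage(opened_report, closed_report):
    """Pair the sockets of a NEW report with those of a later OLD report."""
    new, old = parse(opened_report)["NEW"], parse(closed_report)["OLD"]
    return {"still_open": sorted(new - old),
            "owners": sorted({(proc, user) for proc, user, _, _ in new}),
            "runs": runs(port for *_, port in new)}

def window(first_seen, gone):
    """Time between two audit runs; the sockets closed at some point inside it."""
    return parsedate_to_datetime(gone) - parsedate_to_datetime(first_seen)

# Constructed sample: Tiger-format lines rebuilt from the port numbers in the report.
PORTS = [46317, 46318, *range(46320, 46331), *range(46332, 46336), 46337, 46338]

def render(tag, ports):
    return "".join(f"{tag}: --WARN-- [lin003w] The process `spamassassin' is listening on\n"
                   f"socket {p} (UDP on every interface) is run by aa.\n" for p in ports)

if __name__ == "__main__":
    print(triage(render("NEW", PORTS), render("OLD", PORTS)))
    print(window("Sat, 12 Aug 2006 20:00:10 +0100", "Sun, 13 Aug 2006 00:00:16 +0100"))
```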