[BlueOnyx:08507] 5106R Majordomo vulnerability?

Chris Gebhardt - VIRTBIZ Internet cobaltfacts at virtbiz.com
Mon Sep 19 09:16:49 -05 2011 

A customer server showed up on the UCEPROTECT list overnight, and it 
looks like Majordomo played a role.  UCEPROTECT gives a timestamp of the 
message that causes a listing, so that makes it pretty easy to look up 
in the logs.

A quick scan of the maillog shows the only thing going on at the time 
was an apparent submission to a mailing list from an external email 
address.  The really curious thing is that no mailing lists are enabled 
for the domain!   Not only that, but there is no MX record for the 
domain.   There are also no users.

That tells me that anything sent to the domain should immediately have 
been rejected, right?  But instead the box accepted some piece of email 
that bounced to a backscatter trap.

A clip from the maillog is below if you'd like to have a look.  I've 
obfuscated the customer's domain, but you'll get the idea.


Sep 18 09:52:29 gwen sendmail[28626]: p8IEqQVW028626: 
from=<gmtatdbyi at allatoonapassbattlefield.org>, size=556, class=0, 
nrcpts=1, 
msgid=<V04v6woj2C1y63XLXLXS3hhdX4Sm33BOvO2POiTbAdfDPgmtatdbyi at allatoonapassbattlefield.org>, 
proto=ESMTP, daemon=MTA, relay=84.subnet110-139-208.speedy.telkom.net.id 
[110.139.208.84] (may be forged)

Sep 18 09:52:29 gwen sendmail[28636]: p8IEqTse028636: 
Authentication-Warning: gwen.domain.com: mail set sender to 
Majordomo-Owner at www.domainobfuscated.com using -f

Sep 18 09:52:29 gwen sendmail[28636]: p8IEqTse028636: 
from=Majordomo-Owner at www.domainobfuscated.com, size=9653, class=0, 
nrcpts=1, msgid=<201109181452.p8IEqTse028636 at gwen.domain.com>, 
relay=mail at localhost

Sep 18 09:52:29 gwen sendmail[28639]: STARTTLS=server, relay=localhost 
[127.0.0.1], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, 
bits=256/256

Sep 18 09:52:29 gwen sendmail[28636]: STARTTLS=client, 
relay=[127.0.0.1], version=TLSv1/SSLv3, verify=FAIL, 
cipher=DHE-RSA-AES256-SHA, bits=256/256

Sep 18 09:52:29 gwen sendmail[28639]: p8IEqT4W028639: 
from=<Majordomo-Owner at www.domainobfuscated.com>, size=10005, class=0, 
nrcpts=1, msgid=<201109181452.p8IEqTse028636 at gwen.domain.com>, 
proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]

Sep 18 09:52:29 gwen sendmail[28636]: p8IEqTse028636: 
to=gmtatdbyi at allatoonapassbattlefield.org, 
ctladdr=Majordomo-Owner at www.domainobfuscated.com (8/12), delay=00:00:00, 
xdelay=00:00:00, mailer=relay, pri=39653, relay=[127.0.0.1] [127.0.0.1], 
dsn=2.0.0, stat=Sent (p8IEqT4W028639 Message accepted for delivery)

Sep 18 09:52:29 gwen sendmail[28633]: p8IEqQVW028626: 
to="|/usr/local/majordomo/wrapper majordomo -C 
/usr/local/majordomo/sites/site19/majordomo.cf", 
ctladdr=<majordomo at domainobfuscated.com> (8/0), delay=00:00:02, 
xdelay=00:00:00, mailer=prog, pri=30843, dsn=2.0.0, stat=Sent

Sep 18 09:52:33 gwen sendmail[28641]: p8IEqT4W028639: 
to=<gmtatdbyi at allatoonapassbattlefield.org>, delay=00:00:04, 
xdelay=00:00:04, mailer=esmtp, pri=130005, 
relay=backscatter.allato...ssbattlefield.org. [65.60.35.76], dsn=5.1.1, 
stat=User unknown

-- 
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ

More information about the Blueonyx mailing list