Great Circle Associates Majordomo-Users
(February 2006)
 


Subject: Re: MajorDomo Resetting User
From: Bob Cohen <bcohen @ bpecreative . com>
Date: Fri, 24 Feb 2006 17:03:31 -0500
To: Daniel Liston <dliston @ sonny . org>
Cc: Majordomo-Users @ greatcircle . com
In-reply-to: <43FF5E53.5030702@sonny.org>
References: <200602152142.k1FLg9DO000600@mail.emacolet.com> <076201c63279$64c71c80$6401a8c0@xp> <43F3F40C.6060804@queernet.org> <43F5E154.5040302@bpecreative.com> <43FF56B1.3030308@sonny.org> <43FF5D00.4090300@bpecreative.com> <43FF5E53.5030702@sonny.org>
User-agent: Mozilla Thunderbird 0.8 (Macintosh/20040913)


>
> majordomo-owner.  Your logwatch entry shows this happened twice in what
> I assume to be a 24 hour period.  You might want to check your majordomo
> Log file and your sendmail log to verify.  Using the steps I suggested
> previously, you will get rid of the errors in the logwatch report, but
> that does not give you the warm fuzzy feeling that everything is really
> OK. 

So here's what my majordomo log looks like:

Feb 13 07:53:23 narsil.nbtanet.org majordomo[3945] {morton@dcemail.com} help
Feb 13 07:53:54 narsil.nbtanet.org majordomo[3956] {shawnm@surfy.net} help
Feb 16 17:13:45 narsil.nbtanet.org majordomo[32078] {"PayPal? Inc."<service@paypal.com>} help
Feb 16 22:29:47 narsil.nbtanet.org majordomo[10179] {"accounting@nbtanet.org" <accounting@nbtanet.org>} help
Feb 17 15:30:21 narsil.nbtanet.org majordomo[11363] {"accounting@nbtanet.org" <accounting@nbtanet.org>} help
Feb 17 15:33:03 narsil.nbtanet.org majordomo[11403] {"accounting@nbta.net" <accounting@nbta.net>} help
log.1 (END)


Does that mean someone is exploiting a majordomo vulnerability?  Because 
to me this looks like some things are getting sent via majordomo.

Likewise I found this entry in my most recent maillog:

Feb 24 10:29:18 narsil sendmail[2918]: k1OFTCE02917: to="|/usr/lib/majordomo/wrapper majordomo", ctladdr=<majordomo@nbtanet.org> (8/0), delay=00:00:04, xdelay=00:00:00, mailer=prog, pri=65731, dsn=2.0.0, stat=Sent

I'm not a sendmail guru and am therefore unsure how to interpret the 
maillog entry.  But it looks like a message was sent to 
"majordomo@nbtanet.org".

Or this:

Feb 24 10:29:53 narsil sendmail[2934]: k1OFTrt02934: from=Majordomo-Owner@narsil.nbtanet.org, size=18620, class=0, nrcpts=1, msgid=<200602241529.k1OFTrt02934@narsil.nbtanet.org>, relay=majordomo@localhost

The one above looks like a message was sent somewhere from 
Majordomo-Owner@.  Am I getting abused by someone?

Bob
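
Added example, not part of the original message or of Majordomo itself: a small Python parser for Majordomo log entries in the format pasted above, which rejoins entries split by mail-client line wrapping and tallies requests per sender address. The sample lines, host names, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter
from email.utils import parseaddr

# Constructed sample (hypothetical hosts and senders); two entries are wrapped.
SAMPLE = "\n".join([
    "Feb 13 07:53:23 lists.example.org majordomo[3945] {alice@example.net} help",
    "Feb 16 22:29:47 lists.example.org majordomo[10179] ",
    '{"billing@example.org" <b',
    "illing@example.org>} help",
    "Feb 17 15:30:21 lists.example.org majordomo[11363] ",
    '{"billing@example.org" <b',
    "illing@example.org>} help",
    "Feb 18 09:00:00 lists.example.org majordomo[12001] {bob@example.com} subscribe test-list",
    "log.1 (END)",  # pager residue, ignored by the parser
])

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"^(?P<when>[A-Z][a-z]{2} [ \d]\d [\d:]{8}) (?P<host>\S+) "
                   r"majordomo\[(?P<pid>\d+)\]\s*\{(?P<sender>.*?)\}\s*(?P<request>.*)$")

def unwrap(text):
    """Rejoin wrapped entries: an unstamped line continues an unfinished entry."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries or "} " in entries[-1]:
            entries.append(line)
        else:
            entries[-1] += line  # wrap points keep their own trailing space
    return entries

def parse(text):
    """Return (timestamp, sender address, command) for each well-formed entry."""
    rows = []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if m:
            addr = parseaddr(m["sender"])[1].lower()
            words = m["request"].split()
            rows.append((m["when"], addr, words[0].lower() if words else ""))
    return rows

def tally(text):
    """Count requests per (sender address, command)."""
    return Counter((addr, cmd) for _, addr, cmd in parse(text))

if __name__ == "__main__":
    for (addr, cmd), n in tally(SAMPLE).most_common():
        print(f"{n:3d}  {cmd:<10} {addr}")
```

The sender in braces is taken from the incoming message, so the tally shows which claimed addresses are generating requests, not who actually sent them.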

