View Issue Details

ID: 0000752
Project: website
Category: security-placeholder
View Status: public
Last Update: 2005-02-23 16:10
Reporter: herrold
Priority: low
Severity: minor
Reproducibility: always
Status: resolved
Resolution: no change required
Platform: Other
OS: other
OS Version:
Product Version: unspecified
Target Version:
Fixed in Version:
Summary: 0000752: Open Relay or cross site hold on caosa
Description: placeholder
Tags: No tags attached.

Activities

herrold

2005-01-14 14:47

reporter   ~0002275

Open Relay or cross site hold on caosa

I have received a piece which originated on caosa to security@caosity with an
attached virus or worm.

This implies a hole in some web package is being exploited.

-----------------------------------
[note forged date - true entry time was: Fri, 14 Jan 2005 04:12:31 -0500]

Date: Sat, 4 Dec 2004 14:41:58 +0530
From: forum@linuxquestions.org
To: security@centos.org
Subject: a cAos SECURITY] Re: important document_all
Parts/Attachments:
   1 Shown 2 lines Text (charset: Windows-1252)
   2 33 KB Application
----------------------------------------

    [ The following text is in the "Windows-1252" character set. ]
    [ Your display is set for the "ISO-8859-1" character set. ]
    [ Some characters may be displayed incorrectly. ]

Please read the attached file!


    [ Part 2, Application/OCTET-STREAM (Name: "document.pif") 44KB. ]
    [ Cannot display this part. Press "V" then "S" to save in a file. ]

----------------------------------------------------------
and headers are:
Return-Path: <forum@linuxquestions.org>
Received: from mail.caosity.org (mail.caosity.org [69.93.111.165])
    by swampfox.owlriver.com (8.12.11/8.12.8) with ESMTP id j0E9CVZh010592
    for <herrold@owlriver.com>; Fri, 14 Jan 2005 04:12:31 -0500
Received: by mail.caosity.org (Postfix)
    id CAD22B300EB; (UTC)
Delivered-To: orc@caosity.org
Received: from centos.org (unknown [203.109.93.199])
    by mail.caosity.org (Postfix) with ESMTP id A8ACFB300A4
    for <security@centos.org>; Fri, 14 Jan 2005 09:12:20 +0000 (UTC)
From: forum@linuxquestions.org
To: security@centos.org
Date: Sat, 4 Dec 2004 14:41:58 +0530
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20050114091220.A8ACFB300A4@mail.caosity.org>
X-Envelope-To: security@centos.org
X-Munge: added X-Envelope-To
X-Orig-Subject: Re: important document_all
X-Loop: herrold@owlriver.com
X-brand: caosity
X-Highlight: friend
Subject: a cAos SECURITY] Re: important document_all
X-Known: yes
X-ORC: antiloop
Parts/Attachments:
   1 Shown 2 lines Text (charset: Windows-1252)
   2 33 KB Application
----------------------------------------

    [ The following text is in the "Windows-1252" character set. ]
    [ Your display is set for the "ISO-8859-1" character set. ]
    [ Some characters may be displayed incorrectly. ]

--------------------------------

Everything below the Message-Id I add with procmail




herrold

2005-01-14 14:49

reporter   ~0002276

add donavan@4wx.net -- it is either my, datadevil's or donavan's code which is
the likely suspect.

- R

user13

2005-01-14 14:58

  ~0002277

not really seeing how it's from caosa, but if it is, then I think it's not my
code, mine runs on caosc...

user7

2005-01-14 15:14

  ~0002278

Looks like a normal spoof to me:

   Received: from centos.org (unknown [203.109.93.199])
       by mail.caosity.org (Postfix) with ESMTP id A8ACFB300A4
       for <security@centos.org>; Fri, 14 Jan 2005 09:12:20 +0000 (UTC)
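
The Received line quoted in the comment above can be picked out mechanically by walking the chain from the oldest hop upward and stopping at the first one stamped by a server you control. The following is an added example, not part of the original thread: the header text is copied from the report, while the trusted-host set and the function names are assumptions for illustration, and the pattern only covers the Postfix-style "from HELO (rdns [ip]) by host" layout seen here.

```python
import re
from email import message_from_string

# Received chain plus From/To, copied from the report above (newest hop first).
RAW = """\
Received: from mail.caosity.org (mail.caosity.org [69.93.111.165])
    by swampfox.owlriver.com (8.12.11/8.12.8) with ESMTP id j0E9CVZh010592
    for <herrold@owlriver.com>; Fri, 14 Jan 2005 04:12:31 -0500
Received: by mail.caosity.org (Postfix)
    id CAD22B300EB; (UTC)
Received: from centos.org (unknown [203.109.93.199])
    by mail.caosity.org (Postfix) with ESMTP id A8ACFB300A4
    for <security@centos.org>; Fri, 14 Jan 2005 09:12:20 +0000 (UTC)
From: forum@linuxquestions.org
To: security@centos.org

"""

# "from <HELO name> (<reverse DNS> [<peer IP>]) by <receiving host>"
HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
                 r"\s+by\s+(?P<by>\S+)")

def parse_hops(raw):
    """Return one dict per Received header that records a remote peer."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            hops.append(m.groupdict())
    return hops

def entry_hop(raw, trusted):
    """Oldest hop stamped by a trusted server: where the mail entered our systems."""
    for hop in reversed(parse_hops(raw)):  # headers are listed newest-first
        if hop["by"] in trusted:
            return hop
    return None

def helo_unverified(hop):
    """True when the receiver's reverse lookup does not back up the HELO name."""
    return hop["rdns"] == "unknown" or hop["rdns"].lower() != hop["helo"].lower()

if __name__ == "__main__":
    hop = entry_hop(RAW, {"mail.caosity.org", "swampfox.owlriver.com"})
    print(hop, "HELO unverified:", helo_unverified(hop))
```

Everything the peer supplied (the HELO name, From and Date) is untrusted; only the IP and reverse-DNS result written by the trusted receiver are evidence. A HELO/rDNS mismatch on its own is common for legitimate senders, so treat it as a signal to look closer rather than a verdict.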

user13

2005-01-14 15:42

  ~0002279

grin.. then I wasn't misunderstanding the headers..

herrold

2005-02-23 16:10

reporter   ~0002280

I was wrong - sorry

Issue History

Date Modified Username Field Change
2005-01-14 14:47 herrold CC => m.stolte@datadevil.demon.nl
2005-01-14 14:47 herrold QAContact greg@caosity.org => herrold@owlriver.com
2005-01-14 14:47 herrold Summary placeholder => Open Relay or cross site hold on caosa
2005-01-14 14:49 herrold CC => donavan@4wx.net
2005-01-14 15:14 user7 CC => mej@caosity.org
2005-02-23 16:10 herrold Status NEW => RESOLVED
2005-02-23 16:10 herrold Resolution => INVALID