Posted to uk.d-i-y
dennis@home
Idle fun for net hackers..

"The Natural Philosopher" wrote in message ...
David WE Roberts wrote:

"The Natural Philosopher" wrote in message ...
snip

so

#telnet www.drabcdfirstaid.com.au 25
Trying 64.251.30.196...
Connected to drabcdfirstaid.com.au.
Escape character is '^]'.
220 spxxxx.int.infolink.com ESMTP Postfix (Ubuntu)

tells me it's a Ubuntu machine running Postfix mail. Now I know that if I
carry on with this telnet into the SMTP port, it's very likely that
root@localhost will be accepted as a direct recipient into the root
user's mailbox.

So I sent one. And it was.

snip

This tells me that you aren't in the habit of typing in SMTP at the
keyboard, or you could have confirmed the acceptance of the
'root@localhost' address whilst connected to the server via Telnet.


I am and I did.


Then again, I'd have to refresh my memory of the RFCs before attempting
it now :-)

Ah - rereading it, it may well be that you did as I suggested instead of
sending a separate email.


Yup.


For those wondering if it was a mail address, a web server, whatever, a
standard server install of Ubuntu can give you the whole nine yards in
one go.
Possibly the person who set up the system was focussed on installing the
web server and hadn't realised he/she/it had also set up a working mail
server by default.
Then again all the incoming mail may be redirected to '/dev/null'.


Not usually. You want system error messages - usually from 'root' to
'root' - to go somewhere.

That means you need at least a working smtp daemon that can accept mail
from local processes.


Now the choice you make is normally whether or not that should accept smtp
on its Ethernet (as opposed to loopback) interface. NORMALLY for a
personal machine you would not. BUT this machine is on a fixed IP address
on the internet. It probably is NOT at a domestic address.

It's running an internet web server.

Have a look - http://www.drabcdfirstaid.com.au/ - there is no real web
site on that address. Only in the hidden directory '/.images/'.

It looks like it has in fact either been compromised or it's been put there
to LOOK as though it's been compromised.

It is a vanilla ubuntu machine.

Possibly the twit didn't set his firewall up quick enough and someone
hacked in somehow.

Possibly he did it himself.

I know that in the 12 hours or so my virtual server was online before I
got it firewalled there were repeated attempts to guess logins from many
sites all over the world. But none succeeded because it had no login
capability as first configured, beyond ssh.


But of course even if a machine receives an email it doesn't mean that a
user ever runs an email program to read it.

He may find out there is a message or two if he runs out of disk space and
he knows how to look in the first place.
Of course it's very easy to set up a web server/mail server on ubuntu, there
are plenty of guides on how.
Almost anyone can do it, even someone who doesn't notice the mistakes he may
make and leave his machine vulnerable.
Even experts left their ubuntu machines vulnerable for the best part of a year
~2010 due to a bug being reintroduced about 3 months after it had been
fixed. Some may still be compromised as the fix fixed the initial problem
but did nothing about anything that had been done to a compromised machine.
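The thread's two points - that a default Ubuntu Postfix listens on all interfaces, and that its 220 banner tells a stranger it is "Postfix (Ubuntu)" - both come from settings in main.cf. Below is an added example (not from any poster in this thread, nor Postfix's own tooling) that parses a constructed main.cf, including Postfix's whitespace-continuation lines, and reports those two defaults so an admin can check their own box before it goes online; `SAMPLE_MAIN_CF` and the hostname in it are made up.

```python
import re

# Constructed sample: an "Internet Site" style main.cf as an Ubuntu install
# can leave it, with a continued (multi-line) value to exercise the parser.
SAMPLE_MAIN_CF = """\
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
myhostname = spxxxx.example.invalid
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104
    [::1]/128
inet_interfaces = all
"""

LOOPBACK_PREFIXES = ("127.", "[::1]", "[::ffff:127.")
LOOPBACK_WORDS = {"loopback-only", "localhost", "127.0.0.1", "::1"}


def parse_main_cf(text):
    """Parse Postfix main.cf: 'name = value' lines, '#' comments, and
    continuation lines (a line starting with whitespace extends the
    previous parameter's value)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def audit_main_cf(text):
    """Return findings for the two defaults discussed in the thread."""
    p, findings = parse_main_cf(text), []
    # Postfix's compiled-in default for inet_interfaces is 'all'.
    iface = p.get("inet_interfaces", "all").replace(",", " ").split()
    if any(v not in LOOPBACK_WORDS for v in iface):
        findings.append("inet_interfaces: SMTP reachable on non-loopback "
                        "interfaces; use loopback-only for local delivery only")
    banner = p.get("smtpd_banner", "$myhostname ESMTP $mail_name ($mail_version)")
    if re.search(r"\$mail_name|\$mail_version|postfix|ubuntu", banner, re.I):
        findings.append("smtpd_banner: advertises MTA/distribution; "
                        "consider '$myhostname ESMTP'")
    nets = p.get("mynetworks", "").split()
    if any(not n.startswith(LOOPBACK_PREFIXES) for n in nets):
        findings.append("mynetworks: trusts non-loopback networks for relaying")
    return findings
```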