[Sysadmin] suspicious changes to theList's mailman config?

Dean Mah dean.mah at gmail.com
Mon Apr 9 13:50:37 CDT 2007


In looking at the log files, I see:

195.188.152.10 - - [08/Apr/2007:16:43:20 -0500] "GET /robots.txt
HTTP/1.1" 200 141 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
195.188.152.10 - - [08/Apr/2007:20:51:39 -0500] "GET / HTTP/1.1" 200
11991 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
InfoPath.2; .NET CLR 3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:39 -0500] "GET /lists.css
HTTP/1.1" 200 7592 "http://lists.evolt.org/" "Mozilla/4.0 (compatible;
MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:39 -0500] "GET
/images/spacer.gif HTTP/1.1" 200 49 "http://lists.evolt.org/"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET
CLR 3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:39 -0500] "GET
/images/tab_cap.gif HTTP/1.1" 200 280 "http://lists.evolt.org/"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET
CLR 3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:39 -0500] "GET
/images/tab_logo.gif HTTP/1.1" 200 1788 "http://lists.evolt.org/"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET
CLR 3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:39 -0500] "GET
/images/tab_home.gif HTTP/1.1" 200 476 "http://lists.evolt.org/"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET
CLR 3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:39 -0500] "GET
/images/tab_help.gif HTTP/1.1" 200 370 "http://lists.evolt.org/"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET
CLR 3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:39 -0500] "GET
/images/tab_contact.gif HTTP/1.1" 200 423 "http://lists.evolt.org/"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET
CLR 3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:40 -0500] "GET
/images/spacer.gif HTTP/1.1" 200 49 "http://lists.evolt.org/"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET
CLR 3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:40 -0500] "GET /favicon.ico
HTTP/1.1" 404 289 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT
5.1; InfoPath.2; .NET CLR 3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:42 -0500] "GET
/mailman/listinfo/thelist HTTP/1.1" 200 6612 "http://lists.evolt.org/"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET
CLR 3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:42 -0500] "GET
/icons/mailman.jpg HTTP/1.1" 200 2022
"http://lists.evolt.org/mailman/listinfo/thelist" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR
3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:42 -0500] "GET
/icons/gnu-head-tiny.jpg HTTP/1.1" 200 3049
"http://lists.evolt.org/mailman/listinfo/thelist" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR
3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:42 -0500] "GET
/icons/PythonPowered.png HTTP/1.1" 200 945
"http://lists.evolt.org/mailman/listinfo/thelist" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR
3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:48 -0500] "GET
/mailman/listinfo/thelist HTTP/1.1" 200 6612
"http://lists.evolt.org/mailman/listinfo/thelist" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR
3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:51:57 -0500] "GET
/mailman/admin/thelist HTTP/1.1" 200 2106
"http://lists.evolt.org/mailman/listinfo/thelist" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR
3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:52:03 -0500] "POST
/mailman/admin/thelist HTTP/1.1" 200 21212
"http://lists.evolt.org/mailman/admin/thelist" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR
3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:52:03 -0500] "GET
/icons/mm-icon.png HTTP/1.1" 200 281 "-" "Mozilla/4.0 (compatible;
MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:53:29 -0500] "POST
/mailman/admin/thelist/general HTTP/1.1" 200 21398
"http://lists.evolt.org/mailman/admin/thelist" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR
3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:54:30 -0500] "POST
/mailman/admin/thelist/general HTTP/1.1" 200 20911
"http://lists.evolt.org/mailman/admin/thelist/general" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR
3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:54:45 -0500] "POST
/mailman/admin/thelist/general HTTP/1.1" 200 20913
"http://lists.evolt.org/mailman/admin/thelist/general" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR
3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:55:01 -0500] "POST
/mailman/admin/thelist/general HTTP/1.1" 200 20915
"http://lists.evolt.org/mailman/admin/thelist/general" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR
3.0.04506.30)"

tempest:/var/log/apache/host/A# nslookup 195.188.152.10
Server:         12.96.160.115
Address:        12.96.160.115#53

Non-authoritative answer:
10.152.188.195.in-addr.arpa     name = webcache.blueyonder.co.uk.

Authoritative answers can be found from:
152.188.195.in-addr.arpa        nameserver = ns2.cableinet.co.uk.
152.188.195.in-addr.arpa        nameserver = ns3.cableinet.co.uk.
152.188.195.in-addr.arpa        nameserver = ns.cableinet.net.
ns2.cableinet.co.uk     internet address = 194.117.157.4
ns.cableinet.net        internet address = 193.38.113.3
ns3.cableinet.co.uk     internet address = 194.117.152.85

Anyone here have that IP address?

Dean


On 4/9/07, Matt Warden <mwarden at gmail.com> wrote:
> If you notice, a number of emails have come through thelist without
> the [thelist] part prepended to the subject. See:
>
> http://lists.evolt.org/archive/Week-of-Mon-20070409/thread.html
>
> As you pointed out, the emails are being fwd'd by thelistj@ rather
> than thelist@
>
> Definitely something odd going on...
>
> On 4/9/07, David Kaufman <david.kaufman at gmail.com> wrote:
> > 1. I received the attached bounce at 10pm last night EST (and no mail
> > from theList since a few hours before that).
> >
> > 2. http://lists.evolt.org/mailman/listinfo/thelist reports that the list
> > address is thelist at lists0.evolt.org (lists0 being a nonexistent
> > hostname, of course) not thelist at lists.evolt.org and
> >
> > 3. The list name itself is also reported on that page as:
> >
> >     thelist -- thelistj at lists.evolt.org
> >
> > Anybody know what's up??  I can fix the list name and list address but
> > wanted to ask if anyone else was working on this first...
> >
> > -dave
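
Added example, not part of the original message: the log excerpt above is hard-wrapped by the mail client, so this Python sketch rejoins the wrapped entries, then lists POSTs to the Mailman admin interface per client address and the user agents seen from each address. The function names (`unwrap`, `summarize`) are hypothetical, and the sample is three entries copied from the post.

```python
import re
from collections import defaultdict

# Excerpt of the log quoted in the post, still wrapped as the mail client left it.
WRAPPED = '''\
195.188.152.10 - - [08/Apr/2007:16:43:20 -0500] "GET /robots.txt
HTTP/1.1" 200 141 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3"
195.188.152.10 - - [08/Apr/2007:20:52:03 -0500] "POST
/mailman/admin/thelist HTTP/1.1" 200 21212
"http://lists.evolt.org/mailman/admin/thelist" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR
3.0.04506.30)"
195.188.152.10 - - [08/Apr/2007:20:53:29 -0500] "POST
/mailman/admin/thelist/general HTTP/1.1" 200 21398
"http://lists.evolt.org/mailman/admin/thelist" "Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR
3.0.04506.30)"
'''

ENTRY_START = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3} \S+ \S+ \[')
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def unwrap(text):
    """Rejoin wrapped entries: a line that does not open a new entry continues the last one."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def summarize(entries, prefix="/mailman/admin/"):
    """Return (admin POSTs per IP, user agents per IP) from unwrapped combined-format entries."""
    posts, agents = defaultdict(list), defaultdict(set)
    for entry in entries:
        m = COMBINED.match(entry)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        agents[m["ip"]].add(m["agent"])
        if m["method"] == "POST" and m["path"].startswith(prefix):
            posts[m["ip"]].append((m["ts"], m["path"]))
    return dict(posts), dict(agents)

if __name__ == "__main__":
    print(summarize(unwrap(WRAPPED)))
```

More than one user agent behind a single address, as in this excerpt, is consistent with the reverse lookup naming a web cache: the address alone does not tie the requests to one machine.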


