
backupmng creates new postfix-queue

GeraldV

New Pleskian
Starting today I have some trouble with some error 451 messages from postfix similar to these here. I have Plesk 9.3.0 and I don't find the segfaults in the logs thus I think it's something different.

However, in the process of troubleshooting I found something which I think is odd. Checking the postfix-queue executable in /usr/lib/plesk-9.0 I found this:

# ls -la postfix-queue*
-r-xr-x--- 1 mhandlers-user popuser 78278 Mar 18 15:52 postfix-queue
-r-xr-x--- 1 mhandlers-user root 64548 Dec 30 02:52 postfix-queue.backup-2010-03-18-1552

# file postfix-queue*
postfix-queue: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), for GNU/Linux 2.2.0, not stripped
postfix-queue.backup-2010-03-18-1552: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), for GNU/Linux 2.2.0, stripped

I have checked all logs and crontabs and the only thing running at 15:52 was backupmng. So it seems as if backupmng created a new executable postfix-queue??? Can that be? Does that make any sense?

Why would backupmng create a new postfix-queue?

And more importantly, where would it get it from? It's an executable, thus backupmng would have to run a compiler to create it...

Or is the server compromised?

Thanks, Gerald
 
Not sure why you have this file, but I have checked it on our test environment and found the following:

# cat /usr/local/psa/version
9.3.0 CentOS 5 93091230.07

# cd /usr/lib/plesk-9.0
# ls -la postfix-queue*
-r-xr-x--- 1 mhandlers-user popuser 73076 Dec 30 07:11 postfix-queue

# rpm -qf postfix-queue
psa-mail-pc-driver-1.0.0-cos5.build93091230.07
# rpm -V psa-mail-pc-driver-1.0.0-cos5.build93091230.07
.M...... /var/spool/postfix/plesk

When I started a backup of the whole server, it was not backed up.
Strange that these files have different size and permissions.
 
The original file is the one from the package:

# dpkg --contents /var/cache/apt/archives/psa-mail-pc-driver_1.0.0-ubuntu6.06.build93091230.07_i386.deb | grep postfix-queue
-r-xr-x--- mhandlers-user/root 64548 2009-12-30 02:52:21 ./usr/lib/plesk-9.0/postfix-queue

I have also checked all other archive packages I have found on the server. All have different sizes. All have group root and not popuser like the backed-up one.

I have put back the original for the moment. Still it's very strange. The newer file is not stripped. Looks to me as if it did not go through the standard packaging. I have no other files with "*.backup-".

For a test, I have stripped the newer file, run "strings -a" on the original and the new, stripped and compared both. Found only 10 different bytes. If it's doing something different then it's not telling.

Is there a way to find out if the newer file is a legitimate file or not? Any packages database for Plesk to search? Any md5 hash database of official files?
 
O.K. I found it. After some more digging and searching for files/directories changed on the date of the new postfix-queue, I found an empty directory which indicated that it was the hoster of my VPS (HostEurope) which installed the new version. My server was not hacked.

Funny enough, they have installed the patched version because it is supposed to fix an issue with postfix-queue in Plesk 9.3.0 which causes 451 errors with several customers. Now on my VPS it seemed to have the opposite effect...
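The manual comparison made in this thread (an `ls -la` listing checked against the `dpkg --contents` entry for the packaged file) can be scripted as a first triage step. The following is an added example, not part of the original posts and not Plesk tooling; the function names are hypothetical and the sample lines are the ones quoted in the thread.

```python
import re

# Listing lines copied from the thread (ls -la and dpkg --contents output).
LS_LINES = """\
-r-xr-x--- 1 mhandlers-user popuser 78278 Mar 18 15:52 postfix-queue
-r-xr-x--- 1 mhandlers-user root 64548 Dec 30 02:52 postfix-queue.backup-2010-03-18-1552
"""
DPKG_LINE = ("-r-xr-x--- mhandlers-user/root 64548 2009-12-30 02:52:21 "
             "./usr/lib/plesk-9.0/postfix-queue")

# ls -la:          mode links owner group size month day time name
LS_RE = re.compile(
    r"^(\S{10})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+\S+\s+\d+\s+\S+\s+(.+)$")
# dpkg --contents: mode owner/group size date time path
DPKG_RE = re.compile(
    r"^(\S{10})\s+([^/\s]+)/(\S+)\s+(\d+)\s+\S+\s+\S+\s+(.+)$")

def parse(line, regex):
    """Parse one listing line into mode/owner/group/size/name."""
    m = regex.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised listing line: {line!r}")
    mode, owner, group, size, name = m.groups()
    return {"mode": mode, "owner": owner, "group": group,
            "size": int(size), "name": name}

def drift(installed, packaged):
    """Fields where the installed file differs, as (packaged, installed)."""
    return {k: (packaged[k], installed[k])
            for k in ("mode", "owner", "group", "size")
            if installed[k] != packaged[k]}

def triage(ls_text, dpkg_line):
    """Compare every listed file against the single packaged entry."""
    packaged = parse(dpkg_line, DPKG_RE)
    report = {}
    for line in ls_text.splitlines():
        if line.strip():
            entry = parse(line, LS_RE)
            report[entry["name"]] = drift(entry, packaged)
    return report

if __name__ == "__main__":
    for name, diffs in triage(LS_LINES, DPKG_LINE).items():
        print(name, "matches package metadata" if not diffs else f"DRIFT {diffs}")
```

Matching size, mode and ownership only shows that the metadata agrees with the package. Confirming the contents still requires comparing a digest of the installed file with the copy inside the package, which is what `rpm -V` in the reply above does on RPM systems.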
 