Security Incidents mailing list archives
Re: Maillog Suspicious
From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Tue, 11 Jan 2000 22:32:45 -0500
On Wed, 12 Jan 2000, flirtingboy20 wrote:
> Can anyone tell me exactly what this all means?
looks like someone is trying to enumerate your accounts via Sendmail. the EXPN and VRFY (expand and verify, respectively) help people find and abuse known accounts and holes. one shining example is the majordomo probing. given that majordomo has a hole pointed out recently (for local shell escalation, see BUGTRAQ vulnerability id 903).
> Oh yeah, and another thing: which files do I check to look for port probing?
depends on what you log and where. i run port scan detection daemons which log to syslog, and i also do TCP accounting (yes, very large but handy logs), also in the syslog. also check the logs used specifically by various services (ie xferlog, maillog, httpd logs).

jose nazario						jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
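
Added example, not part of the original post: one way to spot the EXPN/VRFY account enumeration described in the reply above by grouping probes in a maillog by source address. The sample lines are constructed, and their layout is an assumption modelled on sendmail syslog entries; `find_enumeration` and its threshold are hypothetical names chosen for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the original post). The layout is an
# assumption modelled on sendmail syslog entries; adjust the regex to your logs.
SAMPLE_MAILLOG = """\
Jan 11 03:14:07 mailhost sendmail[4121]: NOQUEUE: scanner.example.net [192.0.2.44]: expn majordomo
Jan 11 03:14:08 mailhost sendmail[4121]: NOQUEUE: scanner.example.net [192.0.2.44]: vrfy root
Jan 11 03:14:08 mailhost sendmail[4121]: NOQUEUE: scanner.example.net [192.0.2.44]: VRFY admin [rejected]
Jan 11 03:14:09 mailhost sendmail[4121]: NOQUEUE: scanner.example.net [192.0.2.44]: expn decode
Jan 11 09:30:51 mailhost sendmail[4377]: JAA04377: from=<alice@example.org>, size=812, class=0, nrcpts=1, relay=mx.example.org [198.51.100.9]
Jan 11 11:02:13 mailhost sendmail[4502]: NOQUEUE: [203.0.113.5]: vrfy postmaster
"""

PROBE_RE = re.compile(
    r"sendmail\[\d+\]: \S+: "                 # program[pid]: queue id or NOQUEUE
    r"(?P<client>.*?\[(?P<ip>[0-9.]+)\]): "   # "host [ip]" or bare "[ip]"
    r"(?P<cmd>expn|vrfy)\s+(?P<target>\S+)",  # command and the name it asked about
    re.IGNORECASE,
)


def find_enumeration(log_text, min_targets=3):
    """Return {source ip: sorted account names} for sources that asked about
    at least min_targets distinct names with EXPN or VRFY."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            targets[m.group("ip")].add(m.group("target").lower())
    return {ip: sorted(names) for ip, names in targets.items()
            if len(names) >= min_targets}


if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE_MAILLOG).items():
        print(f"{ip}: {len(names)} names probed via EXPN/VRFY: {', '.join(names)}")
```

A single VRFY from one address stays below the default threshold, while a source walking through several names in a row is reported.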