Security Incidents mailing list archives
Re: Strange ETRN attempts
From: Mike Apted <mikea () WEBHOSTING COM>
Date: Thu, 27 Jul 2000 11:25:39 -0500
See BugTraq ID 904... It is a denial of service attack, possibly resulting in reboot. 8.9.1 and 8.9.3 are vulnerable. I have successfully rebooted BSD boxes remotely (3.x), but could only drive up the load on the Linux and Sun boxes I tested.

[Mike Apted (mikea () webhosting com) ]
[VP, Technical Services, Webhosting.Com Inc. - (416) 260-5411 ]
[-]
The meaningless absurdity of life is the only incontestable knowledge accessible to man. -- Leo Tolstoy
[-]

On Wed, 26 Jul 2000, Nicolas Gregoire wrote:
Hi,

Here's what appeared in my logs last night (addresses and names sanitized):

Jul 25 19:08:36 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @acclaim.de
Jul 25 19:08:37 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @acclaim.net
Jul 25 19:08:37 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @acclaim-euro.net
Jul 25 19:08:39 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @acclaim-int.net
Jul 25 19:08:39 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @AcclaimStudios.co.uk
Jul 25 19:08:40 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @acclaimstudios.com
Jul 25 19:08:40 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @acclaimstudios.net
Jul 25 19:08:41 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN attack?
Jul 25 19:08:42 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @acclaimworld.com
Jul 25 19:08:44 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @acclaimworld.net
Jul 25 19:08:47 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @aklm.co.uk
Jul 25 19:08:49 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @aklm.com
Jul 25 19:08:51 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @aklm.net
Jul 25 19:08:53 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @as-cheltenham.com
Jul 25 19:09:04 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @as-cheltenham.exchange
Jul 25 19:09:17 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @as-london.exchange
Jul 25 19:09:43 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @australia.exchange
Jul 25 19:09:46 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @iguana.slc.com
Jul 25 19:09:48 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @iguana-uk.com
Jul 25 19:09:50 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @iguana-us.com
Jul 25 19:09:52 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @london.exchange
Jul 25 19:09:59 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @madrid.exchange
Jul 25 19:10:01 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @munich.exchange
Jul 25 19:10:03 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @paris.exchange
Jul 25 19:10:06 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @probe.co.uk
Jul 25 19:10:10 yonopido sendmail[31713]: NOQUEUE: mail.offending_domain.com [The_IP]: ETRN @sculptured.com

I know that there are some security problems with the SMTP ETRN command, but I don't know which one. Does anybody have any information or links on the ETRN command? Has anybody ever seen that?
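
A log check for the pattern in the quoted syslog excerpt, added here as an example and not part of either post: it groups sendmail `NOQUEUE ... ETRN` lines by relay and sendmail PID and reports sessions that issue many ETRN commands in a short window. The function name, threshold, window, assumed year and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the sendmail syslog format quoted in the post, e.g.
#   Jul 25 19:08:36 host sendmail[31713]: NOQUEUE: relay [ip]: ETRN @domain
ETRN_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"sendmail\[(?P<pid>\d+)\]:\s+NOQUEUE:\s+(?P<relay>.+?):\s+ETRN\s+(?P<arg>.*)$"
)

def find_etrn_bursts(lines, threshold=5, window_seconds=60, year=2000):
    """Return [(relay, pid, peak_count, distinct_args)] for each SMTP session
    that sent at least `threshold` ETRN commands within `window_seconds`."""
    sessions = defaultdict(list)
    for line in lines:
        m = ETRN_LINE.match(line.strip())
        if not m:
            continue  # not an ETRN record
        # Syslog timestamps carry no year, so one is assumed (hypothetical default).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        sessions[(m["relay"], int(m["pid"]))].append((when, m["arg"]))

    window = timedelta(seconds=window_seconds)
    findings = []
    for (relay, pid), events in sessions.items():
        events.sort(key=lambda e: e[0])
        peak, start = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append((relay, pid, peak, len({a for _, a in events})))
    return findings

# Constructed sample input (not the poster's logs): one burst, one single ETRN,
# and one unrelated NOQUEUE line.
SAMPLE_LOG = """\
Jul 25 19:08:36 mx1 sendmail[31713]: NOQUEUE: relay.example.net [192.0.2.10]: ETRN @a.example
Jul 25 19:08:37 mx1 sendmail[31713]: NOQUEUE: relay.example.net [192.0.2.10]: ETRN @b.example
Jul 25 19:08:37 mx1 sendmail[31713]: NOQUEUE: relay.example.net [192.0.2.10]: ETRN @c.example
Jul 25 19:08:38 mx1 sendmail[31720]: NOQUEUE: Null connection from other.example.org [198.51.100.7]
Jul 25 19:08:39 mx1 sendmail[31713]: NOQUEUE: relay.example.net [192.0.2.10]: ETRN @d.example
Jul 25 19:08:39 mx1 sendmail[31713]: NOQUEUE: relay.example.net [192.0.2.10]: ETRN @a.example
Jul 25 19:08:40 mx1 sendmail[31713]: NOQUEUE: relay.example.net [192.0.2.10]: ETRN @e.example
Jul 25 20:15:02 mx1 sendmail[400]: NOQUEUE: backup.example.org [198.51.100.9]: ETRN @example.org
"""

if __name__ == "__main__":
    for finding in find_etrn_bursts(SAMPLE_LOG.splitlines()):
        print(finding)
```

Tune the threshold to your own baseline: a secondary MX that legitimately flushes queues for a handful of domains sends a few ETRN commands per session, not dozens for unrelated domains.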