Re: Strange ETRN attempts

[Mike Apted <mikea () WEBHOSTING COM>]

See BugTraq ID 904...

It is a denial of service attack, possibly resulting in reboot.

8.9.1 and 8.9.3 are vulnerable.  I have successfully rebooted BSD boxes remotely (3.x), but could only drive up the 
load on the Linux and Sun boxes I tested.

[Mike Apted (mikea () webhosting com)                                ]
[VP, Technical Services, Webhosting.Com Inc. - (416) 260-5411     ]
[-] The meaningless absurdity of life is the only incontestable
 knowledge accessible to man. -- Leo Tolstoy                    [-]

On Wed, 26 Jul 2000, Nicolas Gregoire wrote:

> Hi,
>
> Here's what appeared in my logs last night (adresses and names
> sanitized) :
>
> Jul 25 19:08:36 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @acclaim.de
> Jul 25 19:08:37 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @acclaim.net
> Jul 25 19:08:37 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @acclaim-euro.net
> Jul 25 19:08:39 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @acclaim-int.net
> Jul 25 19:08:39 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @AcclaimStudios.co.uk
> Jul 25 19:08:40 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @acclaimstudios.com
> Jul 25 19:08:40 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @acclaimstudios.net
> Jul 25 19:08:41 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN attack?
> Jul 25 19:08:42 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @acclaimworld.com
> Jul 25 19:08:44 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @acclaimworld.net
> Jul 25 19:08:47 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @aklm.co.uk
> Jul 25 19:08:49 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @aklm.com
> Jul 25 19:08:51 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @aklm.net
> Jul 25 19:08:53 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @as-cheltenham.com
> Jul 25 19:09:04 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @as-cheltenham.exchange
> Jul 25 19:09:17 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @as-london.exchange
> Jul 25 19:09:43 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @australia.exchange
> Jul 25 19:09:46 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @iguana.slc.com
> Jul 25 19:09:48 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @iguana-uk.com
> Jul 25 19:09:50 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @iguana-us.com
> Jul 25 19:09:52 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @london.exchange
> Jul 25 19:09:59 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @madrid.exchange
> Jul 25 19:10:01 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @munich.exchange
> Jul 25 19:10:03 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @paris.exchange
> Jul 25 19:10:06 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @probe.co.uk
> Jul 25 19:10:10 yonopido sendmail[31713]: NOQUEUE:
> mail.offending_domain.com [The_IP]: ETRN @sculptured.com
>
> I know that there is some security problems with the SMTP ETRN command,
> but I don't know which one.
>
> Does anybody have any information or links on the ETRN command ?
> Has anybody ever seen that ?