Re: Attacks on port 25

[rhino007_us () YAHOO COM (Rhino Bond)]

One does recall that running UNIX Sendmail in DEBUG
mode is quite dangerous, and the point of attack in
various flavors of UNIX historically.  Just be sure
you are not running sendmail in DEBUG mode.

--- Bill Lavalette <operations () NDRSNET COM> wrote:
> I have been getting that too...
>
> our IDS system sees it as this
>
> 'Email_Debug' event detected by the RealSecure
> engine at 'freakory'.
> Details:
>       Source Address: 207.126.127.68
>       Source Port: 55058
>       Source MAC Address: 00:20:6F:05:2D:BE
>       Destination Address: 216.200.165.211
>       Destination Port: E-mail (25)
>       Destination MAC Address: 00:10:5A:22:1D:B0
>       Time: Friday, May 19, 2000 01:27:24
>       Protocol: TCP (6)
>       Priority: high
>       Actions mask: 0x245
>  I have about a 150 of these such alerts
>
> any clue what is going on?
>
> Regards
>
> Bill
>
> Bill Lavalette
> Security/Systems Admin ndrs.com
> Dallas Texas NOC
> http://www.ndrs.com
> PH:817.652.3882
> Email: Operations () ndrsnet com
>
> -----Original Message-----
> From: Incidents Mailing List
> [mailto:INCIDENTS () SECURITYFOCUS COM]On
> Behalf Of Ryan Russell
> Sent: Friday, May 26, 2000 4:28 PM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: Attacks on port 25
>
>
> On Fri, 26 May 2000, Vincent Lim wrote:
>
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=
> > May 26 11:01:27 pop3 portsentry[358]: attackalert:
> SYN/Normal scan from
> > host:
> > f139.law8.hotmail.com/216.33.241.139 to TCP port:
> 25
>
> Well, basiclly it's indicating that you're getting
> connections to port
> 25.  This would indicate people probing for mail
> servers.  This might be
> considered hostile *IF* you're not running a mail
> server.  I suspect
> you're running a mail server on that port, and other
> mail servers are just
> trying to send you mail.  By alerting on and
> blocking these machines,
> you're cutting your mail access off.
>
> > May 26 11:28:21 pop3 portsentry[358]: attackalert:
> SYN/Normal scan from
> > host:
> > lists.securityfocus.com/207.126.127.68 to TCP
> port: 25
> > May 26 11:28:21 pop3 portsentry[358]: attackalert:
> Host:
> > lists.securityfocus.com/207.126.127.68 is already
> blocked Ignoring
> > As you can see... list.securityfocus.com is among
> the attackers.
> > What could this mean?
>
> It means you're subscribed to one of our lists...
> and you're probably not
> going to get this reply. :)
>
> I can say pretty confidently that we're not
> attacking you in any way.  I
> think you're just monitoring for acticivty which
> could be suspicious on a
> non-mail server, but is just fine on a machine that
> is supposed to get
> mail.
>
>                                       Ryan

__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/