Security Incidents mailing list archives
RE: Sendmail DOS ?
From: Steve Halligan <giermo () geeksquad com>
Date: Wed, 27 Mar 2002 15:12:49 -0600
This is from the NetSaint (a host monitoring tool) mailing list today:

"Has anyone found a good way to eliminate the "NOQUEUE" messages which check_smtp produces in sendmail's logs? I took a look at the options for check_smtp and there was nothing there which would allow me to send something to the machine to make it into a non-null connect. Ideas?"

Looks like Michael does have a host monitor (NetSaint specifically) pointed at you.

-Steve

--
Seems like maybe Michael set up a host monitor and put in the wrong IP? WhatsUP doesn't issue a "quit" AFAIK but will do all the rest of that communication. Maybe polling is set for 70 seconds. There are other host monitors out there and it may be one of those or home grown.

Try web to port 80 or 8080 of the sending IP and see if you get anything? or... nmap the sending host and try a http connection to the open ports.

I would think it is a simple typo. It may be hard to track Michael down since it may be a user account on bt.com

...ken

Wednesday, March 27, 2002, 5:30:37 AM (GMT-5), you wrote:

Greetings,

i just wondered if anyone can help me out with a possible incident / DOS.

for the past 10 hours or so i have been getting sendmail log entries like.....

Mar 27 06:30:19 hostname sendmail[690]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:31:29 hostname sendmail[752]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:32:39 hostname sendmail[792]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:33:49 hostname sendmail[834]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:34:59 hostname sendmail[896]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

.... continuous ......

they are happening every 1 min and 10 seconds roughly and as i said been going on for about 10-12 hours. all from the same host...

i've sniffed the traffic and captured the whole session. it's quite short and i have recreated it from another machine below ....

-- Start Session --
Connected to *.*.*.*.
Escape character is '^]'.
220 hostname.net ESMTP Sendmail 8.10.2/8.10.2; Wed, 27 Mar 2002 09:02:13 GMT
EHLO michael
250-hostname.net Hello **.*****.com [*.*.*.*], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE 2097152
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH PLAIN
250 HELP
500 5.5.1 Command unrecognized: ""
AUTH PLAIN
334 =
AHZpYXVrAA==
500 5.7.0 authentication failed
QUIT
221 2.0.0 hostname.net closing connection
-- End Session --

i don't understand what this person's trying to do as it's using the same password each time and using this same michael hostname. so it appears not to be a Bruteforce.

Is this just a small pointless automated DOS or could it be something more worrying ? could anyone shed any light on this or offer any advice. I know i could just add to hosts.deny but i'm just trying to figure out why it's going on and prevent it happening again.

any suggestions / linkage would be great.

many thanks.

fragga

ps i made a post on here before but it got returned ... dunno why :(

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
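The thread turns on the fixed 70-second spacing of the NOQUEUE entries, which the replies read as a host monitor's polling interval. The following is an added example, not part of any post in this thread: it groups sendmail null-connect log lines by source address and labels a source periodic when the gaps between its connections are nearly constant. The hostnames, addresses, and the `min_events` and `max_jitter` thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample. The first source repeats the 70-second cadence quoted in
# the thread; hostnames and addresses are placeholders, not values from it.
SAMPLE_LOG = """\
Mar 27 06:30:19 mx sendmail[690]: NOQUEUE: monitor.example [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:31:29 mx sendmail[752]: NOQUEUE: monitor.example [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:32:39 mx sendmail[792]: NOQUEUE: monitor.example [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:33:49 mx sendmail[834]: NOQUEUE: monitor.example [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:34:59 mx sendmail[896]: NOQUEUE: monitor.example [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:30:05 mx sendmail[688]: NOQUEUE: other.example [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:30:07 mx sendmail[689]: NOQUEUE: other.example [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:41:50 mx sendmail[901]: NOQUEUE: other.example [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 07:15:02 mx sendmail[977]: NOQUEUE: other.example [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

NOQUEUE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sendmail\[\d+\]:\s+NOQUEUE:\s+"
    r"\S+\s+\[(?P<ip>[^\]]+)\]\s+did not issue MAIL/EXPN/VRFY/ETRN"
)

def null_connects(log_text, year=2002):
    """Return {ip: [datetime, ...]}; syslog omits the year, so the caller supplies it."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = NOQUEUE_RE.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["ip"]].append(stamp)
    return hits

def classify(times, min_events=4, max_jitter=2.0):
    """Label a source 'periodic' when its inter-arrival gaps are near-constant."""
    times = sorted(times)
    if len(times) < min_events:
        return "too-few", None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if pstdev(gaps) <= max_jitter:
        return "periodic", round(mean(gaps))
    return "irregular", None

def report(log_text):
    return {ip: classify(ts) for ip, ts in null_connects(log_text).items()}

if __name__ == "__main__":
    for ip, (label, period) in report(SAMPLE_LOG).items():
        print(ip, label, period)
```

A periodic label only says the connections are scheduled; it does not identify which tool is making them.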
Current thread:
- Sendmail DOS ? Fragga (Mar 27)
- Re: Sendmail DOS ? Ken Lyon (Mar 27)
- Re: Sendmail DOS ? Micheal Patterson (Mar 27)
- <Possible follow-ups>
- RE: Sendmail DOS ? Steve Halligan (Mar 27)
- RE: Sendmail DOS ? Hugo van der Kooij (Mar 27)