Re: smtp rcpt to overflow

[Edwin Eefting <edwin () bit nl>]

On Wed, 5 Jun 2002 10:44:42 -0400 Hugo Ferr <snortgrp () hotmail com> wrote:

> 'SMTP RCPT TO' overflow is buffer overflow for Lotus Sevrers. I have 7444
> entries for the same exploit but I have sendmail server.
> All 744 come form the same address, it looks like guy is pretty
> persistent
> or he just cannot figuer out that this is not a Lotus server :-)
> Just want to double-check: this exploit cannnot cause any damage to
> sendmail
> systems, right?

Sometimes exploits have to be "bruteforced" for technical reasons. (finding
the right offset on a stack for example) When someone is trying to
bruteforce something, you'll see a lot of repetitions of the same
alert rule. (maybe there should be added some "count option" for such exploits
to these rules.)

Most of the time however, this is some kind of false alert of weak rule.
("weak" in like: "many false positives")

I wouldn't worry at all if you see alerts for a service you aren't running.
(just some false positives, or some kind of idot :-) It might be
interesting to search for other alerts from the same adress. If these do
exist, this could be an indication of some hacker or scriptkiddo screwing
around with your systems. :)

Hope this helps,
Edwin

-- 
                              __________________
Met vriendelijke groet,      /\ ___/          
Edwin Eefting               /- \ _/  Business Internet Trends BV
                           /--- \/           __________________


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users