Snort mailing list archives
Re: smtp rcpt to overflow
From: Edwin Eefting <edwin () bit nl>
Date: Wed, 5 Jun 2002 17:32:14 +0200 (CEST)
On Wed, 5 Jun 2002 10:44:42 -0400 Hugo Ferr <snortgrp () hotmail com> wrote:
> 'SMTP RCPT TO' overflow is a buffer overflow for Lotus servers. I have 7444 entries for the same exploit but I have a sendmail server. All 744 come from the same address; it looks like the guy is pretty persistent or he just cannot figure out that this is not a Lotus server :-) Just want to double-check: this exploit cannot cause any damage to sendmail systems, right?
Sometimes exploits have to be "bruteforced" for technical reasons (finding the right offset on a stack, for example). When someone is trying to bruteforce something, you'll see a lot of repetitions of the same alert rule. (Maybe there should be added some "count option" for such exploits to these rules.)

Most of the time, however, this is some kind of false alert of a weak rule ("weak" as in: "many false positives"). I wouldn't worry at all if you see alerts for a service you aren't running (just some false positives, or some kind of idiot :-)

It might be interesting to search for other alerts from the same address. If these do exist, this could be an indication of some hacker or scriptkiddo screwing around with your systems. :)

Hope this helps,
Edwin

--
Kind regards,
Edwin Eefting
Business Internet Trends BV
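The two checks suggested in the reply above (count the repeats of one alert per source, then see whether the same address triggered anything else), as an added example that is not part of the original post or of Snort itself. It assumes alerts in Snort's one-line "fast" format; the sample lines, SIDs and the `triage` helper are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed layout of a Snort "fast" alert line:
#   timestamp [**] [gid:sid:rev] message [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+[\d.]+"
)

# Constructed sample alerts (documentation address ranges, invented SIDs).
SAMPLE = """\
06/05-10:01:02.000001  [**] [1:1000001:1] SMTP RCPT TO overflow [**] [Priority: 1] {TCP} 192.0.2.10:40001 -> 198.51.100.5:25
06/05-10:01:03.000001  [**] [1:1000001:1] SMTP RCPT TO overflow [**] [Priority: 1] {TCP} 192.0.2.10:40002 -> 198.51.100.5:25
06/05-10:01:04.000001  [**] [1:1000001:1] SMTP RCPT TO overflow [**] [Priority: 1] {TCP} 192.0.2.10:40003 -> 198.51.100.5:25
06/05-10:01:05.000001  [**] [1:1000001:1] SMTP RCPT TO overflow [**] [Priority: 1] {TCP} 192.0.2.10:40004 -> 198.51.100.5:25
06/05-10:02:00.000001  [**] [1:1000002:1] ICMP PING [**] [Priority: 3] {ICMP} 203.0.113.7 -> 198.51.100.5
06/05-10:02:10.000001  [**] [1:1000003:1] SCAN SYN FIN [**] [Priority: 2] {TCP} 203.0.113.7:1024 -> 198.51.100.5:22
06/05-10:03:00.000001  [**] [1:1000001:1] SMTP RCPT TO overflow [**] [Priority: 1] {TCP} 203.0.113.7:1025 -> 198.51.100.5:25
06/05-10:03:01.000001  [**] [1:1000001:1] SMTP RCPT TO overflow [**] [Priority: 1] {TCP} 203.0.113.7:1026 -> 198.51.100.5:25
06/05-10:03:02.000001  [**] [1:1000001:1] SMTP RCPT TO overflow [**] [Priority: 1] {TCP} 203.0.113.7:1027 -> 198.51.100.5:25
06/05-10:04:00.000001  [**] [1:1000001:1] SMTP RCPT TO overflow [**] [Priority: 1] {TCP} 198.51.100.77:5000 -> 198.51.100.5:25
"""

def triage(lines, noisy_msg, min_repeats=3):
    """Map each source that fired `noisy_msg` at least `min_repeats` times
    to (repeat_count, sorted list of its other alert messages)."""
    per_src = defaultdict(Counter)
    for line in lines:
        m = ALERT_RE.search(line)
        if m:  # lines that are not alerts are skipped
            per_src[m["src"]][m["msg"]] += 1
    report = {}
    for src, msgs in per_src.items():
        repeats = msgs.get(noisy_msg, 0)
        if repeats >= min_repeats:
            report[src] = (repeats, sorted(k for k in msgs if k != noisy_msg))
    return report

if __name__ == "__main__":
    result = triage(SAMPLE.splitlines(), "SMTP RCPT TO overflow")
    for src, (repeats, others) in result.items():
        # Repeats alone suggest noise; other alerts from the same source merit a look.
        verdict = "look closer" if others else "likely noise"
        print(f"{src}: {repeats} repeats, other alerts: {others or 'none'} -> {verdict}")
```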