Security Incidents mailing list archives

Re: Maillog Suspicious


From: dengue () DEADLY ORG (James Phillips)
Date: Wed, 12 Jan 2000 01:48:46 +0000


On Wed, 12 Jan 2000, flirtingboy20 wrote:

->Hi all, I am a bit new to Linux administration, and am trying my best to make my box very secure. So I've looked at my log files
->in /var/log and found something very strange. Here is the log:
->
->Dec 26 01:47:29 MOD2000 sendmail[1054]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
->Dec 26 01:47:51 MOD2000 sendmail[1062]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
->Dec 26 01:47:52 MOD2000 sendmail[1057]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
->Dec 26 01:47:55 MOD2000 sendmail[1067]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
->Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: "debug" command from pa149.zgora.ppp.tpnet.pl [212.160.14.149] (212.160.14.149)
->Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
->Dec 26 01:48:01 MOD2000 sendmail[1071]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
->Dec 26 01:48:02 MOD2000 sendmail[1072]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn news
->Dec 26 01:48:02 MOD2000 sendmail[1074]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn postmaster
->Dec 26 01:48:03 MOD2000 sendmail[1075]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn majordomo
->Dec 26 01:48:04 MOD2000 sendmail[1076]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn decode
->Dec 26 01:48:05 MOD2000 sendmail[1077]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
->Dec 26 01:48:05 MOD2000 sendmail[1070]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: EXPN attack?
->Dec 26 01:48:06 MOD2000 sendmail[1078]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn admin
->Dec 26 01:50:27 MOD2000 sendmail[1086]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
->
->Can anyone tell me exactly what this all means?
->
->O yeah and another thing, which files do I check to look for port probing?
->
->Many Thanks
->Adriaan
->
Someone, in this case the user at pa149.zgora.ppp.tpnet.pl, telneted to
your smtp server and attempted to see if you were susceptible to a number
of sendmail vulnerabilities. First they attempted to put sendmail into
"debug" mode; the other expn commands were attempts to verify certain mail
aliases, such as majordomo. There is a recent majordomo local user
exploit running around; it looks like they were looking for common
services and vulnerabilities. It pretty much looks just like examples
straight out of O'Reilly's Sendmail book. Unless you have been modifying
the sendmail source, SMTPDEBUG isn't enabled. The EXPN commands, which are
often abused by spammers and the like, can be disabled by adding:

# privacy flags
O PrivacyOptions=goaway

to your sendmail.cf file, or if you prefer m4, by adding:

# privacy flags (the .mc-level define; _OPTION is internal to proto.m4)
define(`confPRIVACY_FLAGS', `goaway')dnl

to whichever m4 file you build your sendmail.cf from.

I hope this helps out.

--
        james r phillips        OpenBSD diary   http://www.deadly.org
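As an added example (not code from the original post or from sendmail), here is a small Python script that does by program what the reply above does by eye: it walks maillog lines, picks out the NOQUEUE records sendmail writes for the "debug" command and for EXPN/VRFY lookups, tallies them per source address, and flags the sources that look like this probe. The sample lines are constructed from the ones quoted in the thread plus one ordinary delivery line that must not be flagged. The flagging threshold and the expn_still_works() helper, which uses the standard library's smtplib to check whether a server still answers EXPN with a 250 after PrivacyOptions=goaway has been set, are assumptions of this example.

```python
#!/usr/bin/env python3
"""Classify sendmail syslog lines for SMTP reconnaissance.

Added example, not code from the original post. It parses the NOQUEUE
lines sendmail writes for unsolicited "debug"/"wiz" commands and for
EXPN/VRFY requests, tallies them per source address, and flags sources
that look like the probe in the thread. expn_still_works() uses the
standard library's smtplib to re-check a host after PrivacyOptions=goaway.
"""
import re
import smtplib
from collections import defaultdict

# Constructed sample: a subset of the lines quoted in the post, plus one
# ordinary delivery line (192.0.2.10) that must not be flagged.
SAMPLE_LOG = """\
Dec 26 01:47:29 MOD2000 sendmail[1054]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: "debug" command from pa149.zgora.ppp.tpnet.pl [212.160.14.149] (212.160.14.149)
Dec 26 01:48:01 MOD2000 sendmail[1071]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
Dec 26 01:48:02 MOD2000 sendmail[1072]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn news
Dec 26 01:48:05 MOD2000 sendmail[1070]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: EXPN attack?
Dec 26 01:48:06 MOD2000 sendmail[1078]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn admin
Dec 26 02:10:11 MOD2000 sendmail[1101]: CAA01101: from=<alice@example.org>, size=812, class=0, nrcpts=1, relay=mail.example.org [192.0.2.10]
"""

# sendmail's per-event log formats, as they appear in the thread.
NULL_RE = re.compile(r"NOQUEUE: Null connection from (?P<host>\S+) \[(?P<ip>[\d.]+)\]")
CMD_RE = re.compile(r'NOQUEUE: "(?P<cmd>\w+)" command from (?P<host>\S+) \[(?P<ip>[\d.]+)\]')
ATTACK_RE = re.compile(r"NOQUEUE: (?P<host>\S+) \[(?P<ip>[\d.]+)\]: (?:EXPN|VRFY) attack\?")
EXPN_RE = re.compile(r"NOQUEUE: (?P<host>\S+) \[(?P<ip>[\d.]+)\]: (?P<cmd>expn|vrfy) (?P<arg>\S+)")


def _new_record():
    return {"host": None, "null": 0, "commands": [], "expn": [], "vrfy": [], "attack_note": False}


def summarize(log_text):
    """Return {ip: record} for every source that triggered a NOQUEUE event."""
    summary = defaultdict(_new_record)
    for line in log_text.splitlines():
        for regex in (NULL_RE, CMD_RE, ATTACK_RE, EXPN_RE):
            m = regex.search(line)
            if m:
                break
        else:
            continue  # normal delivery traffic, not a probe event
        rec = summary[m.group("ip")]
        rec["host"] = m.group("host")
        if regex is NULL_RE:
            rec["null"] += 1
        elif regex is CMD_RE:
            rec["commands"].append(m.group("cmd").lower())
        elif regex is ATTACK_RE:
            rec["attack_note"] = True          # sendmail's own heuristic fired
        else:
            rec[m.group("cmd").lower()].append(m.group("arg"))
    return dict(summary)


def flag_probers(summary, threshold=3):
    """IPs that sent debug/wiz, tripped sendmail's 'attack?' note, or issued
    at least `threshold` EXPN/VRFY lookups (the threshold is an assumption)."""
    flagged = []
    for ip, rec in sorted(summary.items()):
        lookups = len(rec["expn"]) + len(rec["vrfy"])
        if (set(rec["commands"]) & {"debug", "wiz"}
                or rec["attack_note"]
                or lookups >= threshold):
            flagged.append(ip)
    return flagged


def expn_still_works(host, port=25, alias="root", timeout=10):
    """True if the server still expands aliases (250 reply to EXPN), i.e. the
    privacy flag has not taken effect; a 500/502 reply means EXPN is refused."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.expn(alias)
    return code == 250


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip in flag_probers(report):
        rec = report[ip]
        print(f"{ip} ({rec['host']}): null={rec['null']} cmds={rec['commands']} "
              f"expn={rec['expn']} vrfy={rec['vrfy']} attack_note={rec['attack_note']}")
```

Run it against a real file with `summarize(open("/var/log/maillog").read())`; after rebuilding sendmail.cf with goaway, `expn_still_works("localhost")` should return False because the server now refuses EXPN instead of listing the alias.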
