Security Incidents mailing list archives
Re: Maillog Suspicious
From: dengue () DEADLY ORG (James Phillips)
Date: Wed, 12 Jan 2000 01:48:46 +0000
On Wed, 12 Jan 2000, flirtingboy20 wrote: ->Hi all, I am a bit new to Linux Administrator, and are trying my best to make my box very secure. So I've looked at my log files ->in /var/log and found something very strange. Here is the log: -> ->Dec 26 01:47:29 MOD2000 sendmail[1054]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149] ->Dec 26 01:47:51 MOD2000 sendmail[1062]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149] ->Dec 26 01:47:52 MOD2000 sendmail[1057]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149] ->Dec 26 01:47:55 MOD2000 sendmail[1067]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149] ->Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: "debug" command from pa149.zgora.ppp.tpnet.pl [212.160.14.149] (212.160.14.149) ->Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149] ->Dec 26 01:48:01 MOD2000 sendmail[1071]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root ->Dec 26 01:48:02 MOD2000 sendmail[1072]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn news ->Dec 26 01:48:02 MOD2000 sendmail[1074]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn postmaster ->Dec 26 01:48:03 MOD2000 sendmail[1075]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn majordomo ->Dec 26 01:48:04 MOD2000 sendmail[1076]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn decode ->Dec 26 01:48:05 MOD2000 sendmail[1077]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root ->Dec 26 01:48:05 MOD2000 sendmail[1070]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: EXPN attack? ->Dec 26 01:48:06 MOD2000 sendmail[1078]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn admin ->Dec 26 01:50:27 MOD2000 sendmail[1086]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149] -> ->Can anyone tell me exactly what this all mean? -> ->O yeah and another thing, which files to I check to look for port probing? -> ->Many Thanks ->Adriaan -> Someone, in this case the user at pal149.zgora.ppp.tpnet.pl, telneted to your smtp server and attempted to see if you were succeptable to a number of sendmail vulnerabilities. First they attempted to put sendmail into "debug" mode, the other expn commands were attempts to verify certain mail aliases, such as majordomo. There is a recent majordomo local user exploit running around, it looks like they were looking for common services and vulnerabilities. It pretty much looks just like example's straight out of O'Reilly's Sendmail book. Unless you have been modifying the sendmail source, SMTPDEBUG isn't enabled. The EXPN commands, which are often abused by spammers and the like can be disabled by adding: # privacy flags O PrivacyOptions=goaway to your sendmail.cf file, or if you prefer m4, by adding: # privacy flags _OPTION(PrivacyOptions, `confPRIVACY_FLAGS', goaway) to whichever m4 file you build your sendmail.cf from. I hope this helps out. -- james r phillips OpenBSD diary http://www.deadly.org
Current thread:
- AMD/Port 100099 and portmap, (continued)
- AMD/Port 100099 and portmap Daniel K. Boyd (Jan 18)
- Re: AMD/Port 100099 and portmap CyberPsychotic (Jan 18)
- Large quantity of traffic from amazon.com - source_port 3000 Peter Bates (Jan 13)
- Re: Port 4 Lutz Pressler (Jan 12)
- Re: Port 4 Vanja Hrustic (Jan 13)
- New vulnerability (fwd) Alfred Huger (Jan 13)
- An Embryonic Counterintelligence Tool Stephen P. Berry (Jan 14)
- Re: An Embryonic Counterintelligence Tool Vanja Hrustic (Jan 18)
- Maillog Suspicious flirtingboy20 (Jan 11)
- Re: Maillog Suspicious David A. Bandel (Jan 11)
- Re: Maillog Suspicious James Phillips (Jan 11)
- Re: Maillog Suspicious Yiorgos Adamopoulos (Jan 11)
- strange entrys in /var/log/messages Ben Russell (Jan 11)
- Re: strange entrys in /var/log/messages Christopher Wilson (Jan 12)
- Re: strange entrys in /var/log/messages Robert Graham (Jan 12)
- Re: Maillog Suspicious Jose Nazario (Jan 11)
- Re: Maillog Suspicious Larry W. Cashdollar (Jan 11)
- Attempted port scans. Steve (Jan 11)
- Re: Maillog Suspicious Khetan Gajjar (Jan 11)
- Text file monitor? Luther Trammel (Jan 12)
- Re: Text file monitor? James A Kennemore Jr (Jan 12)