Security Incidents mailing list archives

Re: Maillog Suspicious


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Tue, 11 Jan 2000 22:32:45 -0500


On Wed, 12 Jan 2000, flirtingboy20 wrote:

> Can anyone tell me exactly what this all means?

looks like someone is trying to enumerate your accounts via Sendmail. the
EXPN and VRFY (expand and verify, respectively) commands help people find and
abuse known accounts and holes. one shining example is the majordomo probing,
given that majordomo has a hole pointed out recently (for local shell
escalation, see BUGTRAQ vulnerability id 903).

> Oh yeah, and another thing: which files do I check to look for port probing?

depends on what you log and where. i run port scan detection daemons which
log to syslog, and i also do TCP accounting (yes, very large but handy
logs), also to syslog. also check the logs used specifically by
various services (i.e. xferlog, maillog, httpd logs).

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
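The VRFY/EXPN enumeration the reply above describes leaves a per-request trail in maillog that can be summarized per source host. The following is an added example (not code from the poster or from any project in this thread) that parses constructed sendmail-style log lines, counts VRFY/EXPN probes per client IP, and flags sources that either exceed a request threshold or probe accounts on a watchlist such as majordomo. The `NOQUEUE: host [ip]: VRFY user` line shape, the sample lines, the threshold and the watchlist are all assumptions for illustration; adjust the regex to what your sendmail version and LogLevel actually emit.

```python
import re
from collections import Counter, defaultdict

# Constructed sample maillog excerpt (not taken from the original post).
# The "NOQUEUE: host [ip]: VRFY user" shape is an assumption about how
# sendmail logs these commands; real lines may differ by version/LogLevel.
SAMPLE_MAILLOG = """\
Jan 11 21:58:02 mx sendmail[4123]: NOQUEUE: probe.example.net [192.0.2.77]: VRFY root
Jan 11 21:58:03 mx sendmail[4123]: NOQUEUE: probe.example.net [192.0.2.77]: VRFY majordomo
Jan 11 21:58:03 mx sendmail[4123]: NOQUEUE: probe.example.net [192.0.2.77]: EXPN majordomo
Jan 11 21:58:04 mx sendmail[4123]: NOQUEUE: probe.example.net [192.0.2.77]: VRFY guest
Jan 11 21:58:09 mx sendmail[4131]: VAA04131: from=<alice@example.org>, size=1042, class=0, pri=31042, nrcpts=1, relay=mail.example.org [198.51.100.9]
Jan 11 21:59:40 mx sendmail[4140]: NOQUEUE: other.example.com [203.0.113.5]: VRFY postmaster
"""

# Matches only VRFY/EXPN probe lines; ordinary delivery lines are ignored.
PROBE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: NOQUEUE: "
    r"(?P<host>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<cmd>VRFY|EXPN) (?P<target>\S+)"
)

# Hypothetical watchlist: accounts whose probing deserves an alert on its own
# (majordomo because of the hole mentioned in the reply, root as a generic target).
WATCHLIST = {"majordomo", "root", "listserv"}
THRESHOLD = 3  # assumed: this many VRFY/EXPN requests from one IP is a scan


def parse_probes(text):
    """Return a list of dicts (ts, host, ip, cmd, target) for each probe line."""
    probes = []
    for line in text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            probes.append(m.groupdict())
    return probes


def summarize(probes, threshold=THRESHOLD, watchlist=WATCHLIST):
    """Aggregate probes per client IP and decide which IPs warrant an alert.

    Returns (per_ip, alerts): per_ip maps ip -> stats, alerts maps ip -> reasons.
    """
    per_ip = defaultdict(lambda: {"count": 0, "targets": set(),
                                  "cmds": Counter(), "first": None, "last": None})
    for p in probes:
        s = per_ip[p["ip"]]
        s["count"] += 1
        s["targets"].add(p["target"])
        s["cmds"][p["cmd"]] += 1
        s["first"] = s["first"] or p["ts"]
        s["last"] = p["ts"]

    alerts = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["count"] >= threshold:
            reasons.append(f"{s['count']} VRFY/EXPN requests between "
                           f"{s['first']} and {s['last']}")
        hits = sorted(t for t in s["targets"] if t.lower() in watchlist)
        if hits:
            reasons.append("probed watchlisted accounts: " + ", ".join(hits))
        if reasons:
            alerts[ip] = reasons
    return per_ip, alerts


if __name__ == "__main__":
    per_ip, alerts = summarize(parse_probes(SAMPLE_MAILLOG))
    for ip, reasons in alerts.items():
        print(f"ALERT {ip}: " + "; ".join(reasons))
    for ip, s in per_ip.items():
        print(f"{ip}: {s['count']} probes, {dict(s['cmds'])}, targets={sorted(s['targets'])}")
```

On the hardening side, sendmail's `PrivacyOptions` can refuse these commands outright: `novrfy` and `noexpn` disable VRFY and EXPN respectively, and `goaway` turns on the whole set of restrictive flags. Once they are disabled the probes still show up in the log as rejected commands, so the detection above remains useful for spotting who is scanning.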

