Security Incidents mailing list archives

Re: Maillog Suspicious


From: david () PANANIX COM (David A. Bandel)
Date: Tue, 11 Jan 2000 20:41:14 -0500


flirtingboy20 wrote:

> Hi all, I am a bit new to Linux administration, and am trying my best to make my box very secure. So I've looked at
> my log files in /var/log and found something very strange. Here is the log:
>
> Dec 26 01:47:29 MOD2000 sendmail[1054]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]

just a probe

> Dec 26 01:47:51 MOD2000 sendmail[1062]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
> Dec 26 01:47:52 MOD2000 sendmail[1057]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
> Dec 26 01:47:55 MOD2000 sendmail[1067]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
> Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: "debug" command from pa149.zgora.ppp.tpnet.pl [212.160.14.149] (212.160.14.149)

an old exploit -

> Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
> Dec 26 01:48:01 MOD2000 sendmail[1071]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root

expn = expand; he wants to know the user who is reading root's mail --
it should be aliased to another user (you?) -- hope you're not reading
mail as root.

> Dec 26 01:48:02 MOD2000 sendmail[1072]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn news
> Dec 26 01:48:02 MOD2000 sendmail[1074]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn postmaster
> Dec 26 01:48:03 MOD2000 sendmail[1075]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn majordomo
> Dec 26 01:48:04 MOD2000 sendmail[1076]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn decode
> Dec 26 01:48:05 MOD2000 sendmail[1077]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
> Dec 26 01:48:05 MOD2000 sendmail[1070]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: EXPN attack?
> Dec 26 01:48:06 MOD2000 sendmail[1078]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn admin
> Dec 26 01:50:27 MOD2000 sendmail[1086]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
>
> Can anyone tell me exactly what this all means?

make sure your sendmail.conf contains the following lines (if not, add
them):
O PrivacyOptions=authwarnings
O PrivacyOptions=noexpn
O PrivacyOptions=novrfy

That will prevent anyone from doing what pa149 was apparently
successfully doing to you.


> Oh yeah, and another thing: which files do I check to look for port probing?

Depends on your /etc/syslog.conf, but /var/log/messages would be a good
place to start (but review your syslog config -- also depends on what
daemons you have running -- get and run courtney.pl -- it will still
catch most of the script kiddies who are scanning you).


> Many thanks
> Adriaan

Glad to help,

David A. Bandel

--
Focus on the dream, not the competition.
                -- Nemesis Racing Team motto
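As an added illustration of the two points in David's reply (reading the NOQUEUE entries for probe activity, and checking that sendmail's privacy options actually restrict EXPN/VRFY), here is a small Python script. It is not part of the original thread: the log lines and the sendmail.cf fragment it scans are constructed samples modelled on the entries Adriaan quoted, and the function names (classify, summarize, probing_hosts, missing_privacy_flags) and the query threshold are my own choices, not anything from sendmail or from the list.

```python
import re
from collections import Counter, defaultdict

# Constructed sample maillog lines modelled on the NOQUEUE entries quoted in
# the thread (not a real log); the second host and the last line are made up.
SAMPLE_MAILLOG = """\
Dec 26 01:47:29 MOD2000 sendmail[1054]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: "debug" command from pa149.zgora.ppp.tpnet.pl [212.160.14.149] (212.160.14.149)
Dec 26 01:48:01 MOD2000 sendmail[1071]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
Dec 26 01:48:02 MOD2000 sendmail[1072]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn postmaster
Dec 26 01:48:05 MOD2000 sendmail[1070]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: EXPN attack?
Dec 26 02:10:11 MOD2000 sendmail[1101]: NOQUEUE: mx.example.net [192.0.2.10]: vrfy alice
Dec 26 03:00:00 MOD2000 sendmail[1150]: CAA01150: from=<bob@example.org>, size=1234, nrcpts=1, proto=ESMTP, relay=mx.example.org [192.0.2.20]
"""

# Constructed sendmail.cf fragment (hypothetical) that only sets authwarnings.
SAMPLE_SENDMAIL_CF = """\
O PrivacyOptions=authwarnings
O LogLevel=9
"""

# Only NOQUEUE entries are of interest: they are connections that never
# produced a queued message, which is where probes show up.
NOQUEUE = re.compile(r'sendmail\[\d+\]: NOQUEUE: (?P<rest>.*)$')
NULL_CONN = re.compile(r'^Null connection from (?P<host>\S+) \[(?P<ip>[\d.]+)\]')
DEBUG_CMD = re.compile(r'^"debug" command from (?P<host>\S+) \[(?P<ip>[\d.]+)\]')
# sendmail's own warning when it sees many EXPN/VRFY requests; it must be
# tested before QUERY, which would otherwise read "attack?" as a user name.
FLOOD = re.compile(r'^(?P<host>\S+) \[(?P<ip>[\d.]+)\]: (?P<cmd>EXPN|VRFY) attack\?$')
QUERY = re.compile(r'^(?P<host>\S+) \[(?P<ip>[\d.]+)\]: (?P<cmd>expn|vrfy) (?P<arg>\S+)$', re.I)

PATTERNS = (('null_connection', NULL_CONN), ('debug_command', DEBUG_CMD),
            ('flood_warning', FLOOD), ('query', QUERY))


def classify(line):
    """Return {'kind', 'host', 'ip', 'arg'} for a NOQUEUE probe line, else None."""
    m = NOQUEUE.search(line)
    if not m:
        return None
    rest = m.group('rest')
    for kind, rx in PATTERNS:
        q = rx.match(rest)
        if q:
            d = q.groupdict()
            # expn/vrfy queries are recorded under the lower-cased command name
            kind = d['cmd'].lower() if kind == 'query' else kind
            return {'kind': kind, 'host': d['host'], 'ip': d['ip'], 'arg': d.get('arg')}
    return None


def summarize(text):
    """Count probe kinds per source IP and collect the names asked about."""
    per_ip = defaultdict(Counter)
    names = defaultdict(set)
    for line in text.splitlines():
        ev = classify(line)
        if ev:
            per_ip[ev['ip']][ev['kind']] += 1
            if ev['arg']:
                names[ev['ip']].add(ev['arg'])
    return per_ip, names


def probing_hosts(per_ip, query_threshold=3):
    """Map each IP worth a closer look to the list of reasons it was flagged."""
    flagged = {}
    for ip, counts in per_ip.items():
        reasons = []
        if counts['debug_command']:
            reasons.append('sent the sendmail "debug" command')
        if counts['flood_warning']:
            reasons.append('sendmail itself logged an EXPN/VRFY attack warning')
        queries = counts['expn'] + counts['vrfy']
        if queries >= query_threshold:
            reasons.append(f'{queries} EXPN/VRFY queries')
        if reasons:
            flagged[ip] = reasons
    return flagged


PRIVACY = re.compile(r'^O\s*PrivacyOptions\s*=\s*(?P<flags>.+?)\s*$', re.M)


def missing_privacy_flags(cf_text, required=('noexpn', 'novrfy')):
    """List required privacy flags absent from a sendmail.cf text.

    Flags from every PrivacyOptions line are pooled, since sendmail ORs each
    line into its privacy flags; 'goaway' covers all status-query restrictions.
    """
    present = set()
    for m in PRIVACY.finditer(cf_text):
        present.update(f.strip().lower() for f in m.group('flags').split(','))
    if 'goaway' in present:
        return []
    return [f for f in required if f not in present]


if __name__ == '__main__':
    per_ip, names = summarize(SAMPLE_MAILLOG)
    for ip, reasons in probing_hosts(per_ip).items():
        print(ip, '-', '; '.join(reasons), '- names queried:', sorted(names[ip]))
    print('missing privacy flags:', missing_privacy_flags(SAMPLE_SENDMAIL_CF))
```

Run against a real maillog, the summary separates a single lost connection from a host that walks through root, postmaster, majordomo and so on; the flood_warning count is sendmail's own judgement and is worth alerting on by itself. The config check reads the .cf form of the option that David's reply quotes, and reports the two flags that stop the EXPN/VRFY queries from answering at all.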


