Security Incidents mailing list archives
sendmail attack?
From: Brian M <brian () THEWORKS COM>
Date: Tue, 26 Sep 2000 20:49:04 GMT
Recently one of my friend's boxes was almost compromised by what appeared to be a sendmail attack. This box is running OpenBSD 2.6 and was using sendmail 8.11.0. All other known security issues have been patched and it is not running Horde or IMP. It looks like the attacker either used an edited version of a Linux exploit or didn't know much about OpenBSD in general, because two files were edited: /etc/passwd and /etc/shadow. Two users were added:

ftpd::0:0:ftpd:/:/bin/sh
httpd::5555:5555:httpd:/:/bin/sh
ftpd::0:0:ftpd:/:/bin/sh
httpd::5555:5555:httpd:/:/bin/sh

As you can see, the attack was tried twice. It then tried to email either the attacker or someone else, but the email bounced and that's how the attack was noticed. Here's a snip from the logs:

Sep 15 17:02:16 ns sendmail[7730]: e8G02GE07730: from=username, size=36, class=0, nrcpts=1, msgid=<200009160002.e8G02GE07730@ns .somedomain.com>, relay=root@localhost
Sep 15 17:02:18 ns sendmail[9481]: e8G02GN31800: to=kx2246 () gmx net, ctladdr=username (1000/0), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=32834, relay=mx0.gmx.net. [213.165.64.100], dsn=5.1.1, stat=User unknown

The attack targeted the username that belongs to the owner of the box, so I doubt it was chosen at random. Unfortunately snort was not running at the time :( If anyone has seen something like this or knows of a sendmail 8.11.0 exploit floating around, any info is appreciated. Thanks in advance.

Brian
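The added entries above show the three things an account audit should catch: a second UID 0 account, an empty password field, and the same line inserted twice. The following audit script is an added example (not from the poster or the thread); the passwd text it checks is constructed to mirror the entries reported above, and the root/daemon/brian lines are assumed.

```python
# Added example: audit passwd-format entries for the additions described in the post.
# SAMPLE_PASSWD is constructed; only the ftpd/httpd lines come from the report.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
brian:*:1000:1000:Brian M:/home/brian:/bin/ksh
ftpd::0:0:ftpd:/:/bin/sh
httpd::5555:5555:httpd:/:/bin/sh
ftpd::0:0:ftpd:/:/bin/sh
httpd::5555:5555:httpd:/:/bin/sh
"""

def parse_passwd(text):
    """Yield (lineno, name, password, uid, shell) for each 7-field entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            yield (lineno, None, None, None, None)  # malformed, reported below
            continue
        name, pw, uid, _gid, _gecos, _home, shell = fields
        yield (lineno, name, pw, int(uid) if uid.isdigit() else None, shell)

def audit_passwd(text):
    """Return a list of (rule, name, lineno) findings, in file order."""
    findings, seen = [], set()
    for lineno, name, pw, uid, shell in parse_passwd(text):
        if name is None:
            findings.append(("malformed", "", lineno))
            continue
        if uid == 0 and name != "root":      # extra superuser account
            findings.append(("uid0", name, lineno))
        if pw == "":                         # empty password field: login with no password
            findings.append(("empty_password", name, lineno))
        if name in seen:                     # same account inserted more than once
            findings.append(("duplicate", name, lineno))
        seen.add(name)
    return findings

if __name__ == "__main__":
    for rule, name, lineno in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {rule} ({name})")
```

Run it against a copy of the live file (or a diff of it against a known-good backup) from a cron job and alert on any finding; on the report above it flags lines 4 through 7.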
Current thread:
- sendmail attack? Brian M (Sep 27)