
Re: [cobalt-users] lame server



On Fri, 2 Feb 2001, Diana Brake wrote:

> At 01:00 AM 1/31/01, Flash22 wrote:
> >On Tue, 30 Jan 2001, Rick Ewart wrote:
> > > I personally think its an attack on the server, of some sort, as I get
> > > Jan 30 12:40:32 www named[916]: Lame server on '19.66.241.207.in-addr.arpa'
> > > (in '19.66.241.207.in-addr.arpa'?): [192.67.14.16].53 't.ns.verio.net'
> >
> >I'd have been inclined to think you were just seeing an odd coincidence,
> >but i have one also, 6 minutes later....interesting
> >
> >The other interesting thing is i have no record in any other log file for
> >this ip address, so it's not a web hit , seems more like someone asked the
> >nameserver...
> >
> >Wonder if there's some nifty hack involving delegating a ptr back to
> >localhost...
> 
> Hi,
> I wonder about these things too...but I'm skeptical about this being a hack 
> attempt. I also got an entry from verio.net similar to yours in my logs. In 
> the past, I've gotten many "lame server" messages that appeared to be 
> related to a cobaltlist user and there have been many times I've come close 
> to asking onlist if there was someone who knew something about some lame 
> domain, or did they use such-and-such host because it was throwing lame 
> messages out.
> 
> I tend to think the Rudolfo was correct when he said these messages may be 
> appearing because our servers are doing reverse lookups on mail that it 
> receives. Wouldn't it make sense then that everyone on the list who has 
> reverse lookup enabled would get the same message in their logs when a 
> piece of mail is sent to the list by someone who is using DNS provided by 
> some of these apparently third party providers? And around the same time 
> makes sense too because our servers will each get a list message within 
> minutes of everyone else.
> 
>  From what little I know...*turning red* cause I know very little...but the 
> lame server messages don't concern me. It's the bad request messages that 
> "could" mean trouble. On a VERY slim possibility, these machines could have 
> been hijacked and being used for bad things.
> 
> I've often noticed a huge list of these:
> } Jun 2 06:21:32 gw-crest named[5504]: bad referral (com !< overstock.com)
> } Jun 2 08:22:44 gw-crest named[5504]: bad referral (com !< BIGFOOT.com)
> } Jun 4 02:05:59 gw-crest named[5504]: bad referral (FSU.EDU !< SCRI.FSU.edu)
> } Jun 4 02:26:23 gw-crest named[5504]: bad referral (121.34.216.in-addr.arpa
> } !< 0/25.121.34.216.in-addr.arpa)
> } Jun 4 02:26:30 gw-crest named[5504]: bad referral (121.34.216.in-addr.arpa
> } !< 0/25.121.34.216.in-addr.arpa)
> } Jun 4 02:35:04 gw-crest named[5504]: bad referral (78.199.in-addr.arpa !<
> } 177.78.199.in-addr.arpa)
> 
> right before a major portscan or long run of login attempts using anonymous 
> FTP or even as has happened several times recently..login attempts using 
> the admin ID. (don't mind the old date stamps...*grin..I grabbed the first 
> log that came up). Individual login attempts by someone using an id that 
> definitely isn't on the system..(they're guessing) are the ones I watch 
> for. If I see one of my own users having major troubles, I contact them to 
> find out what is going on. Usually they admit to forgetting their 
> password....:). They then tell me they remembered it later or I reset it 
> for them. Nobody has shell access on my machines but me.
> 
> If this doesn't make sense, maybe the security gurus will enlighten us 
> all...I know I for one could sure use the education..:)

Heh, well, some of it is just trying to picture how you would break in to
your own server if you wanted to ;)

It's astonishing how many nameservers are totally misconfigured, so yes,
i'd agree, 99% of the time lame server messages aren't worth worrying
about; even the bad referrals are mostly just symptoms of the same bad
configurations and are largely meaningless.

I keep a list of domain names of ISP's that my users use, so when
something odd appears i can easily check if it's reasonably possible it's
just a user that forgot/trashed their password, or some total stranger...
(oh how i wish isps gave everyone static IP's tho ;)

Rudolfo's theory has a hole in it: the mail server is only going to check
the address of the machine sending mail from the list, eg list.cobalt.com.
It can't see anything in the headers generally (unless you are using
very fancy spam rules), so i don't think that is it, tho i suspect the
list provides a handy list of domains of people using cobalt hardware,
which can be a concern...

As to ftp scans, i have had 51 in 3 days....yeash...

One of them i did successfully trace back to a NT web server that seems to
have been badly compromised: the website was trashed and the thing has all
kinds of bogus ports listening that it shouldn't...so yes, i think there
is some reason to be a bit suspicious of anything 'weird' that appears in
the logs. However there is really nothing you are going to do beyond
having a secure machine to start with; if your machine has a hole in it,
by the time you see something in a log file it's gonna be way too late and
you are going to be asking questions like "where did i put all my backup
files" -/

Stray thought: someone posted in a different message about strange
complaints from sendmail like 'did not issue MAIL/EXPN/VRFY/ETRN during
connection to MTA'

This is a sure sign someone was checking to see what sendmail version you
are running since sendmail prints this out when you connect (by
default) and there's no reason to issue any other command if this was all
you wanted to know...

ok, i've rambled on and on way too long ;0
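Added example, not part of this thread: a small Python triage over constructed syslog lines modelled on the ones quoted above, which files named's "Lame server" and "bad referral" entries as remote-misconfiguration noise and counts the sendmail "did not issue MAIL/EXPN/VRFY/ETRN" banner-only connections per source address, since the message's point is that one of those is worth a second look and the other is not. The sample lines, the `NOQUEUE:` sendmail record format and the two-hit threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample log (modelled on the lines quoted in the thread, not real data).
SAMPLE_LOG = """\
Jan 30 12:40:32 www named[916]: Lame server on '19.66.241.207.in-addr.arpa' (in '19.66.241.207.in-addr.arpa'?): [192.67.14.16].53 't.ns.verio.net'
Jun  2 06:21:32 gw-crest named[5504]: bad referral (com !< overstock.com)
Jun  4 02:26:23 gw-crest named[5504]: bad referral (121.34.216.in-addr.arpa !< 0/25.121.34.216.in-addr.arpa)
Feb  2 09:15:01 www sendmail[1234]: NOQUEUE: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb  2 09:15:09 www sendmail[1235]: NOQUEUE: [203.0.113.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# named: a remote nameserver claims authority for a zone it does not actually serve.
LAME = re.compile(r"named\[\d+\]: Lame server on '(?P<zone>[^']+)'.*?\[(?P<ip>[\d.]+)\]\.53 '(?P<ns>[^']+)'")
# named: a referral pointed outside the zone it came from.
BAD_REF = re.compile(r"named\[\d+\]: bad referral \((?P<parent>\S+) !< (?P<child>\S+)\)")
# sendmail: client connected, read the banner, sent no mail command (assumed NOQUEUE format).
NO_CMD = re.compile(r"sendmail\[\d+\]: \S+ (?:\S+ )?\[(?P<ip>[\d.]+)\] did not issue MAIL/EXPN/VRFY/ETRN")


def parse_line(line):
    """Return a dict describing the record, or None for lines we do not triage."""
    if m := LAME.search(line):
        return {"kind": "lame_server", "zone": m["zone"], "ip": m["ip"], "ns": m["ns"]}
    if m := BAD_REF.search(line):
        return {"kind": "bad_referral", "parent": m["parent"], "child": m["child"]}
    if m := NO_CMD.search(line):
        return {"kind": "banner_probe", "ip": m["ip"]}
    return None


def triage(log_text):
    """Count DNS noise separately from banner-only SMTP connections per source IP."""
    summary = {"dns_noise": 0, "lame_nameservers": Counter(), "banner_probes": Counter()}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["kind"] == "lame_server":
            summary["dns_noise"] += 1
            summary["lame_nameservers"][rec["ns"]] += 1   # useful only for telling the NS operator
        elif rec["kind"] == "bad_referral":
            summary["dns_noise"] += 1
        else:
            summary["banner_probes"][rec["ip"]] += 1
    return summary


def probe_sources(summary, min_hits=2):
    """Source IPs that repeatedly connected to sendmail without issuing a command."""
    return sorted(ip for ip, n in summary["banner_probes"].items() if n >= min_hits)


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(f"DNS noise: {s['dns_noise']}, repeated banner-only SMTP sources: {probe_sources(s)}")
```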