
[cobalt-users] Re: What does sendmail exploit look like in logs?



On Thu, 06 Mar 2003 16:20:23 -0500, you wrote:

>Just started getting flooded with these...is this the result of the latest
>sendmail exploit?
>
>Mar  6 11:25:04 gizmo sendmail[9626]: NOQUEUE: nobody@[64.224.219.95] did
>not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Mar  6 11:33:41 gizmo sendmail[10174]: NOQUEUE: nobody@[64.224.219.96] did
>not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Mar  6 11:40:52 gizmo sendmail[10567]: NOQUEUE: nobody@[64.224.219.97] did
>not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Mar  6 11:41:28 gizmo sendmail[10676]: NOQUEUE: nobody@[64.224.219.95] did
>not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Mar  6 11:50:07 gizmo sendmail[11107]: NOQUEUE: nobody@[64.224.219.84] did
>not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Mar  6 12:02:26 gizmo sendmail[11890]: NOQUEUE: nobody@[64.224.219.95] did
>not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Mar  6 12:13:27 gizmo sendmail[12572]: NOQUEUE: [218.0.249.183] did not
>issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Mar  6 12:13:28 gizmo sendmail[12573]: NOQUEUE: [218.0.249.183] did not
>issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Mar  6 12:13:30 gizmo sendmail[12551]: NOQUEUE: [218.0.249.183] did not
>issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Mar  6 12:13:30 gizmo sendmail[12574]: NOQUEUE: [218.0.249.183] did not
>issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Mar  6 12:13:30 gizmo sendmail[12552]: NOQUEUE: [218.0.249.183] did not
>issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Mar  6 12:13:32 gizmo sendmail[12575]: NOQUEUE: [218.0.249.183] did not
>issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Mar  6 12:13:40 gizmo sendmail[12512]: NOQUEUE: nobody@[64.224.219.96] did
>not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>Mar  6 12:16:14 gizmo sendmail[12614]: NOQUEUE: nobody@[64.224.219.97] did
>not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Nope - I don't believe so. We get it from various places every now and then.
I think it's probably spammers looking for hosts running SMTP servers so
they can come back later and try to get usernames.

If you consistently get them from the same IP address, you may want to tell
them to go away via your access file or block them at the firewall
entirely.


If you have patched your copy of sendmail (according to the CERT advisory),
you would get messages from sendmail in your maillog like:

'Dropped invalid comments from header address'

if they are trying to use this latest exploit.

To verify that you have a patched version of sendmail you might like to do
the following:

strings /usr/sbin/sendmail | grep "Dropped invalid comments" 

and see that you get the line pop out!

Cheers
Peter

>
>
>Paul
>
>
>_____________________________________
>cobalt-users mailing list
>cobalt-users@xxxxxxxxxxxxxxx
>To subscribe/unsubscribe, or to SEARCH THE ARCHIVES, go to:
>http://list.cobalt.com/mailman/listinfo/cobalt-users

-- 
Peter Frederick
MIS Director, Indiana Packers Corp, Delphi IN
Phone: (765) 564-9705   Fax: (765) 564-3684
Work: pfred@xxxxxxxxx
Home: pjfred@xxxxxxxxxxxxx
============================================================================
'Tis better to light one candle than to curse the darkness a thousand times!
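The following script is an added example and is not part of Peter's reply or of the cobalt-users thread. It runs the triage described above over maillog text: it separates the connect-and-hang-up "NOQUEUE ... did not issue MAIL/EXPN/VRFY/ETRN" scanner noise (counted per client IP, so repeat sources can be fed into the access file) from the "Dropped invalid comments from header address" message a patched sendmail logs when it rejects a malformed header address, and it reproduces the strings-style patch check on the raw bytes of a binary. The sample log lines are constructed for the example in the format quoted in the thread; the queue-id written in front of the "Dropped invalid comments" message, the addresses, and the threshold of three connections are assumptions, and the `Connect:<ip> REJECT` form is standard sendmail access-db syntax.

```python
import re
from collections import Counter

# Constructed sample maillog lines (not from the original post). They follow
# the syslog layout of the lines quoted in the thread; the queue-id form
# "h26I2BAx013555:" before the "Dropped invalid comments" message and the
# addresses are assumptions made for this example.
SAMPLE_LOG = """\
Mar  6 11:25:04 gizmo sendmail[9626]: NOQUEUE: nobody@[64.224.219.95] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar  6 11:33:41 gizmo sendmail[10174]: NOQUEUE: nobody@[64.224.219.96] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar  6 12:13:27 gizmo sendmail[12572]: NOQUEUE: [218.0.249.183] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar  6 12:13:28 gizmo sendmail[12573]: NOQUEUE: [218.0.249.183] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar  6 12:13:30 gizmo sendmail[12551]: NOQUEUE: [218.0.249.183] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar  6 12:41:28 gizmo sendmail[12676]: NOQUEUE: nobody@[64.224.219.95] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar  6 12:50:07 gizmo sendmail[13107]: NOQUEUE: nobody@[64.224.219.95] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar  6 13:02:11 gizmo sendmail[13555]: h26I2BAx013555: Dropped invalid comments from header address
Mar  6 13:05:42 gizmo sendmail[13601]: h26I5gAx013601: from=<user@example.com>, size=1204, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]
"""

# Syslog prefix written by sendmail: timestamp, host, "sendmail[pid]: ", message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Connect-and-hang-up scan: the client never sent MAIL, EXPN, VRFY or ETRN.
# The optional name before "@" is whatever sendmail recorded for the client
# (normally an IDENT reply); the bracketed IPv4 address is what we key on.
NOQUEUE_RE = re.compile(
    r"NOQUEUE: (?:[^@\s]+@)?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN"
)
# Message a patched sendmail logs when it rejects a malformed address header.
PATCH_MSG = "Dropped invalid comments from header address"


def triage(log_text, scan_threshold=3):
    """Split maillog lines into scanner noise and blocked header-address attacks.

    Returns (scans, offenders, exploit_hits):
      scans        -- Counter of NOQUEUE connect-only sessions per client IP
      offenders    -- IPs seen scan_threshold or more times, sorted
      exploit_hits -- raw lines carrying PATCH_MSG
    """
    scans = Counter()
    exploit_hits = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a sendmail line
        msg = m.group("msg")
        nq = NOQUEUE_RE.search(msg)
        if nq:
            scans[nq.group("ip")] += 1
        elif PATCH_MSG in msg:
            exploit_hits.append(line)
    offenders = sorted(ip for ip, n in scans.items() if n >= scan_threshold)
    return scans, offenders, exploit_hits


def access_file_entries(offenders):
    """Render access-db entries that reject the listed clients at connect time."""
    return [f"Connect:{ip}\tREJECT" for ip in offenders]


def patch_marker_present(binary_blob):
    """The thread's 'strings | grep' check, applied to the bytes of a binary."""
    return PATCH_MSG.encode("ascii") in binary_blob


if __name__ == "__main__":
    scans, offenders, hits = triage(SAMPLE_LOG)
    for ip, n in scans.most_common():
        print(f"{n:3d} connect-only session(s) from {ip}")
    print("access file entries for repeat offenders:")
    for entry in access_file_entries(offenders):
        print("  " + entry)
    print(f"{len(hits)} line(s) show a header-address attack being dropped:")
    for line in hits:
        print("  " + line)
```

On a stock sendmail with FEATURE(access_db), the rendered entries go into /etc/mail/access and take effect after `makemap hash /etc/mail/access < /etc/mail/access`. Note that the strings-style check looks at the binary on disk: a sendmail daemon that was started before the upgrade keeps running the old code until it is restarted, so check the running process's start time as well.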