
Re: [cobalt-users] What does sendmail exploit look like in logs?



> > Just started getting flooded with these...is this the result
> > of the latest sendmail exploit?
> > 
> > Mar  6 11:25:04 gizmo sendmail[9626]: NOQUEUE: nobody@[64.224.219.95] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
> > Mar  6 12:13:27 gizmo sendmail[12572]: NOQUEUE: [218.0.249.183] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
> 
> Weren't there other lines with those IP addresses? 218.0.249.183 is an
> open port 8080 server sending spam. The other I would guess may have
> been trying to VRFY for a dictionary attack. See if you can find 9626
> elsewhere up in the log with a No such user here message.
> 

Dan-

I used grep to search for the IPs and these (and many more like
them) were the only ones in the maillog.  There were no entries
in messages matching any of the IPs.  I'm discarding all tcp
port:25 from 64.224.219.0/24 since there are multiple
addresses that are creating the first type where there is a
'nobody@'.

Is the 218.0.249.183 a _known_ open relay, or what is the
difference between the two?  I have quite a few similar entries
in the last day or so from other IP addresses.  I've run the
open-relay tests from several sources listed in the archives
(ORDB, etc.) and confirmed that I am NOT an open relay, nor
listed as one...

-- Paul
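One way to do the log triage Dan describes, as an added example that is not part of this thread: it parses the sendmail NOQUEUE lines quoted above, ties each one to earlier lines logged by the same sendmail child PID (so a connection that tried several unknown recipients before the "did not issue MAIL/EXPN/VRFY/ETRN" line stands out from one that just connected and hung up), and counts hits per /24 the way Paul is filtering 64.224.219.0/24. The hostname, PIDs, queue IDs and addresses in SAMPLE_LOG are constructed, and the "User unknown" / "No such user here" wording is assumed to be what your sendmail logs for a rejected recipient.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted in the thread; hostname,
# PIDs, queue IDs and addresses are made up for this example.
SAMPLE_LOG = """\
Mar  6 11:24:59 gizmo sendmail[9626]: h26JOx09626: <bob@example.org>... User unknown
Mar  6 11:25:01 gizmo sendmail[9626]: h26JOx09626: <carol@example.org>... User unknown
Mar  6 11:25:04 gizmo sendmail[9626]: NOQUEUE: nobody@[64.224.219.95] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar  6 11:40:10 gizmo sendmail[9701]: NOQUEUE: nobody@[64.224.219.12] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar  6 12:13:27 gizmo sendmail[12572]: NOQUEUE: [218.0.249.183] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

PID_RE = re.compile(r"sendmail\[(?P<pid>\d+)\]:")
NOQUEUE_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: NOQUEUE: (?:(?P<user>[^@\s]+)@)?\[(?P<ip>[\d.]+)\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN")
# Assumed wording of a rejected-recipient line (the second is Dan's phrase).
UNKNOWN_USER = ("User unknown", "No such user here")

def net24(ip):
    """Aggregate a dotted-quad address to its /24, as Paul is filtering."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def analyze(log_text):
    """Return (events, per-/24 counts) for every NOQUEUE line in log_text."""
    lines = log_text.splitlines()
    # Group lines by sendmail child PID: one child serves one SMTP connection,
    # so earlier lines with the same PID (within the same window, since PIDs
    # are recycled) show what that client did before it hung up.
    by_pid = defaultdict(list)
    for line in lines:
        m = PID_RE.search(line)
        if m:
            by_pid[m.group("pid")].append(line)
    events, per_net = [], defaultdict(int)
    for line in lines:
        m = NOQUEUE_RE.search(line)
        if not m:
            continue
        pid, ip = m.group("pid"), m.group("ip")
        # Count rejected-recipient lines from the same connection.
        probes = sum(any(k in l for k in UNKNOWN_USER) for l in by_pid[pid])
        per_net[net24(ip)] += 1
        events.append({"ip": ip, "pid": pid, "user_part": m.group("user"),
                       "unknown_user_hits": probes,
                       "verdict": "address probing" if probes else "connect-and-quit"})
    return events, dict(per_net)
```

Run it over your real maillog with `analyze(open("/var/log/maillog").read())`; the PID grouping is what tells you whether 9626 was probing addresses or merely connecting.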