
Re: [cobalt-users] Re: What does sendmail exploit look like in logs?



> >Just started getting flooded with these...is this the result of the latest
> >sendmail exploit?
> >
> >Mar  6 12:02:26 gizmo sendmail[11890]: NOQUEUE: nobody@[64.224.219.95] did
> >not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
> >Mar  6 12:13:27 gizmo sendmail[12572]: NOQUEUE: [218.0.249.183] did not
> >issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> Nope - I don't believe so. We get it from various places every now and then.
> I think it's probably spammers looking for hosts running SMTP servers so
> they can come back later and try to get usernames.
>
> If you consistently get them from the same IP address you may want to tell
> them to go away via your access file or block them at the firewall
> entirely.
>
>
> If you have patched your copy of sendmail (according to CERT advisory) you
> would get messages from sendmail in your maillog like:
>
> 'Dropped invalid comments from header address'
>
> if they are trying to use this latest exploit.
>
> To verify that you have a patched version of sendmail you might like to do
> the following:
>
> strings /usr/sbin/sendmail | grep "Dropped invalid comments"
>
> and see that you get the line pop out!

Did that earlier this week and just confirmed with the strings
command as shown above.  I guess it's just the effects of spam
hitting the fan...

Thanks for your help!

-- Paul
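As an added example (not code from the thread or from the sendmail project), the following script applies the two log checks discussed above to a maillog: it counts the NOQUEUE "did not issue MAIL/EXPN/VRFY/ETRN" probes per source IP, so repeat probers can be added to the access file or firewall, and it flags the "Dropped invalid comments from header address" message that a patched sendmail logs, tying it back to the relay IP through the queue id. The sample log lines, host name and IP addresses are constructed; the relay= field layout assumed here follows the common sendmail from= line format.

```python
import re
from collections import Counter

# Constructed sample /var/log/maillog lines for this example (not from the
# original thread); the addresses are documentation ranges, not real hosts.
SAMPLE_MAILLOG = """\
Mar  6 12:02:26 gizmo sendmail[11890]: NOQUEUE: nobody@[192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar  6 12:13:27 gizmo sendmail[12572]: NOQUEUE: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar  6 12:20:01 gizmo sendmail[12601]: h26C0k1s012601: from=<alice@example.org>, size=1024, class=0, nrcpts=1, proto=ESMTP, relay=[198.51.100.7]
Mar  6 12:20:02 gizmo sendmail[12601]: h26C0k1s012601: Dropped invalid comments from header address
Mar  6 12:31:44 gizmo sendmail[12650]: NOQUEUE: [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar  6 12:40:09 gizmo sendmail[12700]: h26C2e3q012700: from=<bob@example.net>, size=512, class=0, nrcpts=1, proto=SMTP, relay=mail.example.net [203.0.113.5]
"""

# Connection opened but no SMTP command sent: a scanner or spammer probing for an MTA.
PROBE_RE = re.compile(r"NOQUEUE: (?:\S+@)?\[(\d+\.\d+\.\d+\.\d+)\] did not issue MAIL/EXPN/VRFY/ETRN")
# Envelope line: queue id plus relay IP, so later per-queue-id messages can be tied to a sender.
FROM_RE = re.compile(r"sendmail\[\d+\]: (\w+): from=.*relay=.*\[(\d+\.\d+\.\d+\.\d+)\]")
# Logged by a sendmail patched per the CERT advisory when it sanitizes a malformed header address.
DROPPED_RE = re.compile(r"sendmail\[\d+\]: (\w+): Dropped invalid comments from header address")


def scan_maillog(text):
    """Return per-IP probe counts and the header-address exploit attempts a patched sendmail blocked."""
    probes = Counter()
    relay_by_qid = {}
    attempts = []
    for line in text.splitlines():
        if m := PROBE_RE.search(line):
            probes[m.group(1)] += 1
        elif m := FROM_RE.search(line):
            relay_by_qid[m.group(1)] = m.group(2)
        elif m := DROPPED_RE.search(line):
            qid = m.group(1)
            attempts.append((qid, relay_by_qid.get(qid, "unknown")))
    return {"probes": probes, "exploit_attempts": attempts}


def repeat_probers(probes, threshold=2):
    """IPs that probed at least `threshold` times: candidates for the access file or firewall."""
    return sorted(ip for ip, n in probes.items() if n >= threshold)


if __name__ == "__main__":
    result = scan_maillog(SAMPLE_MAILLOG)
    for ip, n in result["probes"].most_common():
        print(f"probe   {ip:<16} {n} connection(s) with no MAIL/EXPN/VRFY/ETRN")
    for qid, ip in result["exploit_attempts"]:
        print(f"BLOCKED header-address exploit attempt, queue id {qid}, relay {ip}")
    print("repeat probers:", repeat_probers(result["probes"]))
```

Run it against a real maillog with `scan_maillog(open("/var/log/maillog").read())`; a "Dropped invalid comments" hit is evidence of an attempt that the patch neutralized, not of a compromise.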