
RE: [cobalt-security] Weird user on my SMTP



> -----Original Message-----
> From: Colin J. Raven [mailto:cjraven@xxxxxxxxxxx]
> Sent: 25 March 2001 17:15

> On Sun, 25 Mar 2001, Carrie Bartkowiak wrote:
> 
> > > When I use Netstat -a to see what's happening on my box i keep
> > > seeing this user on my smtp port.
> > > tcp        0      0 128.242.221.53:smtp     213.201.148.18:62702
> > > TIME_WAIT

What entries do you see in your /var/log/maillog file relating to this?

> > After you added him to your hosts.deny file, did you try turning off
> > email so that he'd be disconnected, then turning it back on?

Sendmail isn't started by the inetd, so its connections won't be restricted
by tcp wrappers anyway (I *think* there's a kludgey way of getting it to
use tcp_wrappers but I'm sticking to basics for now).

Reading "man tcpd" and the contents of /usr/doc/tcp_wrappers-7.6 is
definitely worth your time.

> > You might also want to check your email parameters and make 
> > sure this IP isn't allowed to send out mail; could be that he's 
> > hooked up to you and using you for a spam machine. (Make sure
> > that he's listed in the GUI for not being able to connect also.)

Good advice, but are you sure these connections aren't just the tail end of
the legitimate delivery of mail?

Considering that the source address quoted above has an MTA listening on
port 25 these connections possibly aren't as malicious as you think.

> How recently have you done a check to see if you've been haqd?

That's the next step....

> I'd restart inetd too, to load all network services back up 
> again.

Not relevant to this problem, sendmail is started by
/etc/rc.d/init.d/sendmail so unless you've done some serious playing with
your RaQ the inetd isn't involved.

> IIRC (correct me if I'm off-base anyone please) restarting inetd 
> will make the system go look at hosts.allow and deny and reload 'em.

No, as far as I can tell alterations to the files take immediate effect.  A
30 second test on a local box shows this, and I can't see any mention
otherwise after a *quick* scan of the documentation.

(btw - all of the above is relating to the RaQ3, but I don't expect the
above has changed drastically on later versions).

(also note, be careful when playing with /etc/hosts.allow, make sure you
don't lock yourself out).

-- 
Nick Drage - Security Architecture - Demon Internet - Thus PLC
As of Mon 26/03/2001 at  9:00 
This computer has been up for 5 days, 16 hours, 0 minutes, 18 seconds.
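The triage the reply above suggests (look at the peer's connection states on the smtp port, then check whether the same address shows up as a relay in /var/log/maillog), as an added example that is not part of the original thread. The netstat and maillog lines are constructed samples; the awk assumes the Linux netstat column order (proto, recv-q, send-q, local, foreign, state) and the sendmail `relay=host [ip]` log format.

```shell
#!/bin/sh
# Constructed `netstat -an`-style sample (not captured from the thread's box).
NETSTAT_SAMPLE='tcp        0      0 128.242.221.53:25       213.201.148.18:62702    TIME_WAIT
tcp        0      0 128.242.221.53:25       213.201.148.18:62710    TIME_WAIT
tcp        0      0 128.242.221.53:25       192.0.2.44:40021        ESTABLISHED
tcp        0      0 128.242.221.53:22       198.51.100.7:51200      ESTABLISHED'

# Constructed /var/log/maillog sample: one inbound delivery relayed from the
# same peer, logged by sendmail as "relay=hostname [ip]".
MAILLOG_SAMPLE='Mar 25 17:10:01 raq sendmail[1234]: f2PHA1n01234: from=<someone@example.com>, size=1024, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.net [213.201.148.18]
Mar 25 17:10:02 raq sendmail[1234]: f2PHA1n01234: to=<user@example.org>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent'

# smtp_peers: one line per "peer_ip state count" for connections whose local
# side is port 25 (numeric or the "smtp" service name). A peer that only ever
# appears in TIME_WAIT has finished its sessions normally; a pile of
# ESTABLISHED sessions from one address is the case worth chasing.
smtp_peers() {
    printf '%s\n' "$NETSTAT_SAMPLE" \
    | awk '$1 == "tcp" && $4 ~ /:(25|smtp)$/ {
               split($5, peer, ":")
               count[peer[1] " " $6]++
           }
           END { for (k in count) print k, count[k] }' \
    | sort
}

# maillog_for IP: the maillog lines in which sendmail recorded that peer as
# the relay, i.e. evidence the connections were ordinary deliveries.
maillog_for() {
    printf '%s\n' "$MAILLOG_SAMPLE" | grep -F "[$1]"
}

# Usage: summarise, then show what the mail log says about each peer.
smtp_peers | while read -r ip state n; do
    echo "$ip $state x$n"
    maillog_for "$ip" | sed 's/^/    maillog: /'
done
```

Run it against the real `netstat -an` and `/var/log/maillog` by replacing the two sample variables with the command output and log file; the two functions do not change.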