
RE: [cobalt-security] Weird user on my SMTP



>> -----Original Message-----
>> From: Colin J. Raven [mailto:cjraven@xxxxxxxxxxx]
>> Sent: 25 March 2001 17:15
>
>> On Sun, 25 Mar 2001, Carrie Bartkowiak wrote:
>>
>> > > When I use netstat -a to see what's happening on my box I keep
>> > > seeing this user on my smtp port.
>> > > tcp        0      0 128.242.221.53:smtp     213.201.148.18:62702
>> > > TIME_WAIT
>
>What entries do you see in your /var/log/maillog file relating to this?
>
>> > After you added him to your hosts.deny file, did you try
>turning off
>> > email so that he'd be disconnected, then turning it back on?
>
>Sendmail isn't started by the inetd, so its connections won't
>be restricted
>by tcp wrappers anyway ( I *think* there's a kludgey way of
>getting it to
>use tcp_wrappers but I'm sticking to basics for now).
>
>Reading "man tcpd" and the contents of /usr/doc/tcp_wrappers-7.6 is
>definitely worth your time.
>
>> > You might also want to check your email parameters and make
>> > sure this IP isn't allowed to send out mail; could be that he's
>> > hooked up to you and using you for a spam machine. (Make sure
>> > that he's listed in the GUI for not being able to connect also.)
>
>Good advice, but are you sure these connections aren't just
>the tail end of
>the legitimate delivery of mail?
>
>Considering that the source address quoted above has an MTA
>listening on
>port 25 these connections possibly aren't as malicious as you think.
>
>> How recently have you done a check to see if you've been haqd?
>
>That's the next step....
>
>> I'd restart inetd too, to load all network services back up
>> again.
>
>Not relevant to this problem, sendmail is started by
>/etc/rc.d/init.d/sendmail so unless you've done some serious
>playing with
>your RaQ the inetd isn't involved.
>
>> IIRC (correct me if I'm off-base anyone please) restarting inetd
>> will make the system go look at hosts.allow and deny and reload 'em.
>
>No, as far as I can tell alterations to the files take
>immediate effect.  A
>30 second test on a local box shows this, and I can't see any mention
>otherwise after a *quick* scan of the documentation.
>
>( btw - all of the above is relating to the RaQ3, but I don't
>expect the
>above has changed drastically on later versions ).
>
>( also note, be careful when playing with /etc/hosts.allow,
>make sure you
>don't lock yourself out ).
>
No no no.... I was referring to hosts.allow, hosts.deny. inetd should be
restarted if changes are made to either of those files no???? I wasn't
referring to sendmail.
Dammit...I don't have man pages for tcpd on my system...how completely
weird!!!!!!!!!!!!!
I gotta find another box around here or someplace else that *does* have
those pages.
<scratching head in puzzlement> I still don't understand why I don't have
'em.
-Colin
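The two checks the quoted reply points at, as an added example that is not from either poster: read /var/log/maillog for what sendmail actually logged about that source address (a legitimate inbound delivery looks very different from a refused relay attempt), and confirm whether smtp is even listed in inetd.conf under tcpd before expecting hosts.allow/hosts.deny to affect it. The netstat, maillog and inetd.conf lines below are constructed samples in the same format as the output quoted above (they reuse the two addresses from the thread plus 192.0.2.44 from the documentation range), not data from the original poster's RaQ, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): correlate netstat peers on the smtp
# port with sendmail's maillog, and check whether a service is tcpd-wrapped.
# All sample data below is constructed; only the address formats follow the
# netstat line quoted in the thread.

NETSTAT_SAMPLE='tcp        0      0 128.242.221.53:smtp     213.201.148.18:62702    TIME_WAIT
tcp        0      0 128.242.221.53:smtp     213.201.148.18:62710    ESTABLISHED
tcp        0      0 128.242.221.53:smtp     192.0.2.44:33120        TIME_WAIT
tcp        0      0 128.242.221.53:www      192.0.2.44:33121        ESTABLISHED'

MAILLOG_SAMPLE='Mar 25 17:10:01 raq sendmail[1201]: f2PHA1a01201: from=<alice@example.net>, size=812, class=0, nrcpts=1, proto=ESMTP, relay=[213.201.148.18]
Mar 25 17:10:02 raq sendmail[1203]: f2PHA1a01201: to=<bob@example.org>, delay=00:00:01, mailer=local, stat=Sent
Mar 25 17:12:40 raq sendmail[1210]: f2PHCea01210: ruleset=check_rcpt, arg1=<carol@example.com>, relay=[213.201.148.18], reject=550 5.7.1 <carol@example.com>... Relaying denied
Mar 25 17:15:00 raq sendmail[1220]: f2PHF0a01220: from=<dave@example.org>, size=2048, class=0, nrcpts=1, proto=SMTP, relay=[192.0.2.44]'

INETD_SAMPLE='ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
#smtp   stream  tcp     nowait  root    /usr/sbin/tcpd  sendmail -bs'

# Count connections per remote host whose local side is the smtp port.
# Reads "netstat -a" (or -an) style lines on stdin; prints "<count> <ip>",
# busiest peer first. TIME_WAIT entries count too: that is the state the
# thread's netstat line was in, and it is what a finished delivery leaves.
smtp_peer_counts() {
    awk '$1 == "tcp" && $4 ~ /:(smtp|25)$/ {
             split($5, a, ":"); n[a[1]]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Classify what sendmail logged for one remote address.
# Reads maillog lines on stdin; prints "inbound=N relay_denied=M" where
# inbound counts messages accepted from that host and relay_denied counts
# attempts to use this box as a relay that sendmail refused.
maillog_verdict() {
    awk -v tag="relay=[$1]" '
        index($0, tag) == 0 { next }
        /from=</            { inbound++ }
        /Relaying denied/   { denied++ }
        END { printf "inbound=%d relay_denied=%d\n", inbound, denied }'
}

# Report whether inetd starts a service through tcpd (so hosts.allow and
# hosts.deny apply), starts it directly ("unwrapped"), or does not list it
# at all ("absent", which is the case for sendmail on the RaQ, since it is
# started from /etc/rc.d/init.d/sendmail instead).
inetd_wrap_status() {
    awk -v svc="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == svc {
            found = 1
            s = ($6 ~ /tcpd$/) ? "wrapped" : "unwrapped"
            print s
            exit
        }
        END { if (!found) print "absent" }'
}

# Demo run over the constructed samples. On a real box replace the samples
# with "netstat -a", "cat /var/log/maillog" and "cat /etc/inetd.conf".
printf '%s\n' "$NETSTAT_SAMPLE" | smtp_peer_counts
printf '%s\n' "$MAILLOG_SAMPLE" | maillog_verdict 213.201.148.18
printf '%s\n' "$INETD_SAMPLE"   | inetd_wrap_status smtp
```

The point of running the maillog check before touching hosts.deny is the one made in the quoted reply: if the peer shows up with from= lines and nothing refused, those TIME_WAIT sockets are the tail end of ordinary deliveries; if it shows up in "Relaying denied" rejections, sendmail is already doing its job and a tcpd rule would not have reached it anyway, because smtp is "absent" from inetd.conf on this platform.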