
[cobalt-security] sendmail hack?



I have an entry in the logs like this:

7 04:44:02 ns sendmail[306]: NOQUEUE: Null connection from 24-90-190-122.nyc.rr.com [24.90.190.122]
Oct  7 05:00:40 ns in.qpopper[972]: (v?)

Followed by a legitimate POP login

After this, several logcheck files are considerably reduced (3K) and
only show the following info:

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Oct  7 05:30:45 ns named[554]: Cleaned cache of 19 RRsets
Oct  7 05:30:45 ns named[554]: USAGE 1033986645 1033109953 CPU=5.73u/3.09s CHILDCPU=0u/0s
Oct  7 05:30:45 ns named[554]: NSTATS 1033986645 1033109953 A=1716 NS=1 CNAME=6 SOA=3 PTR=2292 MX=971 TXT=1 AAAA=238 38=228 ANY=764
Oct  7 05:30:45 ns named[554]: XSTATS 1033986645 1033109953 RR=3246 RNXD=92 RFwdR=2005 RDupR=0 RFail=5 RFErr=0 RErr=1 RAXFR=0 RLame=10 ROpts=0 SSysQ=1071 SAns=6905 SFwdQ=1476 SDupQ=134 SErr=0 RQ=7039 RIQ=1 RFwdQ=1476 RDupQ=3 RTCP=0 SFwdR=2005 SFail=0 SFErr=0 SNaAns=3319 SNXD=137 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0

As well, virtual sites were unavailable for a period of time and the
legitimate POP logins did not function.

Any ideas what I should do next?

Thanks,

Sean