[cobalt-security] Weird sendmail occurrence -- please advise
- Subject: [cobalt-security] Weird sendmail occurrence -- please advise
- From: DNSAdmin <dnsadmin@xxxxxxxxxxxxx>
- Date: Fri, 31 Jan 2003 12:42:28 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hello All,
I just saw a strange attack on my Cobalts that serve mail.
I have two T-1 networks that were involved with this message. In order to
protect the innocent, hypothetically let's say network A has a valid Internet
IP range of 10.1.1.0/24 and another disjoint network B of 192.168.5.0/24.
I have a firewall on 192.168.5.0/24 at blinky.mydomain.com [192.168.5.5].
I have a mail server on 10.1.1.0/24 at mail.mydomain.com.
Here is what I got from LogSentry the last hour:
Subject: mail.mydomain.com 01/31/03:12.00 ACTIVE SYSTEM ATTACK!
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
[192.168.5.5]: EXPN root [rejected]
Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
[192.168.5.5]: VRFY root [rejected]
Security Violations
=-=-=-=-=-=-=-=-=-=
Jan 31 11:00:02 mail imapd[11134]: Login failure user=Active_Monitor_69
host=localhost [127.0.0.1]
Jan 31 11:05:27 mail in.qpopper[11478]: EOF from at 192.168.5.5
(blinky.mydomain.com): [0] 29 (Illegal seek); 0 (Success)
Jan 31 11:05:27 mail in.qpopper[11478]: (null) at blinky.mydomain.com
(192.168.5.5): -ERR POP EOF or I/O Error: 29 (Illegal seek); 0 (Success)
Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
[192.168.5.5]: EXPN root [rejected]
Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
[192.168.5.5]: VRFY root [rejected]
Jan 31 11:06:38 mail sendmail[11532]: LAA11532: ruleset=check_mail,
arg1=blade@lans, relay=blinky.mydomain.com [192.168.5.5], reject=501
blade@xxxxxxx Sender domain must exist
Can anyone explain what happened here? It looks like I'm getting hacked
from my firewall!? Is there something I am not understanding here?
Thanks,
Glenn
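The alert above mixes events from several daemons, and the first thing a responder wants is a per-source timeline: which hosts triggered the entries, which services they touched, how tightly clustered in time the entries are, and whether the server refused each request or the client simply dropped the connection. The script below is an added example (not part of Glenn's post and not LogSentry's own code) that does that triage over the log lines from the post; the sample lines are re-joined from the wrapped syslog entries exactly as quoted, the classification labels are my own, and the script draws no conclusion about the intent of the source host, it only reports what the server logged.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the syslog entries from the post, re-joined onto single lines
# (the mail client wrapped each one across two lines).
SAMPLE_LOG = """\
Jan 31 11:00:02 mail imapd[11134]: Login failure user=Active_Monitor_69 host=localhost [127.0.0.1]
Jan 31 11:05:27 mail in.qpopper[11478]: EOF from at 192.168.5.5 (blinky.mydomain.com): [0] 29 (Illegal seek); 0 (Success)
Jan 31 11:05:27 mail in.qpopper[11478]: (null) at blinky.mydomain.com (192.168.5.5): -ERR POP EOF or I/O Error: 29 (Illegal seek); 0 (Success)
Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com [192.168.5.5]: EXPN root [rejected]
Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com [192.168.5.5]: VRFY root [rejected]
Jan 31 11:06:38 mail sendmail[11532]: LAA11532: ruleset=check_mail, arg1=blade@lans, relay=blinky.mydomain.com [192.168.5.5], reject=501 blade@xxxxxxx Sender domain must exist
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def classify(prog, msg):
    """Map a daemon message to (event label, server_refused_it).

    The labels are this example's own vocabulary, not LogSentry's.
    'refused' is True only when the server itself rejected the request;
    a POP session that ended with EOF is the client going away, not a refusal.
    """
    if prog == "sendmail":
        m = re.search(r"\b(EXPN|VRFY) (\S+) \[rejected\]", msg)
        if m:
            return f"smtp_{m.group(1).lower()}_rejected", True
        m = re.search(r"ruleset=check_mail, .*reject=(\d{3})", msg)
        if m:
            return f"smtp_sender_rejected_{m.group(1)}", True
        return "smtp_other", False
    if prog == "in.qpopper" and ("EOF" in msg or "I/O Error" in msg):
        return "pop_session_aborted", False
    if prog == "imapd" and "Login failure" in msg:
        return "imap_login_failure", True
    return "unclassified", False


def parse_line(line):
    """Parse one syslog line; return None for lines that do not fit the layout."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # No year in BSD syslog timestamps; strptime defaults to 1900, which is fine
    # for computing differences within one day.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    ip = IP_RE.search(ev["msg"])
    ev["src"] = ip.group(1) if ip else "unknown"
    ev["event"], ev["refused"] = classify(ev["prog"], ev["msg"])
    return ev


def summarize(log_text):
    """Group events by source IP and produce a per-source triage summary."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])  # stable sort keeps log order on ties
        report[src] = {
            "count": len(evs),
            "services": sorted({e["prog"] for e in evs}),
            "events": [e["event"] for e in evs],
            "span_seconds": int((evs[-1]["ts"] - evs[0]["ts"]).total_seconds()),
            "refused": sum(1 for e in evs if e["refused"]),
        }
    return report


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

On the post's lines the summary shows two sources: 127.0.0.1 with a single imapd login failure, and 192.168.5.5 (the firewall) touching both in.qpopper and sendmail within 71 seconds, with every SMTP request it made (EXPN, VRFY, and the MAIL FROM with a non-existent sender domain) refused by sendmail and nothing accepted. That is the shape of the evidence to take to whoever administers blinky: what that host was doing on ports 110 and 25 at 11:05, not whether mail.mydomain.com was compromised, since the log records only rejections.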