Re: [cobalt-security] Weird sendmail occurrence -- please advise
- Subject: Re: [cobalt-security] Weird sendmail occurrence -- please advise
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Sat, 1 Feb 2003 11:58:39 +0100
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Glenn,

> I just saw a strange attack on my Cobalts that serve mail.
>
> Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
> [192.168.5.5]: EXPN root [rejected]
>
> Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
> [192.168.5.5]: VRFY root [rejected]
>
> Can anyone explain what happened here? It looks like I'm getting hacked
> from my firewall!?

See this: http://www.demarc.com/arachnids/IDS31/research.html
Quote from that page: "expn is a valid part of the SMTP protocol, however it
is not commonly used to gather information about system accounts such as
root. This behavior is indicative of a probe."
--
With best regards,
Michael Stauber
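
Added example, not part of the original message or of any Cobalt or sendmail tooling: a small Python log check that groups rejected EXPN/VRFY commands by source address and marks lookups of system accounts such as root, using the log format quoted above. The `SYSTEM_ACCOUNTS` watch list, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
PROBE = re.compile(
    r"sendmail\[\d+\]: NOQUEUE: (?P<host>\S+) \[(?P<ip>[\d.]+)\]: "
    r"(?P<cmd>EXPN|VRFY) (?P<target>\S+) \[rejected\]")
# Assumed watch list of account names; adjust for the site.
SYSTEM_ACCOUNTS = {"root", "admin", "postmaster", "operator"}

def unfold(text):
    """Strip mail-quote prefixes and rejoin entries wrapped across lines."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not entries:
            entries.append(line)          # a timestamp starts a new entry
        else:
            entries[-1] += " " + line     # continuation of a wrapped entry
    return entries

def find_probes(text):
    """Return {source_ip: summary} for rejected EXPN/VRFY commands."""
    probes = defaultdict(lambda: {"host": None, "commands": set(),
                                  "targets": set(), "system_account": False})
    for entry in unfold(text):
        m = PROBE.search(entry)
        if not m:
            continue                      # ordinary mail traffic, not a lookup
        rec = probes[m["ip"]]
        rec["host"] = m["host"]
        rec["commands"].add(m["cmd"])
        rec["targets"].add(m["target"])
        rec["system_account"] |= m["target"].lower() in SYSTEM_ACCOUNTS
    return dict(probes)

# Constructed sample: first entry quoted and wrapped as in the post, rest unwrapped.
SAMPLE = """\
> Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
> [192.168.5.5]: EXPN root [rejected]
Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com [192.168.5.5]: VRFY root [rejected]
Jan 31 11:07:02 mail sendmail[11512]: NOQUEUE: host.example.net [192.0.2.10]: VRFY glenn [rejected]
Feb  1 09:00:00 mail sendmail[12001]: h1190012001: from=<a@example.org>, size=812, nrcpts=1
"""

if __name__ == "__main__":
    for ip, rec in find_probes(SAMPLE).items():
        flag = "SYSTEM ACCOUNT" if rec["system_account"] else "user lookup"
        print(ip, rec["host"], sorted(rec["commands"]), sorted(rec["targets"]), flag)
```

A source that appears here with an internal address, as in the quoted log, is worth tracing on the reporting host itself before treating the entry as an external probe.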