
Re: [cobalt-security] Weird sendmail occurrence -- please advise



Hi Glenn,

> I just saw a strange attack on my Cobalts that serve mail.
>
> Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
> [192.168.5.5]: EXPN root [rejected]
>
> Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
> [192.168.5.5]: VRFY root [rejected]
>
> Can anyone explain what happened here? It looks like I'm getting hacked
> from my firewall!? 

See this: http://www.demarc.com/arachnids/IDS31/research.html

Quote from that page: "expn is a valid part of the SMTP protocol, however it 
is not commonly used to gather information about system accounts such as 
root. This behavior is indicative of a probe."

-- 

With best regards,

Michael Stauber
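
Added example, not part of the original message and not code from sendmail or the linked page: a Python check that picks EXPN/VRFY lines like the ones quoted above out of a mail log and groups them by source address, including records that a mail client has wrapped and quoted. The sample log is constructed (the two quoted records plus two invented lines), and the function names and the SYSTEM_ACCOUNTS list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: two quoted, mail-wrapped records from the post plus two invented lines.
SAMPLE_LOG = """\
> Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
> [192.168.5.5]: EXPN root [rejected]
>
> Jan 31 11:06:14 mail sendmail[11500]: NOQUEUE: blinky.mydomain.com
> [192.168.5.5]: VRFY root [rejected]
Jan 31 11:09:41 mail sendmail[11532]: NOQUEUE: host.example.net [192.0.2.10]: VRFY glenn [rejected]
Jan 31 11:10:02 mail sendmail[11540]: f0VGA2x11540: from=<a@example.net>, size=812, nrcpts=1
"""

TIMESTAMP_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
PROBE_RE = re.compile(
    r"sendmail\[\d+\]: NOQUEUE: (?P<host>\S+) \[(?P<ip>[^\]]+)\]: "
    r"(?P<cmd>EXPN|VRFY) (?P<target>\S+)(?P<rejected> \[rejected\])?"
)
# Assumption: which local parts count as system accounts worth alerting on.
SYSTEM_ACCOUNTS = {"root", "bin", "daemon", "admin", "postmaster"}

def unwrap(text):
    """Strip '>' quoting and rejoin records that were wrapped onto a second line."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if line and (TIMESTAMP_RE.match(line) or not records):
            records.append(line)          # a syslog timestamp starts a new record
        elif line:
            records[-1] += " " + line     # continuation of the previous record
    return records

def find_probes(text):
    """Summarise EXPN/VRFY attempts per source IP address."""
    sources = defaultdict(lambda: {"host": "", "commands": set(), "targets": set(),
                                   "rejected": 0, "system_account": False})
    for record in unwrap(text):
        m = PROBE_RE.search(record)
        if m:
            entry = sources[m["ip"]]
            entry["host"] = m["host"]
            entry["commands"].add(m["cmd"])
            entry["targets"].add(m["target"])
            entry["rejected"] += 1 if m["rejected"] else 0
            entry["system_account"] |= m["target"].lower() in SYSTEM_ACCOUNTS
    return dict(sources)
```

A source whose summary has `system_account` set, or that tries both EXPN and VRFY, matches the probe pattern described in the quoted page.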