
Re: [cobalt-security] Sendmail attacks



Hi Parker,

> Nov  5 23:02:38 bluebird sendmail[16695]: hA642aR16695: POSSIBLE ATTACK
> from ANantes-106-1-18-206.w81-49.abo.wanadoo.fr: newline in string
> "geqigpuayu^M "
>
> ...but of course, the IP/hostname changes nearly every time. There's no
> consistent pattern.
>
> I'd say these have gone from one per week to fifteen or twenty per day
> over the course of the last week. Is anyone else seeing this?

No, I haven't seen these in quite a while.

As far as I know it targets a pretty old vulnerability - not even one of the 
three recently detected ones. I think this one was discovered back in 1995, 
and since then this logging mechanism has been part of Sendmail.

The logging in specific is generated by sendmail/util.c and is part of the 
stock Sendmail-8.10.2 code.

The input parser of Sendmail checks whether there are newline characters in 
places where there should be none. If a string that is too long is received, 
it is shortened. If a newline is added where there should be none, then the 
input is truncated too, and the above warning appears in the maillog.

If you don't have French customers, then you might possibly consider blocking 
wanadoo.fr in general - although that's a bit drastic. But as far as I can 
tell the Sendmail you have should reasonably protect you against this 
exploit.

OTOH, with regard to attacks: in the last couple of days I've heard from 
multiple people (and had to endure these scans myself) that there are 
currently tons of automated scans against FTP - with the username admin. 
These scans seem to be automated and appear to go to multiple IP addresses in 
the same subnet at the same time.

So a quick reminder to all with easy-to-guess or dictionary-based admin 
passwords: change your admin password to something at least 8 characters 
long, mix upper case and lower case, and throw in some digits and special 
characters.

-- 

With best regards,

Michael Stauber
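As an added example (not part of the thread or of Sendmail itself), a small Python script that pulls the "POSSIBLE ATTACK ... newline in string" lines out of a maillog and summarises them per day and per source domain, which is the check one would run to judge whether the rate Parker reports is still rising and whether any one network really dominates. The first sample line is the one quoted above; the other log lines and the hosts in them are constructed.

```python
import re
from collections import Counter

# Constructed sample maillog excerpt: the first line is the one quoted in the
# thread, the rest are made-up lines in the same format (example/TEST-NET hosts).
SAMPLE_MAILLOG = """\
Nov  5 23:02:38 bluebird sendmail[16695]: hA642aR16695: POSSIBLE ATTACK from ANantes-106-1-18-206.w81-49.abo.wanadoo.fr: newline in string "geqigpuayu^M "
Nov  5 23:15:02 bluebird sendmail[16801]: hA64F2R16801: from=<user@example.org>, size=1204, class=0, nrcpts=1
Nov  6 01:10:44 bluebird sendmail[17002]: hA71AiR17002: POSSIBLE ATTACK from [192.0.2.10]: newline in string "xkcdqwpoiu^M "
Nov  6 03:41:19 bluebird sendmail[17110]: hA73fJR17110: POSSIBLE ATTACK from host.example.net: newline in string "abcabcabca^M "
"""

# Matches the "POSSIBLE ATTACK ... newline in string" line Sendmail writes to the
# maillog; the source field is matched non-greedily so bracketed IP literals parse too.
ATTACK_LINE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sendmail\[(?P<pid>\d+)\]: (?P<qid>\w+): "
    r"POSSIBLE ATTACK from (?P<source>.+?): newline in string \"(?P<string>.*)\"$"
)


def parse_attacks(log_text):
    """Return one dict per POSSIBLE ATTACK line; all other maillog lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = ATTACK_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["date"] = f"{rec['month']} {int(rec['day'])}"
            records.append(rec)
    return records


def daily_counts(records):
    """Events per calendar day, to spot a jump from 'one per week' to 'twenty per day'."""
    return dict(Counter(r["date"] for r in records))


def source_domains(records):
    """Collapse each source to its last two DNS labels (IP literals are kept whole),
    the granularity at which a block such as 'wanadoo.fr' would be decided."""
    def domain(src):
        return src if src.startswith("[") else ".".join(src.split(".")[-2:])
    return dict(Counter(domain(r["source"]) for r in records))


def noisy_days(records, threshold=15):
    """Days on which the event count reaches the per-day rate the post describes."""
    return sorted(d for d, n in daily_counts(records).items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_attacks(SAMPLE_MAILLOG)
    print(daily_counts(recs), source_domains(recs), noisy_days(recs))
```

Run it against a real /var/log/maillog by replacing SAMPLE_MAILLOG with the file's contents; only the POSSIBLE ATTACK lines are counted.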