Sendmail DOS ?

From: Fragga (fragga@fragga.co.uk)
Date: 03/27/02


From: "Fragga" <fragga@fragga.co.uk>
To: <incidents@securityfocus.com>
Date: Wed, 27 Mar 2002 04:30:37 -0600

Greetings,

I just wondered if anyone can help me out with a possible incident / DOS.
For the past 10 hours or so I have been getting sendmail log entries like:
....
Mar 27 06:30:19 hostname sendmail[690]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:31:29 hostname sendmail[752]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:32:39 hostname sendmail[792]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:33:49 hostname sendmail[834]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:34:59 hostname sendmail[896]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
.... continuous ......

They are happening every 1 min and 10 seconds roughly and, as I said, have been
going on for about 10-12 hours, all from the same host...
I've sniffed the traffic and captured the whole session. It's quite short and
I have recreated it from another machine below ....

-- Start Session --
Connected to *.*.*.*.
Escape character is '^]'.
220 hostname.net ESMTP Sendmail 8.10.2/8.10.2; Wed, 27 Mar 2002 09:02:13 GMT
EHLO michael
250-hostname.net Hello **.*****.com [*.*.*.*], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE 2097152
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH PLAIN
250 HELP

500 5.5.1 Command unrecognized: ""
AUTH PLAIN
334 =
AHZpYXVrAA==
500 5.7.0 authentication failed
QUIT
221 2.0.0 hostname.net closing connection
-- End Session --

I don't understand what this person's trying to do, as it's using the same
password each time and using this same "michael" hostname, so it appears not to
be a bruteforce.

Is this just a small pointless automated DOS or could it be something more
worrying? Could anyone shed any light on this or offer any advice? I know I
could just add it to hosts.deny, but I'm just trying to figure out why it's
going on and prevent it happening again. Any suggestions / linkage would be
great.

Many thanks.

fragga

PS: I made a post on here before but it got returned ... dunno why :(

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
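The two artefacts in the post, the repeating NOQUEUE entries and the captured AUTH PLAIN exchange, can both be checked mechanically. The script below is an added example, not part of the original message or of sendmail: it parses log lines in the format quoted above (the sample is constructed, with documentation-range addresses standing in for the masked host and IP), groups connections by client IP, and flags any client that reconnects at a near-constant interval, which is what distinguishes an automated client from a person. It also splits the captured SASL PLAIN response into its three NUL-separated fields (authorization identity, authentication identity, password) per RFC 4616, which is how one reads what such a client is actually sending.

```python
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the entries quoted in the post.
# Hostnames and addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Mar 27 06:30:19 hostname sendmail[690]: NOQUEUE: host1-2-3-4.in-addr.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:31:29 hostname sendmail[752]: NOQUEUE: host1-2-3-4.in-addr.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:32:39 hostname sendmail[792]: NOQUEUE: host1-2-3-4.in-addr.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:33:49 hostname sendmail[834]: NOQUEUE: host1-2-3-4.in-addr.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:34:59 hostname sendmail[896]: NOQUEUE: host1-2-3-4.in-addr.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:35:02 hostname sendmail[901]: NOQUEUE: mail.example.org [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# Matches sendmail's "connected but never issued a command" notice.
# The syslog timestamp has no year, so the caller supplies one.
NOQUEUE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: NOQUEUE: "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] did not issue MAIL/EXPN/VRFY/ETRN"
)


def parse_noqueue(text, year=2002):
    """Return {client_ip: [datetime, ...]} for every matching log line."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = NOQUEUE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append(ts)
    return dict(events)


def find_repeat_offenders(events, min_hits=3, max_jitter=5.0):
    """Return {ip: (hit_count, median_interval_seconds)} for clients that
    connected at least min_hits times with a near-constant gap between
    connections (spread of intervals <= max_jitter seconds).  A steady
    period like the ~70 s seen in the post is the signature of a script."""
    flagged = {}
    for ip, times in events.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            flagged[ip] = (len(times), statistics.median(gaps))
    return flagged


def decode_auth_plain(b64_response):
    """Split a SASL PLAIN initial/continuation response (RFC 4616) into
    (authzid, authcid, passwd).  The three fields are NUL-separated; the
    authorization identity is usually empty."""
    raw = base64.b64decode(b64_response)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN response must have exactly 3 fields")
    return tuple(p.decode("utf-8", errors="replace") for p in parts)


if __name__ == "__main__":
    offenders = find_repeat_offenders(parse_noqueue(SAMPLE_LOG))
    for ip, (count, period) in offenders.items():
        print(f"{ip}: {count} empty connections, one every {period:.0f}s")
    # The response captured in the post's session.
    print("AUTH PLAIN fields (authzid, authcid, passwd):",
          decode_auth_plain("AHZpYXVrAA=="))
```

On the post's own data the decoder shows the client presenting an empty authorization identity, a fixed authentication identity and an empty password, which matches the poster's observation that the same credential is offered on every connection; a steady 70-second period with zero jitter from one address is the kind of pattern a log monitor can alert on, and the per-client evidence it produces is what you would want before adding an address to hosts.deny or a sendmail access map.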
