Security Incidents mailing list archives
Re: Maillog Suspicious
From: lwcashd () BIW COM (Larry W. Cashdollar)
Date: Tue, 11 Jan 2000 22:49:51 -0500
This looks like a scanner judging by the short distance in time between probes. It appears they are looking for old sendmail vulnerabilities (DEBUG) and possibly trying to enumerate local accounts. The account probing also could be an attempt to determine your OS. On Wed, Jan 12, 2000 at 12:03:45AM +0200, flirtingboy20 wrote:
Dec 26 01:47:29 MOD2000 sendmail[1054]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149] Dec 26 01:47:51 MOD2000 sendmail[1062]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149] Dec 26 01:47:52 MOD2000 sendmail[1057]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149] Dec 26 01:47:55 MOD2000 sendmail[1067]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149] Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: "debug" command from pa149.zgora.ppp.tpnet.pl [212.160.14.149] (212.160.14.149) Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149] Dec 26 01:48:01 MOD2000 sendmail[1071]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root Dec 26 01:48:02 MOD2000 sendmail[1072]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn news Dec 26 01:48:02 MOD2000 sendmail[1074]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn postmaster Dec 26 01:48:03 MOD2000 sendmail[1075]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn majordomo Dec 26 01:48:04 MOD2000 sendmail[1076]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn decode Dec 26 01:48:05 MOD2000 sendmail[1077]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root Dec 26 01:48:05 MOD2000 sendmail[1070]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: EXPN attack? Dec 26 01:48:06 MOD2000 sendmail[1078]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn admin Dec 26 01:50:27 MOD2000 sendmail[1086]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149] Can anyone tell me exactly what this all mean? O yeah and another thing, which files to I check to look for port probing?
/var/log/messages but I doubt you will see much these days as crackers now use nmap with stealth scanning techniques to avoid detection. This scanner is capable of scanning your machine with out generating log entires because it doesnt complete the normal TCP 3-way handshake. If you want you can read up on it at www.insecure.org. If you want to log entires or block them I would use ipchains for linux. (or snort if you want to passivly watch them). -- Larry I apologize for any typos, I have a bandaid on my finger.
Many Thanks Adriaan
-- print pack"H2","7c";print pack"H39","4c6172727920572043617368646f6c6c61720909"; print pack"H44","0909556e69782041646d696e6973747261746f720a";print pack"H2","7c"; print pack"H52","436f6d707574657220536369656e63657320436f7270090909";#use perl print pack"H24","5065726c20697320436f6f6c";print pack"H6","0a7c0a";
Current thread:
- An Embryonic Counterintelligence Tool, (continued)
- An Embryonic Counterintelligence Tool Stephen P. Berry (Jan 14)
- Re: An Embryonic Counterintelligence Tool Vanja Hrustic (Jan 18)
- Maillog Suspicious flirtingboy20 (Jan 11)
- Re: Maillog Suspicious David A. Bandel (Jan 11)
- Re: Maillog Suspicious James Phillips (Jan 11)
- Re: Maillog Suspicious Yiorgos Adamopoulos (Jan 11)
- strange entrys in /var/log/messages Ben Russell (Jan 11)
- Re: strange entrys in /var/log/messages Christopher Wilson (Jan 12)
- Re: strange entrys in /var/log/messages Robert Graham (Jan 12)
- Re: Maillog Suspicious Jose Nazario (Jan 11)
- Re: Maillog Suspicious Larry W. Cashdollar (Jan 11)
- Attempted port scans. Steve (Jan 11)
- Re: Maillog Suspicious Khetan Gajjar (Jan 11)
- Text file monitor? Luther Trammel (Jan 12)
- Re: Text file monitor? James A Kennemore Jr (Jan 12)
- Re: Maillog Suspicious Christopher Rhodes (Jan 12)
- Re: Maillog Suspicious Christopher Rhodes (Jan 12)
- Re: Port 4 Daniel Jacobowitz (Jan 11)