Security Incidents mailing list archives

Re: Snort SMTP expn-root


From: phil.dyer () MINDSPRING COM (dyer)
Date: Thu, 6 Jul 2000 22:26:24 -0400


"Oxenreider, Jeff" wrote:

> Last night at around 7pm EST I got these two log entries from my IDS server.
>
> Jul  5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244 -> XXX.XXX.XXX.10:25
> Jul  5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244 -> XXX.XXX.XXX.10:25
>
> Weird thing is that the originating IP address is "lists.securityfocus.com".
> I've been on these lists for over a month and this is the first time I've
> ever seen this message come up in my IDS.
>
> Anyone know why this may occur that I'm missing?


Yup. I got that too. A message was posted to the list containing some logs. In
the logs were the words 'expn root' (guess you'll get it again now ; ) Coming
in on port 25 and containing the keyword... must be something. Whoops.

See the thread "scan log and subsequent response from the host's ISP". Also
take a look in the directory named as the IP address of the 'attacker' under
your log directory. You can view the decoded packet and see the mail message.

Not to worry.... This time.

dyer
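The false positive dyer describes comes from a rule that looks for the bytes "expn root" anywhere in a packet to port 25, so a list message that quotes a scan log matches just as well as a real EXPN command. The Python below is an added illustration, not Snort's rule engine or code from the original thread: it runs a plain substring match next to a check that only fires when "EXPN root" arrives as an SMTP client command outside the DATA phase. Both sample sessions, the hostnames and addresses in them, and the quoted log line are constructed for the example.

```python
# Added example: naive keyword match vs. SMTP-state-aware match for "expn root".
# Not from the original post; sample sessions below are constructed.

import re

NAIVE_KEYWORD = b"expn root"

# Constructed: a genuine reconnaissance attempt against port 25.
REAL_PROBE = (
    b"EHLO scanner.example\r\n"
    b"EXPN root\r\n"
    b"QUIT\r\n"
)

# Constructed: a mailing-list message whose body quotes someone else's scan log.
LIST_MAIL = (
    b"EHLO lists.example.com\r\n"
    b"MAIL FROM:<incidents@lists.example.com>\r\n"
    b"RCPT TO:<jeff@example.org>\r\n"
    b"DATA\r\n"
    b"Subject: scan log and subsequent response from the host's ISP\r\n"
    b"\r\n"
    b"Here is what the box tried against my mail server:\r\n"
    b"  Jul  4 02:11:05 mail sendmail[1234]: expn root rejected\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def naive_match(payload: bytes) -> bool:
    """Case-insensitive substring search over the whole payload,
    the behaviour of a bare content-keyword rule. Fires on the
    quoted log line just as readily as on a real probe."""
    return NAIVE_KEYWORD in payload.lower()


# EXPN as a command: at the start of a line, followed by the target "root".
EXPN_CMD = re.compile(rb"^expn\s+root\b", re.IGNORECASE)


def smtp_command_match(payload: bytes) -> bool:
    """Fire only when 'EXPN root' is sent as a client command.
    Tracks the DATA phase so that anything inside the message body
    (up to the lone '.' terminator) is ignored rather than matched."""
    in_data = False
    for line in payload.split(b"\r\n"):
        if in_data:
            if line == b".":      # end of message body
                in_data = False
            continue
        if line.upper() == b"DATA":
            in_data = True
            continue
        if EXPN_CMD.match(line):
            return True
    return False


def classify(payload: bytes) -> dict:
    """Return both verdicts so the two approaches can be compared side by side."""
    return {
        "naive": naive_match(payload),
        "command_aware": smtp_command_match(payload),
    }


if __name__ == "__main__":
    for name, session in (("real probe", REAL_PROBE), ("list mail", LIST_MAIL)):
        print(name, classify(session))
```

The command-aware check is the same idea dyer suggests when he points at the decoded packet under the attacker's IP directory: look at where the keyword sits in the conversation, not merely whether it is present. A rule that anchors on the SMTP command rather than on free text in the body would have stayed quiet on the list message while still catching the real probe.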

