Security Incidents mailing list archives
Re: Attacks on port 25
From: xm () GEEKMAFIA DYNIP COM (Jon Williams)
Date: Mon, 29 May 2000 20:37:40 -0400
Sounds like someone is trying to drop your sendmail daemon into debug mode. Older, misconfiged versions would let a remote user do this and a whole load of BAD things. Ex Machina (xm () geekmafia dynip com) http://geekmafia.dynip.com/~xm/ (I need a job.... Resume available at webpage...) phone: 1-877-LPT-WHIP icq: 3387005 aim: ExMachina GnuPG Keyprint: 0627 C3A8 DE25 F7FB 46BD 4870 2006 CF7F EBDA 949D On Sun, 28 May 2000, Bill Lavalette wrote:
Date: Sun, 28 May 2000 19:28:55 -0500 From: Bill Lavalette <operations () NDRSNET COM> To: INCIDENTS () SECURITYFOCUS COM Subject: Re: Attacks on port 25 I have been getting that too... our IDS system sees it as this 'Email_Debug' event detected by the RealSecure engine at 'freakory'. Details: Source Address: 207.126.127.68 Source Port: 55058 Source MAC Address: 00:20:6F:05:2D:BE Destination Address: 216.200.165.211 Destination Port: E-mail (25) Destination MAC Address: 00:10:5A:22:1D:B0 Time: Friday, May 19, 2000 01:27:24 Protocol: TCP (6) Priority: high Actions mask: 0x245 I have about a 150 of these such alerts any clue what is going on? Regards Bill Bill Lavalette Security/Systems Admin ndrs.com Dallas Texas NOC http://www.ndrs.com PH:817.652.3882 Email: Operations () ndrsnet com -----Original Message----- From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Ryan Russell Sent: Friday, May 26, 2000 4:28 PM To: INCIDENTS () SECURITYFOCUS COM Subject: Re: Attacks on port 25 On Fri, 26 May 2000, Vincent Lim wrote:=-=-=-=-=-=-=-=-=-=-=-=-=-= May 26 11:01:27 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: f139.law8.hotmail.com/216.33.241.139 to TCP port: 25Well, basiclly it's indicating that you're getting connections to port 25. This would indicate people probing for mail servers. This might be considered hostile *IF* you're not running a mail server. I suspect you're running a mail server on that port, and other mail servers are just trying to send you mail. By alerting on and blocking these machines, you're cutting your mail access off.May 26 11:28:21 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: lists.securityfocus.com/207.126.127.68 to TCP port: 25 May 26 11:28:21 pop3 portsentry[358]: attackalert: Host: lists.securityfocus.com/207.126.127.68 is already blocked Ignoring As you can see... list.securityfocus.com is among the attackers. What could this mean?It means you're subscribed to one of our lists... and you're probably not going to get this reply. :) I can say pretty confidently that we're not attacking you in any way. I think you're just monitoring for acticivty which could be suspicious on a non-mail server, but is just fine on a machine that is supposed to get mail. Ryan
Current thread:
- Re: Attacks on port 25 Jon Williams (May 29)
- <Possible follow-ups>
- Re: Attacks on port 25 Rhino Bond (May 30)