Security Incidents mailing list archives

Re: SMTP server (How can I find out the real source of an attack)


From: Valdis.Kletnieks () vt edu
Date: Thu, 12 Jul 2001 21:59:32 -0400

On Thu, 12 Jul 2001 15:53:36 PDT, MrG <p2mask2_xti () yahoo com> said:
> 1. I have a SMTP server (behind my FW) which constantly
> (>7 times per second) is trying to establish a TCP=25
>
> I know that my SMTP server has been compromised but

How do you *know* it's been compromised?

I've seen multiple systems that don't understand the meaning of "required
delay before retry" as per RFC1123 - systems that in their normally broken
state will retry over and over and over.  I can sympathize with your
7x/sec - I once got hit by something that retried 10x/sec for about 2 days
before I finally found the owner and chastised them....

-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
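The retry-delay point above suggests a simple defender-side check. The following is an added example, not code from the thread; it assumes a constructed firewall log format and flags sources that open port-25 connections faster than the roughly 7/s rate described, or that retry sooner than the 30-minute minimum interval RFC 1123 recommends (both thresholds are parameters).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not from the original thread):
# "<ISO timestamp> <src> -> <dst>:<port> SYN". One host hammers port 25
# eight times within a second; another retries politely 30 minutes apart.
SAMPLE_LOG = "\n".join(
    [f"2001-07-12T15:53:36.{ms:03d} 192.0.2.10 -> 198.51.100.25:25 SYN"
     for ms in (10, 150, 270, 400, 520, 650, 780, 900)]
    + ["2001-07-12T15:53:40.000 203.0.113.7 -> 198.51.100.25:25 SYN",
       "2001-07-12T16:23:40.000 203.0.113.7 -> 198.51.100.25:25 SYN",
       "2001-07-12T15:53:41.000 192.0.2.10 -> 198.51.100.25:80 SYN"]
)

LINE_RE = re.compile(r"^(\S+) (\S+) -> \S+:(\d+) SYN$")

def parse_smtp_attempts(log_text):
    """Return {src: sorted timestamps} for connection attempts to port 25 only."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "25":
            attempts[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    return {src: sorted(ts) for src, ts in attempts.items()}

def peak_rate(timestamps, window=1.0):
    """Most attempts from one source inside any sliding window of `window` seconds."""
    best, start = 0, 0
    for end in range(len(timestamps)):
        while (timestamps[end] - timestamps[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def min_retry_gap(timestamps):
    """Shortest interval between consecutive attempts in seconds (None if < 2 attempts)."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    return min(gaps) if gaps else None

def flag_hammering_hosts(log_text, max_per_sec=7, min_gap_s=1800):
    """Flag sources exceeding max_per_sec in a 1-second window or retrying sooner than min_gap_s."""
    report = {}
    for src, ts in parse_smtp_attempts(log_text).items():
        rate, gap = peak_rate(ts), min_retry_gap(ts)
        if rate > max_per_sec or (gap is not None and gap < min_gap_s):
            report[src] = {"peak_per_sec": rate, "min_gap_s": gap}
    return report

if __name__ == "__main__":
    for src, stats in flag_hammering_hosts(SAMPLE_LOG).items():
        print(f"{src}: {stats['peak_per_sec']}/s peak, shortest retry gap {stats['min_gap_s']}s")
```

A host that trips only the retry-gap check is the "normally broken" retrier described above, not necessarily a compromise; correlate with the mail server's own logs before acting.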
