LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-28-2003, 10:59 PM   #1
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Rep: Reputation: 31
Sendmail Attack


Today I noticed that my connection was a little slow and found that sendmail had a load of connections to different ips. When I looked at the log what I saw was alot of this:

Jun 28 15:46:03 bunny sendmail[29699]: h5SJVNNm029699: from=<5617l2xxs758y@ms32.hinet.net>, size=0, class=0, nrcpts=0, proto=
ESMTP, daemon=MTA, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8]
Jun 28 15:46:03 bunny sendmail[29594]: h5SJLURR029594: from=<87mezyt768@ms28.hinet.net>, size=0, class=0, nrcpts=0, proto=ESM
TP, daemon=MTA, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8]
Jun 28 15:46:04 bunny sendmail[29292]: h5SIq0xL029292: ruleset=check_rcpt, arg1=<changyun@seed.net.tw>, relay=[203.69.118.19]
, reject=550 5.7.1 <changyun@seed.net.tw>... Relaying denied. IP name lookup failed [203.69.118.19]
Jun 28 15:46:04 bunny sendmail[29791]: h5SJfLKO029791: ruleset=check_rcpt, arg1=<yu312@pchome.com.tw>, relay=NK219-91-21-8.ad
sl.pl.apol.com.tw [219.91.21.8], reject=550 5.7.1 <yu312@pchome.com.tw>... Relaying denied
Jun 28 15:46:04 bunny sendmail[29292]: h5SIq0xL029292: from=<steve@66.58.43.12>, size=0, class=0, nrcpts=0, proto=ESMTP, daem
on=MTA, relay=[203.69.118.19]
Jun 28 15:46:05 bunny sendmail[29699]: h5SJVNNn029699: ruleset=check_rcpt, arg1=<nriqaycf@yahoo.com.tw>, relay=NK219-91-21-8.
adsl.pl.apol.com.tw [219.91.21.8], reject=550 5.7.1 <nriqaycf@yahoo.com.tw>... Relaying denied
Jun 28 15:46:05 bunny sendmail[29292]: h5SIq0xM029292: ruleset=check_rcpt, arg1=<changyun@seed.net.tw>, relay=[203.69.118.19]
, reject=550 5.7.1 <changyun@seed.net.tw>... Relaying denied. IP name lookup failed [203.69.118.19]
Jun 28 15:46:05 bunny sendmail[29791]: h5SJfLKO029791: from=<324cik3a39@ms36.hinet.net>, size=0, class=0, nrcpts=0, proto=ESM
TP, daemon=MTA, relay=NK219-91-21-8.adsl.pl.apol.com.tw [219.91.21.8]
Jun 28 15:46:05 bunny sendmail[29594]: h5SJLURS029594: ruleset=check_rcpt, arg1=<wifp@yahoo.com.tw>, relay=NK219-91-21-8.adsl
.pl.apol.com.tw [219.91.21.8], reject=550 5.7.1 <wifp@yahoo.com.tw>... Relaying denied


Most of the attempts I could find a relaying denied line for but not all of them. Any chance that any got through?

Most of the relay attempts had hinet.net from address or from addresses consisting of the username steve and then an ip number.
Questions:
What was this guy trying to do? His messages werent being relayed so what was the point in persisting?

I have a dynamic ip with a dynamic dns hostname, the above is from my desktop machine. To give an idea of the extent of the problem:

cat info|grep "Relaying denied"|grep -c "Jun 28"
106408

 
Old 06-29-2003, 07:50 AM   #2
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Well first of all. Do not worry regarding those relaying denied issues. This is pretty normal in these days on the internet. It is possible that this is a attack which is issued at you but it doesn't have to be the case due your dynamic ip.

I assume that the user before you got that ip had an open relay server and thus those many attempts to send mail over your host.
 
Old 06-29-2003, 12:54 PM   #3
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Original Poster
Rep: Reputation: 31
Quote:
I assume that the user before you got that ip had an open relay server
Duh! Of course, that hadnt even occurred to me. Thanks.
 
Old 07-02-2003, 02:09 PM   #4
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
You may want to consider putting in a firewall rule to block incoming connections from those IP addresses or networks. Chances are slim to none that any of those 100000 relay attempts are legitimate email.
 
Old 07-04-2003, 05:08 AM   #5
m0rl0ck
Member
 
Registered: Nov 2002
Distribution: A totally 133t distro :)
Posts: 358

Original Poster
Rep: Reputation: 31
Quote:
You may want to consider putting in a firewall rule to block incoming connections

Their in my sendmail access file with a REJECT flag. I think that might do it. Though I thought about a snort rule that would keep track of attempts too.
Rather than drop or reject them at the firewall Id like to keep detailed track of a next attempt if their is one.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
What attack could this be??? darrel Linux - Security 10 02-26-2005 11:10 PM
What to do during an attack? revenant Linux - Security 9 04-02-2004 01:18 AM
hacker attack? zetsui Linux - General 4 08-04-2003 07:03 AM
Help I am UNDER ATTACK... needamiracle Linux - Security 28 04-22-2003 01:06 PM
Any attack? vcheah Linux - Security 1 12-07-2001 02:26 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration