TCLUG Archive

Re: [TCLUG:5907] is sendmail safe?



Ben,
while it is possible that someone is trying to send you mail from this
system, judging from what the system is, I would say that it might be
compromised or there is an error in its port scanning software.  If you
look at the system itself, its hostname is cfd2123a.eng.wayne.edu
(sendmail v8.8.7). They are running RedHat 5.1, linux kernel 2.0.34
(telnet), and they also run wu-ftp-2.4.2-academ[BETA-16] (telnet
141.217.13.25 21).  whois (whois 141.217.13.25@whois.arin.net) returns
Wayne State University in Detroit, MI, and whois wayne.edu returns the
same contact as ARIN, Matthew Lessins (m_lessins@wayne.edu).  I would
suggest sending a polite email reminding Mr. Lessins that he needs to
check the security on this machine as you seem to be getting port-scanned
from it.  Let him know that you are keeping copies of your logs, and give
him a number to reach you.  My bet is you won't hear from him, but they
will probably try to stop whatever is going on.

I have had similar problems because I use dsl, and one of the "systems"
which was attempting to touch my box turned out to be an ISDN modem, so I
found out the ISP (simple, really), and let them know what happened & that
they had an insecure ISDN modem out there, and never heard back, but I
have not gotten attempts from that direction since - they either got bored
or my email did something.  In any case, it is worth letting the admin
know of the potential.

-Chris

On Sat, 8 May 1999, Ben Luey wrote:

> My computer got another port scan / possible attack. To the outside world,
> everything is denied but smtp and web, but I log all attempts to use imap
> and telnet. My logs show that this ip address tried lots of attempts to
> imap and telnet. Also a syn to 1114, which I think was just a random port
> scan. Then I noticed that Sendmail gave me this messages:
> 
> maillog:May  8 14:15:46 pclueyb sendmail[24808]: NOQUEUE: Null connection from IDENT:root@[141.217.13.25]
> maillog:May  8 14:15:58 pclueyb sendmail[24810]: NOQUEUE: [141.217.13.25]: expn root
> 
> What does that mean? Also is sendmail-8.9.3-10 (rh 6.0 default) safe, or
> should I look into something else?
> 
> 
> 
> Ben Luey
> lueyb@carleton.edu
> ICQ: 19144397
> 
> So the GOP thinks the American public has a short-term memory. Well, I have
> one word for them -- potatoe.       
>         -- Karen Baird, Letters to Editor, San Francisco Chronicle 12/17/98
> 
> 
> 
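The two maillog lines Ben quotes are what sendmail writes when a remote client opens port 25 and either drops the connection without sending mail ("Null connection") or issues an EXPN/VRFY command to look up an account. The script below is an added example, not code from the thread or from sendmail: it parses such NOQUEUE lines, groups them by source address, and separates hosts that only scanned from hosts that tried to enumerate accounts, which is the distinction worth making when you decide whom to report to. The sample log is constructed from the quoted lines (unwrapped, with extra entries and the 10.0.0.5 address made up for illustration); the `maillog:` grep prefix is tolerated.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the maillog excerpt in the thread.
# The vrfy line, the second PID values and the 10.0.0.5 entry are made up.
SAMPLE_LOG = """\
maillog:May  8 14:15:46 pclueyb sendmail[24808]: NOQUEUE: Null connection from IDENT:root@[141.217.13.25]
maillog:May  8 14:15:58 pclueyb sendmail[24810]: NOQUEUE: [141.217.13.25]: expn root
May  8 14:16:02 pclueyb sendmail[24811]: NOQUEUE: [141.217.13.25]: vrfy postmaster
May  8 14:20:00 pclueyb sendmail[24820]: NOQUEUE: Null connection from [10.0.0.5]
"""

# "Null connection": the client connected to port 25 and went away without
# sending a message, which is the trace a port scanner or banner grab leaves.
# The optional IDENT:user@ part is what sendmail adds when the remote host
# answers an ident lookup (here claiming the connection came from root).
NULL_CONN_RE = re.compile(
    r"sendmail\[\d+\]: NOQUEUE: Null connection from "
    r"(?:IDENT:(?P<ident>\S+?)@)?\[(?P<ip>[\d.]+)\]"
)
# "expn"/"vrfy": the client asked sendmail to expand an alias or verify a
# mailbox. Legitimate mailers do not do this; it is account enumeration.
PROBE_RE = re.compile(
    r"sendmail\[\d+\]: NOQUEUE: \[(?P<ip>[\d.]+)\]: (?P<cmd>expn|vrfy) (?P<arg>\S+)",
    re.IGNORECASE,
)


def parse_line(line):
    """Return (ip, event, detail) for a recognised NOQUEUE line, else None."""
    m = NULL_CONN_RE.search(line)
    if m:
        return (m.group("ip"), "null_connection", m.group("ident") or "")
    m = PROBE_RE.search(line)
    if m:
        return (m.group("ip"), m.group("cmd").lower(), m.group("arg"))
    return None


def summarize(log_text):
    """Group events by source IP.

    Result: {ip: {"null_connection": count, "expn": [names], "vrfy": [names]}}
    """
    per_ip = defaultdict(lambda: {"null_connection": 0, "expn": [], "vrfy": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, event, detail = parsed
        if event == "null_connection":
            per_ip[ip]["null_connection"] += 1
        else:
            per_ip[ip][event].append(detail)
    return dict(per_ip)


def classify(summary):
    """Label each source: EXPN/VRFY means someone is mapping accounts,
    a bare null connection is just a scan of port 25."""
    labels = {}
    for ip, s in summary.items():
        if s["expn"] or s["vrfy"]:
            labels[ip] = "account enumeration"
        elif s["null_connection"]:
            labels[ip] = "scan only"
    return labels


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, label in classify(summary).items():
        s = summary[ip]
        print(f"{ip}: {label}; null connections={s['null_connection']}, "
              f"expn={s['expn']}, vrfy={s['vrfy']}")
```

On the "is it safe" question the thread leaves open: the EXPN and VRFY commands can be switched off in sendmail itself with the PrivacyOptions setting (`O PrivacyOptions=goaway` in sendmail.cf, or `confPRIVACY_FLAGS` in the m4 configuration), which makes the probe in Ben's second log line return an error instead of expanding the root alias. The null connection will still be logged, which is fine, since that log entry is exactly what lets you spot the scan.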