"Eric L. Damron" wrote:
>
> I have found that people unknown are attacking my Linux box! The following
> entries were found in maillog:
Below are explanations of what the little cracker is trying to do...
> Sep 15 07:09:07 C287853-A sendmail[1979]: NOQUEUE: [157.89.64.77]: VRFY guest
Check to see if the 'guest' user exists.
> Sep 15 07:09:07 C287853-A sendmail[1980]: NOQUEUE: [157.89.64.77]: VRFY decode
Check to see if the 'decode' user exists.
> Sep 15 07:09:07 C287853-A sendmail[1981]: NOQUEUE: [157.89.64.77]: VRFY bbs
Check to see if the 'bbs' user exists.
> Sep 15 07:09:07 C287853-A sendmail[1982]: NOQUEUE: [157.89.64.77]: VRFY lp
Check to see if the 'lp' user exists.
> Sep 15 07:09:07 C287853-A sendmail[1983]: NOQUEUE: [157.89.64.77]: VRFY uudecode
Check to see if the 'uudecode' user exists.
> Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "wiz" command from [157.89.64.77] (157.89.64.77)
Check to see if you're running an OOOOLLLLDDDD version of Sendmail that
understood the 'wiz' command -- it gave superuser permissions. See the
O'Reilly Internet Security book for an explanation; it's got a safe on
the cover.
> Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "debug" command from [157.89.64.77] (157.89.64.77)
Check to see if another old version of Sendmail is running to exploit
the 'debug' command. Again, I'd refer you to the O'Reilly text.
> (WHAT THE HELL IS THE "WIZ" COMMAND. AND THE "DEBUG" COMMAND!!
Ancient Sendmail exploits.
> Please! If anyone knows what this jerk is trying to do and How I can stop
> him PLEASE let me know!
I wouldn't worry too much about this one. It's a script kiddy that
doesn't even know enough to check how old his scripts are (some of those
bugs are likely older than the cracker!).
I _would_, of course, forward those log files to the ISP that hosts
157.89.64.77 (I'm not able to get it to resolve with either 'host' or
'whois', maybe you'll have better luck?)
--
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]
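
Added example, not part of the original message: a small maillog triage script that groups the probe pattern explained above (a burst of VRFY account checks plus the old "wiz"/"debug" commands) by source address, which gives a compact summary to send to the ISP. The function name and the min_vrfy threshold are assumptions, and the regexes only cover the log format quoted in the message.

```python
import re
from collections import defaultdict

# Log lines from the message above, with the mail client's line wraps rejoined.
SAMPLE_LOG = """\
Sep 15 07:09:07 C287853-A sendmail[1979]: NOQUEUE: [157.89.64.77]: VRFY guest
Sep 15 07:09:07 C287853-A sendmail[1980]: NOQUEUE: [157.89.64.77]: VRFY decode
Sep 15 07:09:07 C287853-A sendmail[1981]: NOQUEUE: [157.89.64.77]: VRFY bbs
Sep 15 07:09:07 C287853-A sendmail[1982]: NOQUEUE: [157.89.64.77]: VRFY lp
Sep 15 07:09:07 C287853-A sendmail[1983]: NOQUEUE: [157.89.64.77]: VRFY uudecode
Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "wiz" command from [157.89.64.77] (157.89.64.77)
Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "debug" command from [157.89.64.77] (157.89.64.77)
"""

# Patterns match the sendmail log format quoted in the message, nothing broader.
VRFY_RE = re.compile(
    r'sendmail\[\d+\]: NOQUEUE: \[(?P<ip>[\d.]+)\]: VRFY (?P<user>\S+)')
LEGACY_RE = re.compile(
    r'sendmail\[\d+\]: NOQUEUE: "(?P<cmd>wiz|debug)" command from \S+ '
    r'\((?P<ip>[\d.]+)\)')


def summarize_probes(log_text, min_vrfy=3):
    """Group SMTP probe activity by source address.

    min_vrfy is a hypothetical threshold: a source is reported once it has
    checked at least that many account names, or as soon as it sends one
    of the legacy "wiz"/"debug" commands.
    """
    seen = defaultdict(lambda: {"vrfy_users": [], "legacy_cmds": []})
    for line in log_text.splitlines():
        m = VRFY_RE.search(line)
        if m:
            seen[m["ip"]]["vrfy_users"].append(m["user"])
            continue
        m = LEGACY_RE.search(line)
        if m:
            seen[m["ip"]]["legacy_cmds"].append(m["cmd"])
    return {ip: hits for ip, hits in seen.items()
            if hits["legacy_cmds"] or len(hits["vrfy_users"]) >= min_vrfy}


if __name__ == "__main__":
    for ip, hits in summarize_probes(SAMPLE_LOG).items():
        print(ip, "VRFY:", ",".join(hits["vrfy_users"]),
              "legacy:", ",".join(hits["legacy_cmds"]))
```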