Great Circle Associates Firewalls
(August 1995)
 


Subject: Re: Is this a break-in attempt?
From: Ophir Ronen <ophir@connectsoft.com>
Date: Fri, 25 Aug 1995 16:44:56 -0700 (PDT)
To: Firewalls@GreatCircle.COM
In-reply-to: <199508251331.JAA07826@SPARKY.CF.CS.YALE.EDU>

Hi all,

It looks as if this "doorknob twister" was using an automated 
security tool called ISS. It can be obtained from 
ftp://coast.cs.purdue.edu/pub/tools/unix/iss.

				Enjoy,

				-Ophir 


*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_

Ophir Ronen		Email: ophir@connectsoft.com
ConnectSoft Inc.	Phone: (206) 803-5785
			Pager: (206) 608-7430

*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_*_

On Fri, 25 Aug 1995 long-morrow@CS.YALE.EDU wrote:

> It is definitely a sign that someone is scanning the system running sendmail for
> weaknesses.
> 
> They are looking for three kinds:
> 
> 1.	'guest' logins (which may or may not have a strong password) they can try to
> 	break into.
> 
> 2.	insecure aliases which pipe into programs (the uudecode alias).
> 
> 3.	sendmail bugs which are mostly found in earlier versions of sendmail
> 	(the attempt to turn on the wizard mode and the attempt to turn on the debug
> 	option which is not found in sendmail 8.6.12).
> 
> These days the attempt may likely be an automated probe or scanner rather than a person
> typing in the commands manually.
> 
> It looked like most of what the probe was looking for was foiled but you may want to
> take a look at the security of your 'lp' account (check for the presence of a password,
> etc).
> 
> - Morrow
> 
> 
> >From: jhb@sun811.npt.nuwc.navy.mil (John Balch)
> >Subject: Is this a break-in attempt?
> >To: Firewalls@GreatCircle.COM
> >Message-Id: <9508251200.AA01007@sun811.Npt.NUWC.Navy.Mil>
> >Mime-Version: 1.0
> >Content-Type: MULTIPART/MIXED; BOUNDARY="Boundary (ID pKdyibW9cXBRV4vgrEK8Kg)"
> >X-Sun-Charset: US-ASCII
> >Sender: firewalls-owner@GreatCircle.COM
> >Precedence: bulk
> >Status: R
> >
> >
> >--Boundary (ID pKdyibW9cXBRV4vgrEK8Kg)
> >Content-type: TEXT/PLAIN
> >
> >I need some expert advice. The following showed up in the root mailbox
> >this morning. Is it an attempt to break in via sendmail?  Was it successful?
> >(I can't see any evidence of success, but that doesn't mean anything.)  Is it
> >possible to tell if the message was incoming or outgoing?
> >
> >
> >>From root Thu Aug 24 16:39 EDT 1995
> >Return-Path: <Mailer-Daemon>
> >Received: by sun811 (5.x/SMI-SVR4)
> >	id AB02489; Thu, 24 Aug 1995 16:39:20 -0400
> >Date: Thu, 24 Aug 1995 16:39:20 -0400
> >From: Mailer-Daemon (Mail Delivery Subsystem)
> >Subject: Returned mail: User unknown
> >Message-Id: <9507282039.AB02489@sun811>
> >To: Postmaster
> >Content-Type: text
> >Content-Length: 343
> >X-Lines: 18
> >Status: RO
> >
> >   ----- Transcript of session follows -----
> ><<< VRFY guest
> >550 guest... User unknown
> ><<< VRFY decode
> >550 decode... User unknown
> ><<< VRFY bbs
> >550 bbs... User unknown
> ><<< VRFY lp
> ><<< VRFY uudecode
> >550 uudecode... User unknown
> ><<< wiz
> >500 Command unrecognized
> ><<< debug
> >500 Command unrecognized
> ><<< QUIT
> >
> >  ----- No message was collected -----
> >
> >All I know about security is what I've picked up here and I've never seen
> >anything like this before. Any opinions or advice would be appreciated.
> >
> >TIA
> >
> >John Balch
> >GPS Technologies Inc.
> >25 Enterprise Center
> >Middletown RI 02842
> >
> >--Boundary (ID pKdyibW9cXBRV4vgrEK8Kg)--
> >
> 
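The bounce transcript quoted above is a useful record for a defender: each `VRFY` that drew a `550 ... User unknown` reply told the prober nothing, while `VRFY lp` drew no rejection at all, which is exactly why Morrow singles out the `lp` account, and the `wiz` and `debug` commands are the old sendmail holes he mentions. The script below is an added example, not code from any of the posters or from ISS; it parses a transcript in this format (the sample is a constructed copy of the one in the thread, with the `> >` quoting stripped) and reports which accounts the server admitted exist and whether any of the hole probes got anything other than a `5xx` refusal. The set of "dangerous" commands and the thresholds used to decide that a session looks like a probe are assumptions chosen for this example.

```python
"""Classify a sendmail bounce transcript of the kind quoted in the thread.

Added example for this archive page; not the original posters' code.
The rules below (which commands count as probes for old sendmail holes,
how many account lookups make a session look automated) are assumptions.
"""
import re

# Constructed sample: the session transcript from the quoted bounce.
SAMPLE_TRANSCRIPT = """\
   ----- Transcript of session follows -----
<<< VRFY guest
550 guest... User unknown
<<< VRFY decode
550 decode... User unknown
<<< VRFY bbs
550 bbs... User unknown
<<< VRFY lp
<<< VRFY uudecode
550 uudecode... User unknown
<<< wiz
500 Command unrecognized
<<< debug
500 Command unrecognized
<<< QUIT
"""

# Commands the thread identifies as probes for old sendmail holes (assumption).
HOLE_COMMANDS = {"wiz", "debug"}

QUOTE_RE = re.compile(r"^(?:>\s*)+")            # mail quoting such as "> >"
CLIENT_RE = re.compile(r"^<<<\s*(\S+)(?:\s+(.*))?$")  # what the client sent
REPLY_RE = re.compile(r"^(\d{3})\b")            # SMTP reply code from the server


def parse_transcript(text):
    """Return a list of (command, argument, reply_code) tuples.

    reply_code is None when no server reply follows the client line in the
    transcript, as happens for 'VRFY lp' in the quoted bounce.
    """
    events = []
    pending = None
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw)
        m = CLIENT_RE.match(line)
        if m:
            if pending is not None:       # previous command drew no reply
                events.append(tuple(pending))
            pending = [m.group(1).lower(), m.group(2), None]
            continue
        r = REPLY_RE.match(line)
        if r and pending is not None:
            pending[2] = int(r.group(1))
            events.append(tuple(pending))
            pending = None
    if pending is not None:
        events.append(tuple(pending))
    return events


def analyze(text):
    """Summarise what the prober learned and what it tried."""
    verified, rejected, hole_probes = [], [], []
    for cmd, arg, code in parse_transcript(text):
        if cmd == "vrfy":
            if code is not None and code >= 500:
                rejected.append(arg)          # server denied the account exists
            else:
                verified.append(arg)          # no refusal: treat as confirmed
        elif cmd in HOLE_COMMANDS:
            hole_probes.append((cmd, code))
    return {
        "verified_accounts": verified,
        "rejected_accounts": rejected,
        "hole_probes": hole_probes,
        # A 5xx reply means the command was refused; anything else deserves a look.
        "hole_probe_succeeded": any(c is None or c < 500 for _, c in hole_probes),
        # Several account lookups or any hole command: looks automated (assumption).
        "is_probe": len(verified) + len(rejected) >= 3 or bool(hole_probes),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_TRANSCRIPT)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the quoted bounce it reports `lp` as the one account the server did not deny, `guest`, `decode`, `bbs` and `uudecode` as rejected, and both `wiz` and `debug` as refused with `500`. That matches Morrow's reading: nothing got through, but `lp` is worth checking. Later sendmail releases also let you refuse the account lookups outright with `O PrivacyOptions=novrfy,noexpn`, which removes the information leak the first half of this probe relies on.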

