
List:       incidents
Subject:    sendmail attack?
From:       Brian M <brian () THEWORKS ! COM>
Date:       2000-09-26 20:49:04

Recently one of my friend's boxes was almost compromised by what appeared 
to be a sendmail attack.  This box is running OpenBSD 2.6 and was using 
sendmail 8.11.0.  All other known security issues have been patched and 
it is not running Horde or IMP. It looks like the attacker either used an 
edited version of a Linux exploit or didn't know much about OpenBSD in 
general because two files were edited, /etc/passwd and /etc/shadow. Two 
users were added: 
ftpd::0:0:ftpd:/:/bin/sh
httpd::5555:5555:httpd:/:/bin/sh
ftpd::0:0:ftpd:/:/bin/sh
httpd::5555:5555:httpd:/:/bin/sh

As you can see the attack was tried twice. It then tried to email either 
the attacker or someone else, but the email bounced and that's how the 
attack was noticed. Here's a snip from the logs:

Sep 15 17:02:16 ns sendmail[7730]: e8G02GE07730: from=username, size=36,
class=0, nrcpts=1, msgid=<200009160002.e8G02GE07730@ns
.somedomain.com>, relay=root@localhost
Sep 15 17:02:18 ns sendmail[9481]: e8G02GN31800: to=kx2246@gmx.net,
ctladdr=username (1000/0), delay=00:00:02, xdelay=00:00:02,
 mailer=esmtp, pri=32834, relay=mx0.gmx.net. [213.165.64.100], dsn=5.1.1,
stat=User unknown

The attack targeted the username that belongs to the owner of the box so 
I doubt it was chosen at random. Unfortunately snort was not running at 
the time :( If anyone has seen something like this or knows of a sendmail 
8.11.0 exploit floating around, any info is appreciated.  Thanks in 
advance.

Brian 
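The tell-tale sign in the report above is the pair of injected accounts: an empty password field, a UID of 0 under a name other than root, and the same lines appended twice. The following audit script is an added example for defenders and is not part of the original post or of any OpenBSD or sendmail tooling. It parses passwd-format lines and flags exactly those conditions; the sample file is constructed here, modelled on the entries quoted in the post, and the "allowed UID 0" list is an assumption (on a real system, read the actual passwd file and set that list to the accounts you know should have UID 0).

```python
from collections import Counter

# Constructed sample in /etc/passwd format (not real data). The four
# trailing lines mirror the injected accounts quoted in the post,
# including the duplicate pair from the second attempt.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
www:*:67:67:HTTP Server:/var/www:/sbin/nologin
username:*:1000:1000:Box Owner:/home/username:/bin/ksh
ftpd::0:0:ftpd:/:/bin/sh
httpd::5555:5555:httpd:/:/bin/sh
ftpd::0:0:ftpd:/:/bin/sh
httpd::5555:5555:httpd:/:/bin/sh
"""


def parse_passwd(text):
    """Split passwd-format text into per-line dicts; keep malformed lines too."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # Anything that is not the classic 7-field layout is itself suspicious.
            entries.append({"line": lineno, "malformed": line})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"line": lineno, "name": name, "pw": pw, "uid": uid,
                        "gid": gid, "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text, allowed_uid0=("root",)):
    """Return (line, kind, detail) findings for passwd lines that look injected.

    kinds: malformed, empty-password, uid0-alias, non-numeric-uid, duplicate-name
    allowed_uid0 is an assumption: the names that may legitimately carry UID 0.
    """
    findings = []
    entries = parse_passwd(text)
    name_counts = Counter(e["name"] for e in entries if "name" in e)
    for e in entries:
        if "malformed" in e:
            findings.append((e["line"], "malformed", e["malformed"]))
            continue
        # Empty second field means "no password required" on classic systems.
        if e["pw"] == "":
            findings.append((e["line"], "empty-password", e["name"]))
        if not e["uid"].isdigit():
            findings.append((e["line"], "non-numeric-uid", e["name"]))
        elif int(e["uid"]) == 0 and e["name"] not in allowed_uid0:
            # A second UID-0 account is a root alias regardless of its name.
            findings.append((e["line"], "uid0-alias", e["name"]))
        if name_counts[e["name"]] > 1:
            findings.append((e["line"], "duplicate-name", e["name"]))
    return findings


def finding_counts(text, allowed_uid0=("root",)):
    """Summarise an audit as {kind: count}, convenient for a quick triage view."""
    return dict(Counter(kind for _, kind, _ in audit_passwd(text, allowed_uid0)))


if __name__ == "__main__":
    for line, kind, detail in audit_passwd(SAMPLE_PASSWD):
        print(f"line {line:>3}  {kind:<16} {detail}")
    print(finding_counts(SAMPLE_PASSWD))
```

Running it against a live system means passing the contents of the real passwd file in place of the constructed sample; comparing the output against a previously saved baseline (or the distribution's default file) turns a one-off check into something a cron job can run nightly.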
