List: incidents
Subject: sendmail attack?
From: Brian M <brian () THEWORKS ! COM>
Date: 2000-09-26 20:49:04
Recently one of my friend's boxes was almost compromised by what appeared
to be a sendmail attack. This box is running openbsd 2.6 and was using
sendmail 8.11.0. All other known security issues have been patched and it
is not running Horde or IMP. It looks like the attacker either used an
edited version of a linux exploit or didn't know much about openbsd in
general, because two files were edited: /etc/passwd and /etc/shadow. Two
users were added:
ftpd::0:0:ftpd:/:/bin/sh
httpd::5555:5555:httpd:/:/bin/sh
ftpd::0:0:ftpd:/:/bin/sh
httpd::5555:5555:httpd:/:/bin/sh
As you can see, the attack was tried twice. It then tried to email either
the attacker or someone else, but the email bounced and that's how the
attack was noticed. Here's a snip from the logs:
Sep 15 17:02:16 ns sendmail[7730]: e8G02GE07730: from=username, size=36,
class=0, nrcpts=1, msgid=<200009160002.e8G02GE07730@ns
.somedomain.com>, relay=root@localhost
Sep 15 17:02:18 ns sendmail[9481]: e8G02GN31800: to=kx2246@gmx.net,
ctladdr=username (1000/0), delay=00:00:02, xdelay=00:00:02,
mailer=esmtp, pri=32834, relay=mx0.gmx.net. [213.165.64.100], dsn=5.1.1,
stat=User unknown
The attack targeted the username that belongs to the owner of the box, so
I doubt it was chosen at random. Unfortunately snort was not running at
the time :( If anyone has seen something like this or knows of a sendmail
8.11.0 exploit floating around, any info is appreciated. Thanks in
advance.
Brian
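The two indicators in the post above, rogue UID 0 accounts with an empty password field added (twice) to /etc/passwd and a sendmail delivery attempt that bounced with dsn=5.1.1, are easy to check for mechanically. The following is an added example, not code from the original post or from any OpenBSD or sendmail tool; the function names check_passwd and sendmail_bounces are my own, and the sample passwd file and the single-line log entries are constructed from the post's text (the post's log lines were wrapped by the mail client; syslog writes one line per event).

```python
"""Host-side checks for the indicators described in the incident report.

Added example, not part of the original post. Everything runs offline on the
constructed samples below; feed check_passwd() the contents of a real passwd
file, or sendmail_bounces() real maillog lines, to use it on a host.
"""
import re
from collections import Counter

# Constructed sample: a normal root entry, the box owner, and the two rogue
# entries from the post, each present twice as reported.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
username:*:1000:1000:Box Owner:/home/username:/bin/sh
ftpd::0:0:ftpd:/:/bin/sh
httpd::5555:5555:httpd:/:/bin/sh
ftpd::0:0:ftpd:/:/bin/sh
httpd::5555:5555:httpd:/:/bin/sh
"""

# Constructed sample: the post's two log lines, unwrapped onto one line each.
SAMPLE_LOG = [
    "Sep 15 17:02:16 ns sendmail[7730]: e8G02GE07730: from=username, size=36, "
    "class=0, nrcpts=1, msgid=<200009160002.e8G02GE07730@ns.somedomain.com>, "
    "relay=root@localhost",
    "Sep 15 17:02:18 ns sendmail[9481]: e8G02GN31800: to=kx2246@gmx.net, "
    "ctladdr=username (1000/0), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, "
    "pri=32834, relay=mx0.gmx.net. [213.165.64.100], dsn=5.1.1, stat=User unknown",
]


def check_passwd(text, allowed_uid0=("root",)):
    """Return (line_no, username, reason) findings for a passwd-format file.

    Flags UID 0 accounts outside the allow-list, empty password fields, and
    usernames that occur more than once (the post's entries trip all three).
    """
    findings = []
    seen = Counter()
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append((lineno, raw, "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        seen[name] += 1
        if uid == "0" and name not in allowed_uid0:
            findings.append((lineno, name, "uid 0 account not in allow-list"))
        if pw == "":
            findings.append((lineno, name, "empty password field"))
        if seen[name] > 1:
            findings.append((lineno, name, "duplicate username"))
    return findings


KV_RE = re.compile(r"(\w+)=([^,]+)")
CTL_RE = re.compile(r"ctladdr=(\S+) \((\d+)/(\d+)\)")


def sendmail_bounces(lines):
    """Return one dict per sendmail delivery record with a permanent-failure DSN.

    A dsn=5.x.x status is a hard bounce; the submitting uid/gid comes from
    the ctladdr field, which is what ties the bounce back to a local account.
    """
    out = []
    for line in lines:
        if "sendmail[" not in line:
            continue
        fields = dict(KV_RE.findall(line))
        dsn = fields.get("dsn", "")
        if not dsn.startswith("5."):
            continue
        rec = {"to": fields.get("to"), "dsn": dsn, "stat": fields.get("stat"),
               "ctladdr": None, "uid": None, "gid": None}
        m = CTL_RE.search(line)
        if m:
            rec["ctladdr"] = m.group(1)
            rec["uid"], rec["gid"] = int(m.group(2)), int(m.group(3))
        out.append(rec)
    return out


if __name__ == "__main__":
    for f in check_passwd(SAMPLE_PASSWD):
        print("passwd line %d: %s: %s" % f)
    for b in sendmail_bounces(SAMPLE_LOG):
        print("bounce to=%(to)s from uid %(uid)s dsn=%(dsn)s (%(stat)s)" % b)
```

On OpenBSD the password hash lives in /etc/master.passwd rather than /etc/passwd, so check_passwd should be run over master.passwd there as well; the three checks apply unchanged since the first four fields have the same meaning.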