Checking for sendmail attacked (was Re: SA-03:04.sendmail Bin Update)
From: Mike Tancsa (mike sentex.net)
Date: Tue Mar 04 2003 - 11:46:38 CST
At 09:06 AM 04/03/2003 -0600, Jacques A. Vidrine wrote:
>The patch added a new log message which you can check for. Do
>`strings /path/to/sendmail | grep Dropped'.
>
> % strings ./sendmail-4.6-i386-crypto.bin| grep Dropped
> Dropped invalid comments from header address
Interesting, I am seeing this show up in my logs due to some poorly
formatted spam. (LOGLevel up to 12)
smtp1# grep h24HAgAi019889 maillog
Mar 4 12:10:46 smtp1 sendmail[19889]: h24HAgAi019889: Milter: no active filter
Mar 4 12:10:48 smtp1 sendmail[19889]: h24HAgAi019889: from=<nobody cgi10.interq.net>, size=2263, class=0, nrcpts=1, msgid=<200303041655.BAA17056 cgi10.interq.net>, proto=ESMTP, daemon=MTA, relay=cgi10.interq.net [210.157.1.15]
Mar 4 12:10:48 smtp1 sendmail[19914]: h24HAgAi019889: SMTP outgoing connect on smtp1.sentex.ca
Mar 4 12:10:55 smtp1 sendmail[19914]: h24HAgAi019889: Dropped invalid comments from header address
Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: to=<slijboom sentex.net>, delay=00:00:10, xdelay=00:00:09, mailer=esmtp, pri=30728, relay=spamscanner.sentex.ca. [64.7.128.108], dsn=2.0.0, stat=Sent (h24HAjcM032479 Message accepted for delivery)
Mar 4 12:10:57 smtp1 sendmail[19914]: h24HAgAi019889: done; delay=00:00:10, ntries=1
smtp1#
Is there a more definitive way to see if someone is actively trying to
exploit the issue?
---Mike
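
Added example, not part of the original message: a Python script that finds every queue ID that logged the patch's "Dropped invalid comments from header address" entry and joins it to the from=/relay= entry for the same queue ID, so hits can be grouped by sending relay. As the message notes, badly formatted spam produces the same entry, so a hit is a lead for triage and not proof of an exploit attempt. The sample log is constructed and its host names, addresses and queue IDs are placeholders.

```python
import re
from collections import Counter

# Log text added by the patch, as quoted in the message above.
MARKER = "Dropped invalid comments from header address"
# "sendmail[pid]: <queue id>: <rest of entry>"
ENTRY = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")
# Envelope entry written when the message is accepted; relay= is its last field.
ORIGIN = re.compile(r"from=<([^>]*)>.*\brelay=(.+)$")

# Constructed sample in the maillog format shown above; all names are placeholders.
SAMPLE_LOG = """\
Mar  4 12:10:48 mx1 sendmail[101]: h24AAAAA000101: from=<a@bulk.example.net>, size=2263, nrcpts=1, proto=ESMTP, daemon=MTA, relay=bulk.example.net [192.0.2.15]
Mar  4 12:10:55 mx1 sendmail[102]: h24AAAAA000101: Dropped invalid comments from header address
Mar  4 12:10:57 mx1 sendmail[102]: h24AAAAA000101: to=<u@example.org>, mailer=esmtp, relay=scan.example.org. [198.51.100.8], stat=Sent
Mar  4 12:11:02 mx1 sendmail[103]: h24BBBBB000103: from=<b@bulk.example.net>, size=1900, nrcpts=1, proto=ESMTP, daemon=MTA, relay=bulk.example.net [192.0.2.15]
Mar  4 12:11:03 mx1 sendmail[104]: h24BBBBB000103: Dropped invalid comments from header address
Mar  4 12:11:09 mx1 sendmail[105]: h24CCCCC000105: from=<c@ok.example.com>, size=800, nrcpts=1, proto=ESMTP, daemon=MTA, relay=ok.example.com [203.0.113.9]
Mar  4 12:11:20 mx1 sendmail[106]: h24DDDDD000090: Dropped invalid comments from header address
"""


def find_dropped(lines):
    """Map each queue ID that logged MARKER to (sender, relay, hit count)."""
    origin, hits = {}, Counter()
    for line in lines:
        entry = ENTRY.search(line)
        if not entry:
            continue
        qid, rest = entry.groups()
        envelope = ORIGIN.match(rest)  # only from= entries match; to= entries do not
        if envelope:
            origin[qid] = (envelope.group(1), envelope.group(2).strip())
        elif MARKER in rest:
            hits[qid] += 1
    # The from= entry may be absent (e.g. it is in an earlier log file): report None.
    return {q: origin.get(q, (None, None)) + (n,) for q, n in hits.items()}


def hits_per_relay(report):
    """Count flagged messages per sending relay, most frequent first."""
    counts = Counter(relay or "unknown" for _, relay, _ in report.values())
    return counts.most_common()


if __name__ == "__main__":
    report = find_dropped(SAMPLE_LOG.splitlines())
    for qid, (sender, relay, n) in report.items():
        print(qid, sender, relay, n)
    print(hits_per_relay(report))
```

To run it against a real log, pass the open maillog file object to find_dropped() in place of the sample lines.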