
Subject: Re: Snort SMTP expn-root
From: dyer (phil.dyerMINDSPRING.COM)
Date: Thu Jul 06 2000 - 21:26:24 CDT


"Oxenreider, Jeff" wrote:

> Last night at around 7pm EST I got these two log entries from my IDS server.
>
> Jul 5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244
> -> XXX.XXX.XXX.10:25
> Jul 5 19:06:33 IDS snort[340]: IDS31/SMTP-expn-root: 207.126.127.68:53244
> -> XXX.XXX.XXX.10:25
>
> Weird thing is that originating IP address is "lists.securityfocus.com".
> I've been on these lists for over a month and this is the first time I've
> ever seen this message come up in my IDS.
>
> Anyone know why this may occur that I'm missing?
>

Yup. I got that too. A message was posted to the list containing some logs. In
the logs were the words 'expn root' (guess you'll get it again now ; ). It comes
in on port 25 and contains the keyword... must be something. Whoops.

See the thread "scan log and subsequent response from the host's ISP". Also
take a look in the directory named as the IP address of the 'attacker' under
your log directory. You can view the decoded packet and see the mail message.

Not to worry.... This time.

dyer
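The false positive described in this thread comes down to a keyword check that does not distinguish an SMTP command from text inside a relayed message body. The following is an added example, not code from the thread or from Snort's actual rule engine: a simplified model that contrasts a match-anywhere check with one that only looks at SMTP command lines outside the DATA section. The hostnames and message text are constructed.

```python
"""Why a keyword-only SMTP rule fires on mail that merely quotes the keyword,
versus a check that inspects only SMTP command lines (simplified model)."""

KEYWORD = "expn root"


def naive_match(client_stream: str) -> bool:
    """Keyword-anywhere check: also fires on the mail body (the false positive)."""
    return KEYWORD in client_stream.lower()


def command_match(client_stream: str) -> bool:
    """Inspect only SMTP command lines: skip everything between DATA and the
    lone '.' terminator, then look for an EXPN verb whose argument is 'root'.
    (Body lines beginning with '.' are dot-stuffed by the sender, so a bare
    '.' can only be the end-of-data marker.)"""
    in_data = False
    for line in client_stream.splitlines():
        if in_data:
            if line == ".":
                in_data = False
            continue
        verb, _, arg = line.partition(" ")
        if verb.upper() == "DATA":
            in_data = True
        elif verb.upper() == "EXPN" and arg.strip().lower() == "root":
            return True
    return False


# Constructed sample 1: a mailing-list post quoting someone's scan logs,
# relayed by the list server to a subscriber's MTA on port 25.
RELAYED_LIST_POST = "\r\n".join([
    "HELO lists.example.net",
    "MAIL FROM:<list-owner@example.net>",
    "RCPT TO:<subscriber@example.org>",
    "DATA",
    "Subject: scan log and subsequent response from the host's ISP",
    "",
    "Here is what the host tried against my server: expn root",
    ".",
    "QUIT",
])

# Constructed sample 2: a client actually issuing the command.
DIRECT_PROBE = "\r\n".join(["HELO probe.example", "EXPN root", "QUIT"])

if __name__ == "__main__":
    for name, stream in [("list post", RELAYED_LIST_POST), ("probe", DIRECT_PROBE)]:
        print(f"{name}: naive={naive_match(stream)} command-aware={command_match(stream)}")
```

Running it shows the naive check firing on both streams while the command-aware check fires only on the second, which is the distinction the logs in this thread lacked.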