From: Etaoin Shrdlu (shrdlu_at_deaddrop.org)
Date: Thu Sep 05 2002 - 13:34:19 CDT
I had an odd event the other night, which I would have been predisposed to
ignore, except now I've seen it show up in a couple of other places. It
seems to start out as an attempt to overflow the message queue for
sendmail, and may go on to do other things if successful.
My sendmail (correctly) rejected the nonsense, but I've since heard from
someone whose machine had 400 sendmail processes (his words), from just
three connection attempts. The log file in each case is:
"NOQUEUE: SYSERR: putoutmsg ([x.x.x.x]): error on output channel sending "550 Access denied": Broken pipe"
I should also mention that the machine with the runaway processes was a
Solaris 8 x86 box, not too recently patched, and with a user built sendmail
(not stock Solaris), and those things may have had some effect in allowing
problems.
I saved a full session of one of the attempts on my local machine (seven
packets worth) from ethereal. There was also an initial attempt to validate
as user "tcpwrappers" which I found a bit odd. Those are the only things
beyond log entries, and of course the packets are incomplete (since the
attempts were blocked). The odd and unique thing is that the initial
payload was:
> GET http://www.yahoo.com/ HTTP/1.1
> Host: www.yahoo.com
> Accept: */*
> Pragma: no-cache
> User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)
Well, now, I say to myself. That's odd. Kind of strange stuff to send
through smtp, I'd say. I'd be interested in any ideas.
--
...some sort of steganographic chaffing and winnowing scheme already exists in practice right here: I frequently find myself having to sort through large numbers of idiotic posts to find the good ones. -- Mr. Rufus Faloofus

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
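An added example, not part of the original post, for triaging the two artifacts it reports: the sendmail "NOQUEUE: SYSERR: putoutmsg" log line and an HTTP request arriving on the SMTP port. The parser extracts the peer address, the reply sendmail was trying to send and the socket error, then counts occurrences per source so that three connections producing hundreds of entries stand out. The payload check relies on two facts: SMTP is server-speaks-first, so a client whose first bytes are an HTTP request line is not speaking SMTP at all, and an absolute URI in the request line ("GET http://host/ HTTP/1.1") is the form a client sends to an HTTP proxy rather than to an origin server. The log lines and addresses below are constructed to match the shape quoted in the post; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape quoted in the post.
# Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Sep  5 02:14:03 mx sendmail[1234]: NOQUEUE: SYSERR: putoutmsg ([192.0.2.10]): error on output channel sending "550 Access denied": Broken pipe
Sep  5 02:14:05 mx sendmail[1235]: NOQUEUE: SYSERR: putoutmsg ([192.0.2.10]): error on output channel sending "550 Access denied": Broken pipe
Sep  5 02:14:09 mx sendmail[1236]: NOQUEUE: SYSERR: putoutmsg ([198.51.100.7]): error on output channel sending "550 Access denied": Broken pipe
Sep  5 02:15:00 mx sendmail[1237]: g85AeBx012345: from=<a@example.org>, size=512, class=0, nrcpts=1
"""

# Constructed copy of the payload quoted in the post, as it would be read
# from the TCP stream on port 25 (CRLF line endings assumed).
SAMPLE_PAYLOAD = (
    b"GET http://www.yahoo.com/ HTTP/1.1\r\n"
    b"Host: www.yahoo.com\r\n"
    b"Accept: */*\r\n"
    b"Pragma: no-cache\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)\r\n"
    b"\r\n"
)

# Matches the putoutmsg SYSERR line: peer address in [...], the SMTP reply
# sendmail was trying to write, and the errno text after the final colon.
PUTOUTMSG_RE = re.compile(
    r'NOQUEUE: SYSERR: putoutmsg \(\[(?P<ip>[0-9A-Fa-f.:]+)\]\): '
    r'error on output channel sending "(?P<reply>[^"]*)": (?P<errno>.+?)\s*$'
)

# First line of an HTTP request: method, request-target, version.
HTTP_REQUEST_LINE_RE = re.compile(
    rb'^(GET|POST|HEAD|CONNECT|OPTIONS|PUT|DELETE|TRACE) (\S+) HTTP/1\.[01]\r?\n'
)


def parse_putoutmsg(line):
    """Return {'ip', 'reply', 'errno'} for a putoutmsg SYSERR line, else None."""
    m = PUTOUTMSG_RE.search(line)
    return m.groupdict() if m else None


def count_by_source(log_text):
    """Count putoutmsg SYSERR lines per peer address across a log excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_putoutmsg(line)
        if rec:
            counts[rec["ip"]] += 1
    return counts


def classify_smtp_payload(data):
    """Classify the first bytes a client sent after connecting to port 25.

    A real SMTP client waits for the 220 banner and then sends HELO/EHLO,
    so anything that opens with an HTTP request line is a protocol mismatch.
    """
    m = HTTP_REQUEST_LINE_RE.match(data)
    if not m:
        return "smtp-or-other"
    method, target = m.group(1), m.group(2)
    if method == b"CONNECT":
        # CONNECT host:port is only meaningful when talking to a proxy.
        return "http-proxy-connect"
    if target.startswith(b"http://") or target.startswith(b"https://"):
        # Absolute-URI request-target is the proxy form of an HTTP request.
        return "http-proxy-style-absolute-uri"
    return "http-plain"


if __name__ == "__main__":
    for ip, n in count_by_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} putoutmsg errors")
    print("payload on port 25 classified as:", classify_smtp_payload(SAMPLE_PAYLOAD))
```

On a live system the log excerpt would come from the mail log (for example /var/log/maillog) and the payload from a packet capture or a tcpwrappers/inetd-style banner logger; the classification only looks at the first request line, which is enough to separate "someone sent HTTP to my MTA" from a genuine SMTP session before looking at the rest of the capture.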