
SENDMAIL POSSIBLE ATTACK MESSAGE IN SYSLOG - SCO


  1. #1

    SENDMAIL POSSIBLE ATTACK MESSAGE IN SYSLOG

    Anyone know why I see these in syslog on my OSR 5.0.6 system. (Sendmail
    8.11). Thanks wj

    Feb 17 12:38:17 pop sendmail[26413]: h1HHcHZ26413: POSSIBLE ATTACK from
    [66.200.129.94]: newline in string "QW153^M "
    May 12 20:41:13 pop sendmail[7999]: h4D0fCd07999: POSSIBLE ATTACK from
    ANeuilly-105-2-1-149.w80-11.abo.wanadoo.fr: newline in string "SnakeG^M "
    Sep 11 19:52:07 pop sendmail[10092]: h8BNq7o10092: POSSIBLE ATTACK from
    [213.132.46.106]: newline in string "xdcc24^M "
    Nov 6 20:22:54 pop sendmail[4198]: hA71MsR04198: POSSIBLE ATTACK from
    [213.42.17.244]: newline in string "yalxgtqqoc^M "


    willjay Guest

  2. #2

    Re: SENDMAIL POSSIBLE ATTACK MESSAGE IN SYSLOG

    In article <HnPqb.47139$bellsouth.net>,
    willjay <com> wrote: 
     

    Bad guys trying bad things. I see 176 of those in the last 12
    hours since my logs roll at 1AM. I even see about 25 from the
    wanadoo site. The 'newline in string' is because unless you
    change the behavior the headers can not have a new line in them.

    There are now checks on headers to prevent outside attacks.

    Be glad the messages don't go any further but stop at the entry.


    --
    Bill Vermillion - bv wjv . com
    Bill Guest

  3. #3

    Re: SENDMAIL POSSIBLE ATTACK MESSAGE IN SYSLOG

    Bill Vermillion typed (on Fri, Nov 07, 2003 at 07:15:00PM +0000):
    | In article <HnPqb.47139$bellsouth.net>,
    | willjay <com> wrote:
    | >Anyone know why I see these in syslog on my OSR 5.0.6 system. (Sendmail
    | >8.11). Thanks wj
    |
    | >Feb 17 12:38:17 pop sendmail[26413]: h1HHcHZ26413: POSSIBLE ATTACK from
    | >[66.200.129.94]: newline in string "QW153^M "
    | >May 12 20:41:13 pop sendmail[7999]: h4D0fCd07999: POSSIBLE ATTACK from
    | >ANeuilly-105-2-1-149.w80-11.abo.wanadoo.fr: newline in string "SnakeG^M "
    | >Sep 11 19:52:07 pop sendmail[10092]: h8BNq7o10092: POSSIBLE ATTACK from
    | >[213.132.46.106]: newline in string "xdcc24^M "
    | >Nov 6 20:22:54 pop sendmail[4198]: hA71MsR04198: POSSIBLE ATTACK from
    | >[213.42.17.244]: newline in string "yalxgtqqoc^M "
    |
    | Bad guys trying bad things. I see 176 of those in the last 12
    | hours since my logs roll at 1AM. I even see about 25 from the
    | wanadoo site. The 'newline in string' is because unless you
    | change the behavior the headers can not have a new line in them.
    |
    | There are now checks on headers to prevent outside attacks.
    |
    | Be glad the messages don't go any further but stop at the entry.
    |

    Prevent access to your pop daemon from any but your known IP clients.
    Ipmon can do this, or your router, or tcp-wrappers.

    --
    JP
    Jean-Pierre Guest

  4. #4

    Re: SENDMAIL POSSIBLE ATTACK MESSAGE IN SYSLOG

    In article <jpr.com>,
    Jean-Pierre Radley <com> wrote:

    I must be going blind. I concentrated so much on the
    POSSIBLE ATTACK that I completely overlooked the 'pop' part.
    All mine come from 'mail'.

    Still bad guys - and everyone has the 'newline in a string'.

    I'm up to 279 so far. But that's to be expected on this machine.
    Things are getting better - I've only junked about 25% of the
    incoming mail today. Two weeks ago it was over 50%



    --
    Bill Vermillion - bv wjv . com
    Bill Guest

  5. #5

    Re: SENDMAIL POSSIBLE ATTACK MESSAGE IN SYSLOG


    "Bill Vermillion" <comREMOVE> wrote in message
    news:com...

    >
    > I must be going blind. I concentrated so much on the
    > POSSIBLE ATTACK that I completely overlooked the 'pop' part.
    > All mine come from 'mail'.
    >
    > Still bad guys - and everyone has the 'newline in a string'.
    >
    > I'm up to 279 so far. But that's to be expected on this machine.
    > Things are getting better - I've only junked about 25% of the
    > incoming mail today. Two weeks ago it was over 50%
    >
    >
    >
    > --
    > Bill Vermillion - bv wjv . com

    pop is the name of our server as in pop.myserver.com, yours must be
    mail.yourserver.com? wj


    willjay Guest
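
The replies above count these entries by hand (176 in 12 hours, about 25 from one site). As an added example that is not part of the original thread, this Python script parses sendmail's `POSSIBLE ATTACK ... newline in string` syslog lines and tallies them per source. Reducing hostnames to their last two labels is a simplifying assumption, and the last three sample lines are constructed.

```python
import re
from collections import Counter

# First four entries come from the opening post, rejoined onto one line each.
# The last three lines are constructed: two hits from one site, one normal entry.
SAMPLE_LOG = '''\
Feb 17 12:38:17 pop sendmail[26413]: h1HHcHZ26413: POSSIBLE ATTACK from [66.200.129.94]: newline in string "QW153^M "
May 12 20:41:13 pop sendmail[7999]: h4D0fCd07999: POSSIBLE ATTACK from ANeuilly-105-2-1-149.w80-11.abo.wanadoo.fr: newline in string "SnakeG^M "
Sep 11 19:52:07 pop sendmail[10092]: h8BNq7o10092: POSSIBLE ATTACK from [213.132.46.106]: newline in string "xdcc24^M "
Nov 6 20:22:54 pop sendmail[4198]: hA71MsR04198: POSSIBLE ATTACK from [213.42.17.244]: newline in string "yalxgtqqoc^M "
Nov 6 20:25:40 pop sendmail[4210]: hA71PeR04210: POSSIBLE ATTACK from dialup-1.isp.example: newline in string "aaa^M "
Nov 6 20:25:41 pop sendmail[4211]: hA71PfR04211: POSSIBLE ATTACK from dialup-2.isp.example: newline in string "bbb^M "
Nov 6 20:26:02 pop sendmail[4215]: hA71Q2R04215: from=<user@example.org>, size=1024, nrcpts=1
'''

# timestamp, logging host, pid, queue id, connecting source, rejected string
ENTRY = re.compile(
    r'^(?P<when>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssendmail\[(?P<pid>\d+)\]:\s'
    r'(?P<qid>\w+):\sPOSSIBLE ATTACK from (?P<src>.+?): '
    r'newline in string "(?P<text>.*)"\s*$'
)

def parse(line):
    """Return the fields of one POSSIBLE ATTACK entry, or None for any other line."""
    m = ENTRY.match(line)
    return m.groupdict() if m else None

def site(src):
    """Grouping key: the bracketed address as is, or the hostname's last two labels."""
    m = re.search(r'\[([^\]]+)\]$', src)
    if m:
        return m.group(1)
    return '.'.join(src.lower().rstrip('.').split('.')[-2:])

def tally(log_text):
    """Count POSSIBLE ATTACK entries per source site; also return the parsed hits."""
    hits = [e for e in map(parse, log_text.splitlines()) if e]
    return Counter(site(e['src']) for e in hits), hits

if __name__ == '__main__':
    counts, hits = tally(SAMPLE_LOG)
    print(f'{len(hits)} POSSIBLE ATTACK entries')
    for source, n in counts.most_common():
        print(f'{n:5d}  {source}')
```
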
