Re: SMTP server (How can I find out the real source of an attack)

From: Valdis.Kletnieksat_private
Date: Thu Jul 12 2001 - 18:59:32 PDT


    On Thu, 12 Jul 2001 15:53:36 PDT, MrG <p2mask2_xtiat_private>  said:
    > 1. I have a SMTP server (behind my FW) who constantly
    > (>7 times per second) is trying to establish a TCP=25
    
    > I know that my SMTP server has been compromised but
    
    How do you *know* it's been compromised?
    
    I've seen multiple systems that don't understand the meaning of "required
    delay before retry" as per RFC1123 - systems that in their normally broken
    state will retry over and over and over.  I can sympathize with your
    7x/sec - I once got hit by something that retried 10x/sec for about 2 days
    before I finally found the owner and chastised them....
    
    -- 
    				Valdis Kletnieks
    				Operating Systems Analyst
    				Virginia Tech
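
One way to check the point raised in the reply above, as an added example that is not part of the original message: measure the gap between successive port-25 connection attempts per destination and compare it with the retry interval RFC 1123 section 5.3.1.1 recommends (at least 30 minutes). The log format, addresses, and names such as `retry_report` are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# RFC 1123 section 5.3.1.1: the retry interval SHOULD be at least 30 minutes.
MIN_RETRY_SECONDS = 30 * 60

# Constructed firewall log format (an assumption, not from the original post):
#   <ISO timestamp> SRC=<ip> DST=<ip> DPT=<port> SYN
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) SYN$")

def _line(ts, dst, port):
    return f"{ts.isoformat()} SRC=10.0.0.25 DST={dst} DPT={port} SYN"

# Constructed sample: one destination hammered every 140 ms, one retried
# every 30 minutes, and one unrelated web connection.
T0 = datetime(2001, 7, 12, 15, 0, 0)
SAMPLE_LOG = "\n".join(
    [_line(T0 + timedelta(milliseconds=140 * i), "192.0.2.10", 25) for i in range(8)]
    + [_line(T0 + timedelta(minutes=30 * i), "198.51.100.7", 25) for i in range(3)]
    + [_line(T0, "203.0.113.5", 80)]
)

def retry_report(log_text, port=25):
    """Per (src, dst) pair, measure the gaps between connection attempts to `port`."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m.group(4)) == port:
            attempts[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    report = {}
    for pair, times in attempts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if not gaps:
            continue  # a single attempt says nothing about retry behaviour
        med = median(gaps)
        report[pair] = {
            "attempts": len(times),
            "median_gap_s": med,
            "per_second": round(1 / med, 2) if med > 0 else float("inf"),
            "faster_than_rfc1123": med < MIN_RETRY_SECONDS,
        }
    return report

if __name__ == "__main__":
    for (src, dst), stats in retry_report(SAMPLE_LOG).items():
        print(src, "->", dst, stats)
```

A tight, regular loop against one destination matches the broken retry behaviour described in the reply; the measurement alone neither establishes nor rules out a compromise.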
    
    This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 15:48:15 PDT