Greetings, I just wondered if anyone can help me out with a possible incident / DoS. For the past 10 hours or so I have been getting sendmail log entries like:

....
Mar 27 06:30:19 hostname sendmail[690]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:31:29 hostname sendmail[752]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:32:39 hostname sendmail[792]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:33:49 hostname sendmail[834]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:34:59 hostname sendmail[896]: NOQUEUE: host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
.... continuous ......

They are happening every 1 min and 10 seconds roughly and, as I said, it has been going on for about 10-12 hours, all from the same host.

I've sniffed the traffic and captured the whole session. It's quite short and I have recreated it from another machine below:

-- Start Session --
Connected to *.*.*.*.
Escape character is '^]'.
220 hostname.net ESMTP Sendmail 8.10.2/8.10.2; Wed, 27 Mar 2002 09:02:13 GMT
EHLO michael
250-hostname.net Hello **.*****.com [*.*.*.*], pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SIZE 2097152
250-DSN
250-ONEX
250-ETRN
250-XUSR
250-AUTH PLAIN
250 HELP
500 5.5.1 Command unrecognized: ""
AUTH PLAIN
334 =
AHZpYXVrAA==
500 5.7.0 authentication failed
QUIT
221 2.0.0 hostname.net closing connection
-- End Session --

I don't understand what this person is trying to do, as it's using the same password each time and using this same "michael" hostname, so it appears not to be a brute force. Is this just a small, pointless automated DoS, or could it be something more worrying?

Could anyone shed any light on this or offer any advice? I know I could just add it to hosts.deny, but I'm just trying to figure out why it's going on and prevent it happening again. Any suggestions / linkage would be great.

Many thanks,
fragga

PS: I made a post on here before but it got returned ... dunno why :(

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
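Two things an analyst would want to check on a post like this are (a) whether the repeated NOQUEUE connections really are a fixed-interval, unattended client, and (b) what the AUTH PLAIN blob the client sends actually contains, since SASL PLAIN is just base64 over "authzid NUL authcid NUL password" (RFC 4616). The script below is an added example written for this thread, not code from the poster or from sendmail. The log lines it parses are constructed from the entries in the post with the masked address replaced by a documentation-range IP, and one unrelated client added for contrast; the base64 string is the one from the captured session.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Matches a sendmail "NOQUEUE ... did not issue MAIL/EXPN/VRFY/ETRN" line
# in the shape shown in the post (BSD syslog timestamp, no year).
NOQUEUE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: NOQUEUE: (?P<client>\S+) \[(?P<ip>[^\]]+)\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA$"
)

# Constructed sample log: the five entries from the post (masked IP swapped
# for 192.0.2.10, a documentation address) plus one unrelated idle client.
SAMPLE_LOG = """\
Mar 27 06:30:19 hostname sendmail[690]: NOQUEUE: host192-0-2-10.in-addr.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:31:29 hostname sendmail[752]: NOQUEUE: host192-0-2-10.in-addr.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:32:39 hostname sendmail[792]: NOQUEUE: host192-0-2-10.in-addr.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:33:49 hostname sendmail[834]: NOQUEUE: host192-0-2-10.in-addr.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:34:59 hostname sendmail[896]: NOQUEUE: host192-0-2-10.in-addr.example.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:33:02 hostname sendmail[820]: NOQUEUE: mail.example.org [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""


def parse_noqueue(log_text):
    """Yield (timestamp, ip, client_name) for every NOQUEUE line; skip the rest."""
    for line in log_text.splitlines():
        m = NOQUEUE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; intervals within one day are unaffected.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        yield ts, m.group("ip"), m.group("client")


def periodic_clients(log_text, min_hits=3, max_jitter=5.0):
    """Return {ip: (hits, mean_interval_seconds)} for clients whose idle
    connections recur at a near-constant interval (every gap within
    max_jitter seconds of the mean). A steady beat like the 70 s one in the
    post points to an unattended script rather than a human or a real MTA."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_noqueue(log_text):
        by_ip[ip].append(ts)
    result = {}
    for ip, stamps in by_ip.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if max(abs(g - avg) for g in gaps) <= max_jitter:
            result[ip] = (len(stamps), avg)
    return result


def decode_sasl_plain(b64):
    """Split a SASL PLAIN message (RFC 4616: authzid NUL authcid NUL passwd)
    into its three fields so the analyst can see what the client claims."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("not a well-formed SASL PLAIN message")
    return tuple(p.decode("utf-8", errors="replace") for p in parts)


if __name__ == "__main__":
    for ip, (hits, avg) in periodic_clients(SAMPLE_LOG).items():
        print(f"{ip}: {hits} idle connections, one every {avg:.0f}s")
    # The blob from the captured session in the post.
    print(decode_sasl_plain("AHZpYXVrAA=="))
```

Run against the sample, the periodic check flags only 192.0.2.10 (five hits, exactly 70 s apart) and ignores the one-off client. Decoding the session's AUTH PLAIN string gives an empty authorization id, the user name "viauk" and an empty password, which is consistent with the poster's observation that the same (failing) credential is sent on every connection; a scheduled job or misconfigured client retrying a fixed login explains the clockwork timing better than a brute-force attempt would.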
This archive was generated by hypermail 2b30 : Wed Mar 27 2002 - 08:50:37 PST