This is from the NetSaint (a host monitoring tool) mailing list today:

"Has anyone found a good way to eliminate the "NOQUEUE" messages which
check_smtp produces in sendmail's logs? I took a look at the options for
check_smtp and there was nothing there which would allow me to send
something to the machine to make it into a non-null connect. Ideas?"

Looks like Michael does have a host monitor (NetSaint specifically)
pointed at you.

-Steve

--

>
>Seems like maybe Michael set up a host monitor and put in the wrong IP?
>WhatsUP doesn't issue a "quit" AFAIK but will do all the rest of that
>communication. Maybe polling is set for 70 seconds. There are other host
>monitors out there and it may be one of those or home grown.
>Try web to port 80 or 8080 of the sending IP and see if you get anything?
>or... nmap the sending host and try a http connection to the open ports.
>
>I would think it is a simple typo. It may be hard to track Michael down
>since it may be a user account on bt.com
>
>...ken
>
>Wednesday, March 27, 2002, 5:30:37 AM (GMT-5), you wrote:
>> Greetings,
>
>> I just wondered if anyone can help me out with a possible incident / DOS.
>> For the past 10 hours or so I have been getting sendmail log entries like:
>> ....
>> Mar 27 06:30:19 hostname sendmail[690]: NOQUEUE:
>> host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
>> MAIL/EXPN/VRFY/ETRN during connection to MTA
>> Mar 27 06:31:29 hostname sendmail[752]: NOQUEUE:
>> host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
>> MAIL/EXPN/VRFY/ETRN during connection to MTA
>> Mar 27 06:32:39 hostname sendmail[792]: NOQUEUE:
>> host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
>> MAIL/EXPN/VRFY/ETRN during connection to MTA
>> Mar 27 06:33:49 hostname sendmail[834]: NOQUEUE:
>> host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
>> MAIL/EXPN/VRFY/ETRN during connection to MTA
>> Mar 27 06:34:59 hostname sendmail[896]: NOQUEUE:
>> host*-*-*-*.in-addr.btopenworld.com [*.*.*.*] did not issue
>> MAIL/EXPN/VRFY/ETRN during connection to MTA
>> .... continuous ......
>
>> They are happening every 1 min and 10 seconds roughly and, as I said, have
>> been going on for about 10-12 hours, all from the same host...
>> I've sniffed the traffic and captured the whole session. It's quite short and
>> I have recreated it from another machine below ....
>
>> -- Start Session --
>> Connected to *.*.*.*.
>> Escape character is '^]'.
>> 220 hostname.net ESMTP Sendmail 8.10.2/8.10.2; Wed, 27 Mar 2002 09:02:13 GMT
>> EHLO michael
>> 250-hostname.net Hello **.*****.com [*.*.*.*], pleased to meet you
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250-SIZE 2097152
>> 250-DSN
>> 250-ONEX
>> 250-ETRN
>> 250-XUSR
>> 250-AUTH PLAIN
>> 250 HELP
>
>> 500 5.5.1 Command unrecognized: ""
>> AUTH PLAIN
>> 334 =
>> AHZpYXVrAA==
>> 500 5.7.0 authentication failed
>> QUIT
>> 221 2.0.0 hostname.net closing connection
>> -- End Session --
>
>> I don't understand what this person's trying to do, as it's using the same
>> password each time and using this same michael hostname. So it appears not
>> to be a brute force.
>
>> Is this just a small pointless automated DOS or could it be something more
>> worrying? Could anyone shed any light on this or offer any advice? I know I
>> could just add to hosts.deny, but I'm just trying to figure out why it's
>> going on and prevent it happening again. Any suggestions / linkage would be
>> great.
>
>> Many thanks.
>
>> fragga
>
>> ps I made a post on here before but it got returned ... dunno why :(
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>
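As an added example (not part of the thread or of sendmail/NetSaint), a small Python triage script that parses sendmail NOQUEUE lines of the kind fragga quoted, groups them by source address and checks whether the connections arrive at a fixed cadence; the thread's conclusion that a monitor is polling every 70 seconds rests on exactly that regularity, and the script makes the check repeatable across a whole log. The log lines, hostnames, the 192.0.2.10 / 198.51.100.7 addresses and the assumed year 2002 are constructed.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines modelled on the NOQUEUE entries quoted in the
# thread: five connects 70 s apart from one source, one stray connect from another.
SAMPLE_LOG = """\
Mar 27 06:30:19 hostname sendmail[690]: NOQUEUE: host1-2-3-4.in-addr.btopenworld.com [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:31:29 hostname sendmail[752]: NOQUEUE: host1-2-3-4.in-addr.btopenworld.com [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:32:39 hostname sendmail[792]: NOQUEUE: host1-2-3-4.in-addr.btopenworld.com [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:33:49 hostname sendmail[834]: NOQUEUE: host1-2-3-4.in-addr.btopenworld.com [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:34:59 hostname sendmail[896]: NOQUEUE: host1-2-3-4.in-addr.btopenworld.com [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mar 27 06:35:02 hostname sendmail[901]: NOQUEUE: mail.example.net [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# Syslog timestamp, then sendmail's "NOQUEUE: <host> [<ip>] did not issue ..." text.
NOQUEUE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: NOQUEUE: "
    r"(?P<host>\S+) \[(?P<ip>[\d.]+)\] did not issue MAIL/EXPN/VRFY/ETRN"
)

def parse_noqueue(text, year=2002):
    """Return {ip: [datetime, ...]} for every 'did not issue' NOQUEUE line.
    Syslog lines carry no year, so it is supplied (assumed 2002 here)."""
    hits = {}
    for line in text.splitlines():
        m = NOQUEUE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits.setdefault(m["ip"], []).append(ts)
    return hits

def classify(timestamps, min_events=4, max_jitter=5.0):
    """Label one source's series: 'periodic' (fixed cadence with at most
    max_jitter seconds of spread, typical of a monitor poll), 'burst'
    (enough events but irregular gaps) or 'sparse' (too few to judge)."""
    if len(timestamps) < min_events:
        return "sparse", None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    period = mean(gaps)
    return ("periodic" if pstdev(gaps) <= max_jitter else "burst"), period

def report(text):
    """Map each source IP to (label, mean gap in seconds)."""
    return {ip: classify(times) for ip, times in parse_noqueue(text).items()}
```

Run over a real /var/log/maillog the same way; a source labelled "periodic" with a round period is the signature of a polling check rather than an attack.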
This archive was generated by hypermail 2b30 : Wed Mar 27 2002 - 13:17:45 PST