I had an odd event the other night, which I would have been predisposed to ignore, except now I've seen it show up in a couple of other places. It seems to start out as an attempt to overflow the message queue for sendmail, and may go on to do other things if successful. My sendmail (correctly) rejected the nonsense, but I've since heard from someone whose machine had 400 sendmail processes (his words), from just three connection attempts.

The log file in each case is:

NOQUEUE: SYSERR: putoutmsg ([x.x.x.x]): error on output channel sending "550 Access denied": Broken pipe

I should also mention that the machine with the runaway processes was a Solaris 8 x86 box, not too recently patched, and with a user-built sendmail (not stock Solaris), and those things may have had some effect in allowing problems.

I saved a full session of one of the attempts on my local machine (seven packets' worth) from ethereal. There was also an initial attempt to validate as user "tcpwrappers", which I found a bit odd. Those are the only things beyond log entries, and of course the packets are incomplete (since the attempts were blocked).

The odd and unique thing is that the initial payload was:

> GET http://www.yahoo.com/ HTTP/1.1
> Host: www.yahoo.com
> Accept: */*
> Pragma: no-cache
> User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)

Well, now, I say to myself. That's odd. Kind of strange stuff to send through SMTP, I'd say.

I'd be interested in any ideas.

--
...some sort of steganographic chaffing and winnowing scheme already exists in practice right here: I frequently find myself having to sort through large numbers of idiotic posts to find the good ones.
-- Mr. Rufus Faloofus

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
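As an added triage example (not code from the original post, nor part of sendmail), the script below does two things a responder would want after reading a report like this: it pulls every "NOQUEUE: SYSERR: putoutmsg" line out of a syslog extract, counts them per peer address, and flags peers that trigger the error repeatedly, which is the pattern the post describes (one client connecting, being told "550 Access denied", and dropping the connection over and over); and it classifies the first line a client sends on an SMTP connection so that an HTTP request line such as the "GET http://www.yahoo.com/ HTTP/1.1" payload quoted above stands out from a normal HELO/EHLO. The syslog prefix format, host name, PIDs, addresses and the threshold of three are all constructed assumptions; only the putoutmsg message text follows the post.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the sendmail error quoted in the
# post. The syslog prefix, host name, PIDs and addresses are made up; only the
# "NOQUEUE: SYSERR: putoutmsg ..." text follows the post.
SAMPLE_LOG = """\
Sep  4 23:11:02 mx sendmail[1201]: NOQUEUE: SYSERR: putoutmsg ([10.0.0.5]): error on output channel sending "550 Access denied": Broken pipe
Sep  4 23:11:03 mx sendmail[1202]: NOQUEUE: SYSERR: putoutmsg ([10.0.0.5]): error on output channel sending "550 Access denied": Broken pipe
Sep  4 23:11:04 mx sendmail[1203]: NOQUEUE: SYSERR: putoutmsg ([10.0.0.5]): error on output channel sending "550 Access denied": Broken pipe
Sep  4 23:15:40 mx sendmail[1210]: g850FeX01210: from=<alice@example.org>, size=512, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.org [192.0.2.10]
Sep  4 23:20:11 mx sendmail[1222]: NOQUEUE: SYSERR: putoutmsg ([192.0.2.77]): error on output channel sending "550 Access denied": Broken pipe
"""

# Matches the error text from the post; the bracketed peer address, the SMTP
# reply being sent and the OS error string are captured separately.
PUTOUTMSG_RE = re.compile(
    r'NOQUEUE: SYSERR: putoutmsg \(\[(?P<ip>[0-9a-fA-F.:]+)\]\): '
    r'error on output channel sending "(?P<reply>[^"]*)": (?P<errno>.+)$'
)

# The first thing a well-behaved SMTP client sends is a command verb. An HTTP
# request line in that position means the peer is speaking the wrong protocol.
HTTP_REQUEST_LINE_RE = re.compile(
    r'^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/\d\.\d\s*$'
)
SMTP_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP",
                 "QUIT", "VRFY", "EXPN", "HELP", "STARTTLS", "AUTH"}


def parse_putoutmsg_errors(log_text):
    """Return (ip, reply, errno) for every putoutmsg SYSERR line in log_text."""
    events = []
    for line in log_text.splitlines():
        m = PUTOUTMSG_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("reply"), m.group("errno")))
    return events


def count_by_source(events):
    """Count putoutmsg errors per peer address."""
    return dict(Counter(ip for ip, _reply, _errno in events))


def flag_repeat_offenders(log_text, threshold=3):
    """Peers hitting the error at least `threshold` times, most frequent first.

    One occurrence is just a client that went away mid-reply; the same peer
    doing it repeatedly is the pattern worth a closer look.
    """
    counts = count_by_source(parse_putoutmsg_errors(log_text))
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: (-counts[ip], ip))


def classify_first_line(first_line):
    """Classify a client's first line on port 25: 'smtp', 'http' or 'unknown'."""
    if HTTP_REQUEST_LINE_RE.match(first_line):
        return "http"
    verb = first_line.split(None, 1)[0].upper() if first_line.strip() else ""
    if verb in SMTP_COMMANDS:
        return "smtp"
    return "unknown"


if __name__ == "__main__":
    for ip in flag_repeat_offenders(SAMPLE_LOG):
        print("repeated putoutmsg errors from", ip)
    print(classify_first_line("GET http://www.yahoo.com/ HTTP/1.1"))
```

Run against a real maillog extract, the per-peer counts give a quick way to tell whether a burst of putoutmsg errors is one host retrying or scattered noise; the first-line classifier is meant for a capture or a custom listener's log, since sendmail itself only records the failed reply, not the bytes it received.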
This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 12:50:31 PDT