Help!!! Urgent!!! Someone is attacking our server.


Chicky

Feb 26, 2003, 5:09:44 AM
From the maillog, I have a lot of "User unknown" messages. The domain has been changed
to xxx.com for security reasons. I think someone is using a program to check
the users of my domain. However, there is no IP listed in the log file. So
what could I do to prevent this? Thanks.

Feb 26 08:35:45 ns1 sendmail[18655]: h1Q0Z4A18655: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18656]: h1Q0Z5A18656: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18655]: h1Q0Z4A18655: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18656]: h1Q0Z5A18656: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18655]: h1Q0Z4A18655: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18655]: h1Q0Z4A18655: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18656]: h1Q0Z5A18656: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18655]: h1Q0Z4A18655: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18656]: h1Q0Z5A18656: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18656]: h1Q0Z5A18656: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18655]: h1Q0Z4A18655: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18656]: h1Q0Z5A18656: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18656]: h1Q0Z5A18656: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18655]: h1Q0Z4A18655: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18656]: h1Q0Z5A18656: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18655]: h1Q0Z4A18655: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18656]: h1Q0Z5A18656: <a...@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User unknown
Feb 26 08:35:46 ns1 sendmail[18655]: h1Q0Z4A18655: <a...@xxx.com>... User unknown
Feb 26 08:35:46 ns1 sendmail[18656]: h1Q0Z5A18656: <a...@xxx.com>... User unknown
Feb 26 08:35:46 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User unknown
Feb 26 08:35:46 ns1 sendmail[18655]: h1Q0Z4A18655: <a...@xxx.com>... User unknown
Feb 26 08:35:46 ns1 sendmail[18656]: h1Q0Z5A18656: <a...@xxx.com>... User unknown
Feb 26 08:35:46 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User unknown


john smith

Feb 26, 2003, 9:25:11 AM
Increase your log file details; maybe that will help with the "no IP" issue.

--


Rob

"Chicky" <chi...@chick.com> wrote in message
news:b3i3p9$fq...@imsp212.netvigator.com...

terry

Feb 26, 2003, 11:31:48 AM
"Chicky" <chi...@chick.com> wrote in message news:<b3i3p9$fq...@imsp212.netvigator.com>...
> From the maillog, I have a lot of "User unknown" messages. The domain has been changed
> to xxx.com for security reasons. I think someone is using a program to check
> the users of my domain. However, there is no IP listed in the log file. So
> what could I do to prevent this? Thanks.
>
> Feb 26 08:35:45 ns1 sendmail[18655]: h1Q0Z4A18655: <a...@xxx.com>... User unknown

were there any other lines associated with the sendmail log entries
you have already posted?

depends on which version of sendmail you are running.

define(`confPRIVACY_FLAGS',`goaway,restrictqrun,restrictmailq')dnl

would disable the expn and vrfy features.

depends on what operating system you are running.
if you are running linux run a tcpdump capturing to a file.
use either tcpdump or ethereal to view the captured file.
you will be able to determine the ip address that is doing this.
once you know the ip address block it at the router or with iptables
on the linux box.

basically, you need to know the ip address of the box which is
hammering on your server. once you know that you can block it with
iptables or with the access.db of sendmail.

terry l. ridder ><>

John Oliver

Feb 26, 2003, 12:45:00 PM
On Wed, 26 Feb 2003 18:09:44 +0800, Chicky wrote:
> From the maillog, I have a lot of "User unknown" messages. The domain has been changed
> to xxx.com for security reasons. I think someone is using a program to check
> the users of my domain. However, there is no IP listed in the log file. So
> what could I do to prevent this? Thanks.

This is what's called a "dictionary attack".

I'm puzzled about the lack of an IP address in the logs, though. AFAIK,
that means A) this is actually a local user; B) there's something
hideously wrong with sendmail, syslog, or the TCP/IP stack; or C) you've
been rooted. IIWY, I would check everything... are you running a
current, properly patched/configed OS? Is sendmail recent? Etc...

--
John Oliver, CCNA http://www.john-oliver.net/
Linux/UNIX/network consulting http://www.john-oliver.net/resume/
*** sendmail, Apache, ftp, DNS, spam filtering ***
**** Colocation, T1s, web/email/ftp hosting ****

Per Hedeland

Feb 26, 2003, 3:25:10 PM
In article <b3i3p9$fq...@imsp212.netvigator.com> "Chicky"
<chi...@chick.com> writes:
>From the maillog, I have a lot of "User unknown" messages. The domain has been changed
>to xxx.com for security reasons. I think someone is using a program to check
>the users of my domain. However, there is no IP listed in the log file. So
>what could I do to prevent this? Thanks.

The IP address is surely there, but not logged once for every 'RCPT To:'
in the same SMTP session, for more or less obvious reasons.

>Feb 26 08:35:45 ns1 sendmail[18655]: h1Q0Z4A18655: <a...@xxx.com>... User
>unknown

'grep h1Q0Z4A18655 /var/log/maillog' to find *all* the entries for this
session - one of them will have from=<the sender address given on 'MAIL
From:> and relay=<possibly host name, always IP address of SMTP client>.
It will generally be logged *after* the "User unknown"s though, when the
SMTP transaction is completed (or aborted/abandoned) - so you can't find
it in the log while the "attack" is in progress.

>Feb 26 08:35:45 ns1 sendmail[18652]: h1Q0Z4A18652: <a...@xxx.com>... User
>unknown

And grep h1Q0Z4A18652 for this one, etc (there are actually multiple
sessions going on in parallel in this case).

--Per Hedeland
p...@hedeland.org
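
Per's grep-by-queue-id step, as an added example that is not part of the thread: a small Python script that groups sendmail maillog lines by queue id, picks up the client address from each session's relay= field, and totals the "User unknown" rejections per client IP so the source doing the probing stands out. The log lines it works on are constructed for the example (the recipient names, the sender addresses and the 192.0.2.x / 198.51.100.x hosts are documentation placeholders, not anything from the thread); the function names and the default threshold of 5 are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample of a sendmail maillog (not the thread's own log): two
# parallel sessions probing addresses, whose from=/relay= line sendmail writes
# only when the transaction ends; one legitimate session with a single typo'd
# recipient; and one session still in progress (no relay= line yet).
SAMPLE_MAILLOG = """\
Feb 26 08:35:45 ns1 sendmail[18655]: h1Q0Z4A18655: <alice@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18652]: h1Q0Z4A18652: <bob@xxx.com>... User unknown
Feb 26 08:35:45 ns1 sendmail[18655]: h1Q0Z4A18655: <anna@xxx.com>... User unknown
Feb 26 08:35:46 ns1 sendmail[18655]: h1Q0Z4A18655: <adam@xxx.com>... User unknown
Feb 26 08:35:46 ns1 sendmail[18652]: h1Q0Z4A18652: <bill@xxx.com>... User unknown
Feb 26 08:35:47 ns1 sendmail[18655]: h1Q0Z4A18655: from=<probe@example.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Feb 26 08:35:47 ns1 sendmail[18652]: h1Q0Z4A18652: from=<probe@example.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Feb 26 08:40:02 ns1 sendmail[18702]: h1Q0e2A18702: <carol@xxx.com>... User unknown
Feb 26 08:40:03 ns1 sendmail[18702]: h1Q0e2A18702: from=<friend@example.org>, size=1834, class=0, nrcpts=1, msgid=<1@example.org>, proto=ESMTP, daemon=MTA, relay=smtp.example.org [198.51.100.7]
Feb 26 08:41:10 ns1 sendmail[18710]: h1Q0fAA18710: <dave@xxx.com>... User unknown
"""

# Common syslog prefix sendmail writes: timestamp, host, pid, queue id, rest.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)
UNKNOWN_RE = re.compile(r"^<(?P<rcpt>[^>]*)>\.\.\. User unknown$")
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>")
# relay= is either "[ip]" or "hostname [ip]"; capture only the bracketed part.
RELAY_RE = re.compile(r"relay=(?:\S+ )?\[(?P<ip>[^\]]+)\]")


def parse_maillog(text):
    """Group maillog lines by queue id (the 'grep h1Q0Z4A18655' step, for all ids).

    Returns {qid: {"unknown": [rcpt, ...], "sender": str|None, "relay": str|None}}.
    """
    sessions = defaultdict(lambda: {"unknown": [], "sender": None, "relay": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail line in the expected shape
        rec = sessions[m.group("qid")]
        rest = m.group("rest")
        u = UNKNOWN_RE.match(rest)
        if u:
            rec["unknown"].append(u.group("rcpt"))
            continue
        f = FROM_RE.match(rest)
        if f:
            rec["sender"] = f.group("sender")
            r = RELAY_RE.search(rest)
            if r:
                rec["relay"] = r.group("ip")
    return dict(sessions)


def unknown_rcpts_by_relay(sessions):
    """Sum 'User unknown' rejections per client IP across all sessions.

    Sessions whose from=/relay= line has not been written yet (transaction
    still in progress) are reported under the key None.
    """
    counts = defaultdict(int)
    for rec in sessions.values():
        counts[rec["relay"]] += len(rec["unknown"])
    return dict(counts)


def flag_dictionary_attacks(text, threshold=5):
    """Return [(ip, bad_rcpt_count)] for client IPs at or above the threshold,
    highest count first; sessions with no relay yet are left out."""
    counts = unknown_rcpts_by_relay(parse_maillog(text))
    hits = [(ip, n) for ip, n in counts.items() if ip is not None and n >= threshold]
    return sorted(hits, key=lambda t: -t[1])


if __name__ == "__main__":
    # Against a live box you would read /var/log/maillog instead of the sample.
    for ip, n in flag_dictionary_attacks(SAMPLE_MAILLOG):
        print(f"{ip}: {n} unknown recipients (candidate for access.db / iptables block)")
```

The None bucket is the caveat Per raises: while a probing session is still open, its "User unknown" lines exist but the relay= line does not, so the script can only attribute them once the transaction completes or is abandoned.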

Chicky

Feb 27, 2003, 8:43:26 PM
Thanks all for your help. I could find the IP address. What could I do to
reduce the risk of this type of dictionary attack? Thanks.


Thomas Schulz

Feb 28, 2003, 9:51:29 AM
In article <b3meru$q...@imsp212.netvigator.com>,
Chicky <chi...@chick.com> wrote:
>Thanks all for your help. I could find the IP address. What could I do to
>reduce the risk of this type of dictionary attack? Thanks.

You can't stop them, but you can slow them down and tie up their resources.
Look for confBAD_RCPT_THROTTLE in cf/README. This assumes that you have
the Sendmail source distribution or that your vendor supplies the m4
sources.

I have
define(`confBAD_RCPT_THROTTLE', `5')dnl
in my domain file. I am thinking about dropping the 5 down to 3.
--
Tom Schulz
sch...@adi.com
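
Pulling the three sendmail measures the thread mentions (terry's privacy flags and access.db, Tom's confBAD_RCPT_THROTTLE) together into one sendmail.mc fragment, as an added example rather than anyone's posted configuration. The tunable and feature names are the real ones the posts cite; the access entry's address is a placeholder, the paths are the usual defaults, and the throttle value of 3 is the one Tom says he is considering.

```m4
dnl Added example sendmail.mc fragment (not from the thread); paths are the
dnl usual defaults, adjust for your distribution.
FEATURE(`access_db')dnl
dnl   /etc/mail/access then holds lines such as the following (placeholder
dnl   address, substitute the client IP found with grep on the queue id):
dnl     Connect:192.0.2.10   REJECT
dnl   and the map is rebuilt with: makemap hash /etc/mail/access < /etc/mail/access
define(`confPRIVACY_FLAGS', `goaway,restrictqrun,restrictmailq')dnl
define(`confBAD_RCPT_THROTTLE', `3')dnl
```

Regenerate sendmail.cf from the .mc file with the m4 invocation your install uses and restart sendmail. With BadRcptThrottle set, once more than that many recipients in one SMTP transaction have been rejected as invalid, sendmail sleeps for a second after every further RCPT command in that transaction, which is the slowdown Tom describes; `goaway` in the privacy flags is what switches off EXPN and VRFY.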
