I'm noticing that the port du jour is TCP 25 -- anyone heard what exploit
these kiddies are looking for?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net

seen nothing on bugtraq/vulnwatch/vulnedv/incidents...

----- Original Message -----
From: Tom Eastep <teastep@ursa.shorewall.net>
To: Users <shorewall-users@shorewall.net>
Sent: Thursday, August 22, 2002 4:40 AM
Subject: [Shorewall-users] SMTP Exploits?

> I'm noticing that the port du jour is TCP 25 -- anyone heard what exploit
> these kiddies are looking for?
>
> -Tom

Probably spammers

/m

Tom Eastep wrote:
>
> I'm noticing that the port du jour is TCP 25 -- anyone heard what exploit
> these kiddies are looking for?
>
> -Tom

On Thursday 22 August 2002 06:47 am, Magnus Stenman wrote:
> Probably spammers
>

I think this is something different. From "shorewall hits":

   HITS   PORT   SERVICE(S)
   ----   -----  ----------
    844      25  smtp
     75      80  http
     33      21  ftp
     19    1080  socks
     16     111  sunrpc
     13     500  isakmp
     13     137  netbios-ns
      9    8080  webcache
      8     445  microsoft-ds
      8    3128  squid
      8      22  ssh
      6      81
      6     139  netbios-ssn
      4   50388
      3      53  domain
      2   54086
      2   43053
      2   32768
      1    1551

I don't log MS Sql Server hits.

From my mail server log summary:

   Relay access denied
      2   222.333.444.555
      1   666.777.888.999

So I got 844 connection attempts against the 4 IP addresses that don't have
SMTP servers, yet I get only three relay attempts and no discernible increase
in the amount of SPAM on the one address that does run an SMTP server.

Steve Cowles has suggested that they may be looking to exploit the buffer
overrun in the DNS resolver library that is described in CERT advisory
CA-2002-19.

-Tom

On Thursday 22 August 2002 08:10 am, Tom Eastep wrote:
> On Thursday 22 August 2002 06:47 am, Magnus Stenman wrote:
> > Probably spammers
>
> I think this is something different. From "shorewall hits"
>
>
>    HITS   PORT   SERVICE(S)
>    ----   -----  ----------
>     844      25  smtp

Duh!!!

I have been attempting to emerge from the Dark Ages WRT my mailer (Pine), so
I've been using Kmail for several days. I had (mis-)configured it to use
teastep@ursa.shorewall.net as my email address. That's been fixed for a
couple of days, but there are a lot of replies to posts that I sent with the
wrong address still floating around.

I've reconfigured Shorewall to redirect to my SMTP server and I've
reconfigured postfix to pass these posts on to me.

-Tom

On Saturday 24 August 2002 05:21 am, Kenneth Jacker wrote:
> At some time I need to write to you
> and/or the list re your suggestion to add 'dhcp' to the "interface"
> line to avoid all the DHCP logging. It didn't work! More later ...

Crap -- you're right!!! I'll fix ASAP....

-Tom