
Re: Attempt on smtpd / faking remote ip



Hi!

It looks like your friend is trying to inject packets into your smtp with faked (spoofed) ips. In this particular case he sends as "localhost". I guess he does sequence-number guessing, so he assumes there is a running connection and if he hits the sequence, he may do nasty things with your postfix. Furthermore I guess it's not a spammer, this would be too inefficient. It's more likely that he tries to overflow postfix (improbable) or procmail (suid root? postfix in chroot?) or your viruskiller or or or ..... Another possibility is that you have an http-server with a "formmail" on this box. Mail via this form comes from localhost. It's a usual manner for spammers to exploit self-written mailforms by putting new header lines (To and CC) into the subject line of the form. (I had a case where they even put multipart-mime into the body ..woah..) You would see that in the http log (check!)

But in your case it really looks like someone trying to bind a shell via smtp and then connecting immediately to it. How can we be sure that the reporting "ssh" in your logfile is _your_ ssh and not a freshly bound one?
(I don't know, anyone ideas?)

I don't want to spread fear, so
1.) Boot superrescue, knoppix or so
2.) Run chkrootkit (the deb package is mostly a little old)
3.) If you run chkrootkit on Debian, chkrootkit reports one false positive! (AFAIR it was lkm rootkit, debian reports some ps processes too many, bug/incompatibility in the ps command)

Rgds,
j.


--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331

http://www.net-lab.net



Andreas Vent-Schmidt wrote:
Hi folks,

today I got some strange messages in the log files. It's a quite usual woody box (apache, some (about 15) POP accounts, no smtp relaying, no ftp accounts, nothing exciting) with postfix installed from a .deb package.

###################### snip #####################
Apr 4 07:11:15 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:15 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:15 [myhostname] sshd[11733]: Did not receive identification string from 213.39.138.95
Apr 4 07:11:15 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:21 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
Apr 4 07:11:21 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
Apr 4 07:11:21 [myhostname] sshd[11735]: Did not receive identification string from 213.39.138.95
Apr 4 07:11:21 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
###################### snip #####################

(The "[myhostname]" entries are replacements made by me here for privacy reasons. There originally was the real hostname.)

Who the hell may connect from localhost and lose the connection but a local user?
But there is no (or shouldn't be any) local user.

Is it possible to fake smtpd about the client's ip? I think the guy from 213.39.138.95 is the same as the one in the first few lines, and he/she isn't really from localhost (I hope so), but fakes smtpd into thinking so. Am I right?

Or do I have to worry about some rootkit or anything similar?

Thanks in advance!

Andreas
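The log excerpt above shows smtpd dropping "localhost" clients in the same second that a remote host probes sshd without sending a banner. The following is an added example (not part of this thread) that parses such syslog lines and reports the seconds where both events coincide, which is the first thing to check before worrying about a rootkit; the log sample inside is constructed to mirror the quoted lines, with the hostname replaced by a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the lines quoted in the thread; "host" stands in for the real hostname.
SAMPLE_LOG = """\
Apr 4 07:11:15 host postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:15 host postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:15 host sshd[11733]: Did not receive identification string from 213.39.138.95
Apr 4 07:11:15 host postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:21 host postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
Apr 4 07:11:21 host sshd[11735]: Did not receive identification string from 213.39.138.95
Apr 4 09:30:02 host postfix/smtpd[12001]: connect from mail.example.org[192.0.2.10]
"""

# Classic syslog layout: "<Mon> <day> <HH:MM:SS> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[\w/]+)\[\d+\]: (?P<msg>.*)$')
SMTPD_LOST_RE = re.compile(r'lost connection after CONNECT from \S+\[(?P<ip>[\d.]+)\]')
SSHD_NOID_RE = re.compile(r'Did not receive identification string from (?P<ip>[\d.]+)')


def parse(log_text):
    """Yield (timestamp, program, message) for each well-formed syslog line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group('ts'), m.group('prog'), m.group('msg')


def correlate(log_text):
    """Group events by second. Returns {ts: {'smtpd': [client ips], 'sshd': [client ips]}}
    restricted to seconds in which smtpd dropped a client AND sshd saw a banner-less peer."""
    events = defaultdict(lambda: {'smtpd': [], 'sshd': []})
    for ts, prog, msg in parse(log_text):
        if prog == 'postfix/smtpd':
            m = SMTPD_LOST_RE.search(msg)
            if m:
                events[ts]['smtpd'].append(m.group('ip'))
        elif prog == 'sshd':
            m = SSHD_NOID_RE.search(msg)
            if m:
                events[ts]['sshd'].append(m.group('ip'))
    return {ts: e for ts, e in events.items() if e['smtpd'] and e['sshd']}


def loopback_drops_with_remote_sshd(log_text):
    """The exact pattern the poster asked about: smtpd reports a dropped 'localhost' client in
    the same second a non-loopback address hits sshd. Returns the sorted list of timestamps."""
    return sorted(ts for ts, e in correlate(log_text).items()
                  if '127.0.0.1' in e['smtpd'] and any(ip != '127.0.0.1' for ip in e['sshd']))
```

Feed `correlate()` the real mail.log and compare the reported seconds against what is listening on 25 and 22 (`netstat -tlnp` or `ss -tlnp`) to confirm the sshd entries belong to your own daemon.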



