Re: Attempt on smtpd / faking remote ip
Hi!
It looks like your friend is trying to inject packets into your smtp with
faked (spoofed) ips. In this particular case he sends as "localhost".
I guess he does sequence-number guessing, so he assumes there is a
running connection and if he hits the sequence, he may do nasty things
with your postfix. Furthermore I guess it's not a spammer, this would be
too inefficient. It's more likely that he tries to overflow postfix
(improbable) or procmail (suid root? postfix in chroot?) or your
viruskiller or or or .....
Another possibility is that you have an http-server with a "formmail" on
this box. Mail via this form comes from localhost. It's a usual manner
of spammers to exploit self-written mailforms by putting new header
lines (To and CC) into the subject line of the form. (I had a case where
they even put multipart-mime into the body ..woah..) You would see that
in the http log (check!)
But in your case it really looks like someone trying to bind a shell via
smtp and then connecting immediately to it. How can we be sure that the
reporting "ssh" in your logfile is _your_ ssh and not a freshly bound one?
(I don't know, anyone any ideas?)
I don't want to spread fear, so
1.) Boot superrescue, knoppix or so
2.) Run chkrootkit (deb package is mostly a little old)
3.) If you run chkrootkit on Debian, chkrootkit reports one false
positive! (AFAIR it was lkm rootkit, debian reports some ps processes
too many, bug/incompatibility in ps command)
Rgds,
j.
--
Andreas John
net-lab GmbH
Luisenstrasse 30b
63067 Offenbach
Tel: +49 69 85700331
http://www.net-lab.net
Andreas Vent-Schmidt wrote:
Hi folks,
today I got some strange messages in the log files. It's a quite usual
woody box (apache, some (about 15) POP accounts, no smtp relaying, no
ftp accounts, nothing exciting) with postfix installed from .deb package.
###################### snip #####################
Apr 4 07:11:15 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:15 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:15 [myhostname] sshd[11733]: Did not receive identification string from 213.39.138.95
Apr 4 07:11:15 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:21 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
Apr 4 07:11:21 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
Apr 4 07:11:21 [myhostname] sshd[11735]: Did not receive identification string from 213.39.138.95
Apr 4 07:11:21 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
###################### snip #####################
(The "[myhostname]" entries are replacements made by me here for privacy
reasons. There originally was the real hostname.)
Who the hell may connect from localhost and lose connection but a local
user?
But, there is no (shouldn't be) any local user.
Is it possible to fake smtpd about the client's ip? I think, the guy
from 213.39.138.95 is the same as the one in the first few lines, and
he/she isn't really from localhost (I hope so), but tricks smtpd into
thinking so. Am I right?
Or do I have to worry about some rootkit or anything similar?
Thanks in advance!
Andreas
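The thread turns on reading the quoted syslog excerpt carefully: which process logged what, from which address, how close together in time, and whether the PIDs were handed out back to back. The following script is an added example written for this page, not code from either poster or from Postfix or Debian. It parses syslog lines of the kind quoted above (the sample is constructed from those entries; the hostname "myhost" and the last line are placeholders), pulls out the Postfix "lost connection after CONNECT" events and the sshd "Did not receive identification string" events, and correlates them per remote address within a time window. It does not decide the spoofing question the original poster asks; it only makes the coincidence that Andreas John points at (localhost connects alongside a remote host probing ssh and smtp, with neighbouring PIDs) explicit and countable, which is the first thing a defender wants before booting a rescue disk.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample, modelled on the entries quoted in the thread.
# "myhost" stands in for the real hostname; the final line is a made-up
# ordinary connection so that the parser sees an event it must ignore.
SAMPLE_LOG = """\
Apr  4 07:11:15 myhost postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr  4 07:11:15 myhost postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr  4 07:11:15 myhost sshd[11733]: Did not receive identification string from 213.39.138.95
Apr  4 07:11:15 myhost postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr  4 07:11:21 myhost postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
Apr  4 07:11:21 myhost postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
Apr  4 07:11:21 myhost sshd[11735]: Did not receive identification string from 213.39.138.95
Apr  4 07:11:21 myhost postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
Apr  4 09:30:02 myhost postfix/smtpd[12001]: connect from mail.example.net[192.0.2.10]
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Postfix logs the peer as name[address]; the address is what the socket reported.
SMTPD_LOST_RE = re.compile(
    r"lost connection after (?P<stage>\S+) from (?P<name>\S+)\[(?P<ip>[0-9.]+)\]"
)
SSHD_NOID_RE = re.compile(r"Did not receive identification string from (?P<ip>[0-9.]+)")


@dataclass
class Event:
    ts: float            # seconds relative to a fixed origin (syslog lines carry no year)
    prog: str
    pid: int
    kind: str            # "smtpd_lost", "sshd_noid" or "other"
    ip: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Turn one syslog line into an Event, classifying the two message types we care about."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['time']}", "%b %d %H:%M:%S")
    ts = (stamp - datetime(1900, 1, 1)).total_seconds()
    kind, ip = "other", None
    if m["prog"] == "postfix/smtpd":
        lost = SMTPD_LOST_RE.search(m["msg"])
        if lost:
            kind, ip = "smtpd_lost", lost["ip"]
    elif m["prog"] == "sshd":
        noid = SSHD_NOID_RE.search(m["msg"])
        if noid:
            kind, ip = "sshd_noid", noid["ip"]
    return Event(ts, m["prog"], int(m["pid"]), kind, ip)


def parse_log(text: str) -> List[Event]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


@dataclass
class Finding:
    remote_ip: str
    sshd_probes: int = 0          # sshd connections that sent no banner
    smtp_drops_same_ip: int = 0   # smtpd CONNECT-then-drop from the same remote address
    smtp_drops_localhost: int = 0 # smtpd CONNECT-then-drop from 127.0.0.0/8 in the same window
    pid_adjacent: bool = False    # an smtpd PID differs by one from an sshd PID (spawned together)


def correlate(events: List[Event], window: float = 10.0) -> Dict[str, Finding]:
    """For each remote address that probed sshd, count smtpd drops within `window` seconds."""
    probes_all = [e for e in events if e.kind == "sshd_noid"]
    smtp_lost = [e for e in events if e.kind == "smtpd_lost"]
    findings: Dict[str, Finding] = {}
    for ip in sorted({e.ip for e in probes_all}):
        probes = [e for e in probes_all if e.ip == ip]
        near = [s for s in smtp_lost if any(abs(s.ts - p.ts) <= window for p in probes)]
        findings[ip] = Finding(
            remote_ip=ip,
            sshd_probes=len(probes),
            smtp_drops_same_ip=sum(1 for s in near if s.ip == ip),
            smtp_drops_localhost=sum(1 for s in near if s.ip.startswith("127.")),
            pid_adjacent=any(abs(s.pid - p.pid) == 1 for s in near for p in probes),
        )
    return findings


def report(findings: Dict[str, Finding]) -> List[str]:
    """One human-readable line per remote address; loopback drops get flagged for follow-up."""
    lines = []
    for f in findings.values():
        flag = " <-- check what on this host connects to smtpd from loopback" if f.smtp_drops_localhost else ""
        lines.append(f"{f.remote_ip}: sshd no-banner={f.sshd_probes} smtpd drops same-ip={f.smtp_drops_same_ip} "
                     f"smtpd drops loopback={f.smtp_drops_localhost} pid-adjacent={f.pid_adjacent}{flag}")
    return lines


if __name__ == "__main__":
    for line in report(correlate(parse_log(SAMPLE_LOG))):
        print(line)
```

Run it on a real mail log by replacing SAMPLE_LOG with the file contents. The `pid_adjacent` flag is only a hint: Postfix keeps one smtpd process around to serve several connections (the same 11734 appears on every smtpd line above) while sshd forks a child per connection, so an smtpd PID sitting between two sshd PIDs says the smtpd instance was started at the same moment as the probing, nothing more. The loopback address in a Postfix log is the address of the accepted socket's peer, so the useful follow-up on a flagged host is to find which local process (a web form mailer, a proxy, a scanner) opened those connections, which is exactly the formmail hypothesis raised in the reply.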