Re: Vulnerabilities found by Nessus



On Tue, Oct 15, 2002 at 02:11:51PM +0200, Kjetil Kjernsmo wrote:
> On Tuesday 15 October 2002 13:59, Javier Fernández-Sanguino Peña wrote:
> >         Try to reproduce this behavior. You can launch the attacks
> > manually using 'nasl name-of-the-script' and trace the mail server to
> > see if it really breaks. If it does: report upstream, if it doesn't
> > then it's a bug in the plugin: report to the nessus development team.
> 
> Uh-oh, slowly now, I'm a complete newbie in these things... :-) 
> How do I see if it breaks?  

Ok. If you trace the mail daemon with:

$ strace -f -p process_id_mail

(process_id_mail is retrieved using 'ps -ef |grep name_of_mail_server')

You will be able to see what's happening. If it dumps core (overflow) you
will see it in the strace output (how do the children exit?). You can
also probably test it through:

$ perl -e 'print "EHLO ", "a" x 500, "\r\n";' | nc localhost 25
(nc is 'netcat')

Regarding the other vulnerability, you should see if the system is running
out of file descriptors. See if, during the attack, 'netstat -an' returns
a huge number of open connections to port 25. All systems are vulnerable
to file descriptor exhaustion unless you configure limits. 

You might want to take a look at Bastille-linux (there is a Debian package
for it) on how to configure some of this stuff automatically. You should
also read the "Debian Securing Manual" for more in-depth information.

	Regards

	Javi

Attachment: pgp6bhnl0ePv9.pgp
Description: PGP signature
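The two checks Javi describes above (did a child of the mail daemon die on a signal, and is the server piling up connections on port 25) can be turned into small shell helpers. The script below is an added example, not part of the original mail or of Nessus; the strace and netstat output it parses is constructed for illustration, and on a real host you would feed it `strace -f -p PID 2>&1` and `netstat -an` instead.

```sh
#!/bin/sh
# Added example, not from the original mail. Two checks for the questions
# raised above: did a child of the mail daemon die on a signal (strace output),
# and is the server accumulating connections on port 25 (netstat -an output)?
# Both sample outputs below are constructed, not captured from a real host.

# Constructed strace -f output: one child is killed by SIGSEGV, another exits cleanly.
SAMPLE_STRACE='[pid  4242] read(6, "EHLO aaaaaaaaaaaaaaaaaaaaaaaa"..., 4096) = 505
[pid  4242] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
[pid  4242] +++ killed by SIGSEGV (core dumped) +++
[pid  4243] exit_group(0)                = ?
[pid  4243] +++ exited with 0 +++'

# Constructed netstat -an output: a listener, three client connections on 25, one on 22.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:25           198.51.100.7:40210      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:40211      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:40212      SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.5:51000       ESTABLISHED'

# killed_children: reads strace -f output on stdin and prints how many traced
# processes were terminated by a signal ("+++ killed by SIG... +++").
# A clean exit shows up as "+++ exited with N +++" and is not counted.
killed_children() {
    awk 'index($0, "+++ killed by SIG") { n++ } END { print n + 0 }'
}

# port_connections PORT: reads netstat -an output on stdin and prints the
# number of TCP entries whose local port is PORT, excluding the LISTEN socket.
# The local address is field 4 and the port is whatever follows the last colon,
# so IPv6 addresses with several colons are handled too.
port_connections() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($4, addr, ":")
            if (addr[n] == port) c++
        }
        END { print c + 0 }'
}

# fd_pressure USED LIMIT: succeeds (exit 0) when USED is at or above 90% of
# LIMIT, i.e. the process is close to running out of file descriptors.
fd_pressure() {
    [ "$2" -gt 0 ] && [ $(( $1 * 100 / $2 )) -ge 90 ]
}

# fd_usage PID: on Linux, prints "USED SOFT_LIMIT" for a live process by
# counting /proc/PID/fd entries and reading the "Max open files" soft limit.
fd_usage() {
    used=$(ls /proc/"$1"/fd 2>/dev/null | wc -l | tr -d ' ')
    limit=$(awk '/^Max open files/ { print $4 }' /proc/"$1"/limits 2>/dev/null)
    echo "$used ${limit:-0}"
}

# Usage on the constructed samples; on a real host pipe in
# `strace -f -p PID 2>&1` and `netstat -an` instead.
echo "children killed by a signal: $(printf '%s\n' "$SAMPLE_STRACE" | killed_children)"
echo "connections on port 25:      $(printf '%s\n' "$SAMPLE_NETSTAT" | port_connections 25)"
```

Run it once before the Nessus scan and once during it: a non-zero count from killed_children confirms the crash the plugin reports, and a jump in port_connections together with fd_pressure succeeding on the daemon's `fd_usage` figures points at descriptor exhaustion rather than a plugin false positive.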