Hi Parker,

> Nov  5 23:02:38 bluebird sendmail[16695]: hA642aR16695: POSSIBLE ATTACK
> from ANantes-106-1-18-206.w81-49.abo.wanadoo.fr: newline in string
> "geqigpuayu^M "
>
> ...but of course, the IP/hostname changes nearly every time. There's no
> consistent pattern.
>
> I'd say these have gone from one per week to fifteen or twenty per day
> over the course of the last week. Is anyone else seeing this?

No, I haven't seen these in quite a while. As far as I know it targets a pretty old vulnerability - not even one of the three recently detected ones. I think this one was discovered back in 1995 and since then this logging mechanism is part of Sendmail.

The logging in specific is generated by sendmail/util.c and is part of the stock Sendmail-8.10.2 code. The input parser of Sendmail checks if there are newline characters in places where there should be none. If a string that is too long is received, then it is shortened. If a newline is added where there should be none, then the input is truncated, too, and the above warning appears in the maillog.

If you don't have French customers, then you might possibly consider blocking wanadoo.fr in general - although that's a bit drastic. But as far as I can tell the Sendmail you have should reasonably protect you against this exploit.

OTOH in regards to attacks: In the last couple of days I've heard from multiple people (and had to endure these scans myself) that there are currently tons of automated scans against FTP - with the username admin. These scans seem to be automated and appear to go to multiple IP addresses in the same subnet at the same time.

So a quick reminder to all with easy-to-guess or dictionary-based admin passwords: Change your admin password to something at least 8 characters long, mix upper case and lower case and throw in some letters and special characters.

--
With best regards,
Michael Stauber

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
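To check from the maillog itself whether these warnings are increasing and whether they cluster on one provider, the following added example (not part of the original message and not Sendmail code) counts the "POSSIBLE ATTACK ... newline in string" entries per day and per sending domain. It assumes each entry sits on a single line in the log; every sample line except the first is constructed, with `example.net` hosts and made-up queue IDs.

```python
import re
from collections import Counter, defaultdict

# Matches the sendmail syslog entry quoted in the thread. Assumption: the
# whole entry is one line in maillog (the e-mail quoting wrapped it).
ATTACK_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+'
    r'(?P<host>\S+)\s+sendmail\[(?P<pid>\d+)\]:\s+(?P<qid>\w+):\s+'
    r'POSSIBLE ATTACK from (?P<src>\S+?): newline in string "(?P<data>.*)"\s*$'
)

def summarize(lines):
    """Return (events per day, distinct sources per day, events per domain)."""
    per_day = Counter()
    sources = defaultdict(set)
    per_domain = Counter()
    for line in lines:
        m = ATTACK_RE.match(line)
        if not m:
            continue  # ordinary mail traffic or another daemon
        day = f"{m['mon']} {int(m['day']):2d}"  # syslog style, e.g. "Nov  5"
        src = m['src'].lower()
        per_day[day] += 1
        sources[day].add(src)
        if re.fullmatch(r'\[?[\d.]+\]?', src):
            key = src  # bare IP address: keep whole
        else:
            # Last two labels as a rough grouping key (not a public-suffix lookup)
            key = '.'.join(src.split('.')[-2:])
        per_domain[key] += 1
    return per_day, {d: len(s) for d, s in sources.items()}, per_domain

# First line is the entry from the thread; the rest are constructed samples.
SAMPLE = [
    'Nov  5 23:02:38 bluebird sendmail[16695]: hA642aR16695: POSSIBLE ATTACK '
    'from ANantes-106-1-18-206.w81-49.abo.wanadoo.fr: newline in string "geqigpuayu^M "',
    'Nov  5 23:40:11 bluebird sendmail[16702]: hA64eBR16702: POSSIBLE ATTACK '
    'from host1.example.net: newline in string "abc^M "',
    'Nov  6 00:15:09 bluebird sendmail[16810]: hA65F9R16810: POSSIBLE ATTACK '
    'from host2.example.net: newline in string "xyz^M "',
    'Nov  6 00:16:00 bluebird sendmail[16811]: hA65G0R16811: '
    'from=<user@example.org>, size=1204, nrcpts=1',
]

if __name__ == "__main__":
    per_day, distinct, per_domain = summarize(SAMPLE)
    for day in per_day:
        print(day, per_day[day], "events from", distinct[day], "sources")
    print(per_domain.most_common(5))
```

A per-domain count dominated by one provider supports a targeted block; a flat spread across many domains means a domain-wide block would achieve little.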
