Re: [newbie] PLEASE! What do these log entries mean?!?

1999-09-23 Thread Richard Adams

On Wed, 22 Sep 1999, you wrote:
 I have found that people unknown are attacking my linux box!  The following
 entries were found in maillog:
 
 Sep 15 07:09:07 C287853-A sendmail[1979]: NOQUEUE: [157.89.64.77]: VRFY
 guest
 Sep 15 07:09:07 C287853-A sendmail[1980]: NOQUEUE: [157.89.64.77]: VRFY
 decode
 Sep 15 07:09:07 C287853-A sendmail[1981]: NOQUEUE: [157.89.64.77]: VRFY bbs
 Sep 15 07:09:07 C287853-A sendmail[1982]: NOQUEUE: [157.89.64.77]: VRFY lp
 Sep 15 07:09:07 C287853-A sendmail[1983]: NOQUEUE: [157.89.64.77]: VRFY
 uudecode
 Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "wiz" command from
 [157.89.64.77] (157.89.64.77)
 Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "debug" command from
 [157.89.64.77] (157.89.64.77)
 
 (WHAT THE HELL IS THE "WIZ" COMMAND.  AND THE "DEBUG" COMMAND!!
 
 Please!  If anyone knows what this jerk is trying to do and How I can stop
 him PLEASE let me know!

This looks to me like someone has connected to port 25 (sendmail
port) with telnet and is issuing commands, which should do no harm
judging by the commands he tried.

do nslookup IP# to see what his domain is.


 Thanks.
--
Regards Richard
[EMAIL PROTECTED]



RE: Re: [newbie] PLEASE! What do these log entries mean?!?

1999-09-23 Thread peter . schawacker


RE: RE: [newbie] PLEASE! What do these log entries mean?!?

1999-09-23 Thread peter . schawacker


Re: [newbie] PLEASE! What do these log entries mean?!?

1999-09-23 Thread John Aldrich

On Wed, 22 Sep 1999, you wrote:
 how do you find this info?  is there a command (or service) that will
 give you this info about an ip?
 
From a console prompt (as I said in another message on the
list G) type "whois ipaddress@whois.arin.net". If it's
not a US/North American IP address, it should say which
country it's from, and based on that you can re-try your
whois query with whois.apnic.net for Asia-Pacific IP
addresses and whois.ripe.net for Atlantic/European
addresses.
John



Re: [newbie] PLEASE! What do these log entries mean?!?

1999-09-22 Thread Ripcrd6

Please only start one thread on a subject.   Did you see what Steve Philip
wrote?  He said turn off Sendmail for a starter.   Please listen and don't
panic.
If you don't know how to shut off sendmail, from command line type "setup"
and choose "system services" from the menu.   Then uncheck the sendmail
daemon in the list of service launched at startup.   You may need to
restart or kill the sendmail daemon next.
I believe you can "psaux" from command line to show all processes running
and look for the ID number of the sendmail daemon.   Then issue the
"kill -sendmail ID#" and I think this will do it.
Brian
P.S.  I'm new too, but I read a lot before I started surfing as root and
allowed someone to "get root"
Good Luck

-Original Message-
From: Eric L. Damron 


I have found that people unknown are attacking my linux box!  The
following
entries were found in maillog:

snip horrible whining sound

Please!  If anyone knows what this jerk is trying to do and How I can stop
him PLEASE let me know!

Thanks.



Re: [newbie] PLEASE! What do these log entries mean?!?

1999-09-22 Thread Axalon Bloodstone

On Wed, 22 Sep 1999, Eric L. Damron wrote:

 I have found that people unknown are attacking my linux box!  The following
 entries were found in maillog:
 
 Sep 15 07:09:07 C287853-A sendmail[1979]: NOQUEUE: [157.89.64.77]: VRFY
 guest
 Sep 15 07:09:07 C287853-A sendmail[1980]: NOQUEUE: [157.89.64.77]: VRFY
 decode
 Sep 15 07:09:07 C287853-A sendmail[1981]: NOQUEUE: [157.89.64.77]: VRFY bbs
 Sep 15 07:09:07 C287853-A sendmail[1982]: NOQUEUE: [157.89.64.77]: VRFY lp
 Sep 15 07:09:07 C287853-A sendmail[1983]: NOQUEUE: [157.89.64.77]: VRFY
 uudecode
 Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "wiz" command from
 [157.89.64.77] (157.89.64.77)
 Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "debug" command from
 [157.89.64.77] (157.89.64.77)
 
 (WHAT THE HELL IS THE "WIZ" COMMAND.  AND THE "DEBUG" COMMAND!!
 
 Please!  If anyone knows what this jerk is trying to do and How I can stop
 him PLEASE let me know!
 
 Thanks.
 

ipchains -I input -s 157.89.64.77/0 -d 0/0 -j REJECT 


--
MandrakeSoft  http://www.mandrakesoft.com/
--Axalon



Re: [newbie] PLEASE! What do these log entries mean?!?

1999-09-22 Thread Eric L. Damron

Ripcrd6,

Although my last post concerns the same problem it also contains new
information.  I want to know what this guy did on my server.  Turning off
sendmail forever isn't an option.  And I have never "serfed as root."  So
please, If you have nothing positive to add then don't respond.

Thank you
-Original Message-
From: Ripcrd6 [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Wednesday, September 22, 1999 1:11 PM
Subject: Re: [newbie] PLEASE! What do these log entries mean?!?


Please only start one thread on a subject.   Did you see what Steve Philip
wrote?  He said turn off Sendmail for a starter.   Please listen and don't
panic.
If you don't know how to shut off sendmail, from command line type "setup"
and choose "system services" from the menu.   Then uncheck the sendmail
daemon in the list of service launched at startup.   You may need to
restart or kill the sendmail daemon next.
I believe you can "psaux" from command line to show all processes running
and look for the ID number of the sendmail daemon.   Then issue the
"kill -sendmail ID#" and I think this will do it.
Brian
P.S.  I'm new too, but I read a lot before I started surfing as root and
allowed someone to "get root"
Good Luck

-Original Message-
From: Eric L. Damron 


I have found that people unknown are attacking my linux box!  The
following
entries were found in maillog:

snip horrible whining sound

Please!  If anyone knows what this jerk is trying to do and How I can stop
him PLEASE let me know!

Thanks.




Re: [newbie] PLEASE! What do these log entries mean?!?

1999-09-22 Thread Eric L. Damron

Thank You
-Original Message-
From: Axalon Bloodstone [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Wednesday, September 22, 1999 1:32 PM
Subject: Re: [newbie] PLEASE! What do these log entries mean?!?


On Wed, 22 Sep 1999, Eric L. Damron wrote:

 I have found that people unknown are attacking my linux box!  The
following
 entries were found in maillog:

 Sep 15 07:09:07 C287853-A sendmail[1979]: NOQUEUE: [157.89.64.77]: VRFY
 guest
 Sep 15 07:09:07 C287853-A sendmail[1980]: NOQUEUE: [157.89.64.77]: VRFY
 decode
 Sep 15 07:09:07 C287853-A sendmail[1981]: NOQUEUE: [157.89.64.77]: VRFY
bbs
 Sep 15 07:09:07 C287853-A sendmail[1982]: NOQUEUE: [157.89.64.77]: VRFY
lp
 Sep 15 07:09:07 C287853-A sendmail[1983]: NOQUEUE: [157.89.64.77]: VRFY
 uudecode
 Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "wiz" command from
 [157.89.64.77] (157.89.64.77)
 Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "debug" command from
 [157.89.64.77] (157.89.64.77)

 (WHAT THE HELL IS THE "WIZ" COMMAND.  AND THE "DEBUG" COMMAND!!

 Please!  If anyone knows what this jerk is trying to do and How I can
stop
 him PLEASE let me know!

 Thanks.


ipchains -I input -s 157.89.64.77/0 -d 0/0 -j REJECT


--
MandrakeSoft  http://www.mandrakesoft.com/
--Axalon




Re: [newbie] PLEASE! What do these log entries mean?!?

1999-09-22 Thread Ripcrd6

Shutting down the daemon temporarily would stop the abuse until a better
answer comes to the list.   I was helping in the way I knew, kill the
process.   I used the surf as root as an example.  It is the most common
thing new users do.   It was also the first security warning I read.
Probably the malicious person, if that is what is happening, knows of a
security hole in a package (an exploit) you have running on your system.
There are places to look for these exploits on a frequent basis, especially
if running a server of some kind.   After you shut down Sendmail I suggest
you browse these.
You may find the fix at Mandrake's security fix page.
Again, Good Luck
Brian
-Original Message-
From: Eric L. Damron 


Ripcrd6,

Although my last post concerns the same problem it also contains new
information.  I want to know what this guy did on my server.  Turning off
sendmail forever isn't an option.  And I have never "serfed as root."  So
please, If you have nothing positive to add then don't respond.

Thank you
-Original Message-
From: Ripcrd6 

Please only start one thread on a subject.   Did you see what Steve
Philip
wrote?  He said turn off Sendmail for a starter.   Please listen and
don't
panic.
snip





RE: Re: [newbie] PLEASE! What do these log entries mean?!?

1999-09-22 Thread peter . schawacker


Re: [newbie] PLEASE! What do these log entries mean?!?

1999-09-22 Thread Axalon Bloodstone


Even better would be to block incoming connections to sendmail's port
from anything but your ip (dunno which @home you're on)

On Wed, 22 Sep 1999, Eric L. Damron wrote:

 Thank You
 -Original Message-
 From: Axalon Bloodstone [EMAIL PROTECTED]
 To: [EMAIL PROTECTED] [EMAIL PROTECTED]
 Date: Wednesday, September 22, 1999 1:32 PM
 Subject: Re: [newbie] PLEASE! What do these log entries mean?!?
 
 
 On Wed, 22 Sep 1999, Eric L. Damron wrote:
 
  I have found that people unknown are attacking my linux box!  The
 following
  entries were found in maillog:
 
  Sep 15 07:09:07 C287853-A sendmail[1979]: NOQUEUE: [157.89.64.77]: VRFY
  guest
  Sep 15 07:09:07 C287853-A sendmail[1980]: NOQUEUE: [157.89.64.77]: VRFY
  decode
  Sep 15 07:09:07 C287853-A sendmail[1981]: NOQUEUE: [157.89.64.77]: VRFY
 bbs
  Sep 15 07:09:07 C287853-A sendmail[1982]: NOQUEUE: [157.89.64.77]: VRFY
 lp
  Sep 15 07:09:07 C287853-A sendmail[1983]: NOQUEUE: [157.89.64.77]: VRFY
  uudecode
  Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "wiz" command from
  [157.89.64.77] (157.89.64.77)
  Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "debug" command from
  [157.89.64.77] (157.89.64.77)
 
  (WHAT THE HELL IS THE "WIZ" COMMAND.  AND THE "DEBUG" COMMAND!!
 
  Please!  If anyone knows what this jerk is trying to do and How I can
 stop
  him PLEASE let me know!
 
  Thanks.
 
 
 ipchains -I input -s 157.89.64.77/0 -d 0/0 -j REJECT
 
 
 --
 MandrakeSoft  http://www.mandrakesoft.com/
 --Axalon
 
 
 

--
MandrakeSoft  http://www.mandrakesoft.com/
--Axalon



Re: [newbie] PLEASE! What do these log entries mean?!?

1999-09-22 Thread Steve Philp

"Eric L. Damron" wrote:
 
 I have found that people unknown are attacking my linux box!  The following
 entries were found in maillog:

Below are explanations of what the little cracker is trying to do...
 
 Sep 15 07:09:07 C287853-A sendmail[1979]: NOQUEUE: [157.89.64.77]: VRFY
 guest

Check to see if the 'guest' user exists.

 Sep 15 07:09:07 C287853-A sendmail[1980]: NOQUEUE: [157.89.64.77]: VRFY
 decode

Check to see if the 'decode' user exists.

 Sep 15 07:09:07 C287853-A sendmail[1981]: NOQUEUE: [157.89.64.77]: VRFY bbs

Check to see if the 'bbs' user exists.

 Sep 15 07:09:07 C287853-A sendmail[1982]: NOQUEUE: [157.89.64.77]: VRFY lp

Check to see if the 'lp' user exists.

 Sep 15 07:09:07 C287853-A sendmail[1983]: NOQUEUE: [157.89.64.77]: VRFY
 uudecode

Check to see if the 'uudecode' user exists.

 Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "wiz" command from
 [157.89.64.77] (157.89.64.77)

Check to see if you're running an  version of Sendmail that
understood the 'wiz' command -- it gave superuser permissions.  See the
O'Reilly Internet Security book for an explanation, it's got a safe on
the cover.

 Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "debug" command from
 [157.89.64.77] (157.89.64.77)

Check to see if another old version of Sendmail is running to exploit
the 'debug' command.  Again, I'd refer you to the O'Reilly text.
 
 (WHAT THE HELL IS THE "WIZ" COMMAND.  AND THE "DEBUG" COMMAND!!

Ancient Sendmail exploits. 
 
 Please!  If anyone knows what this jerk is trying to do and How I can stop
 him PLEASE let me know!

I wouldn't worry too much about this one.  It's a script kiddy that
doesn't even know enough to check how old his scripts are (some of those
bugs are likely older than the cracker!).

I _would_, of course, forward those log files to the ISP that hosts
157.89.64.77 (I'm not able to get it to resolve with either 'host' or
'whois', maybe you'll have better luck?)

-- 
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]
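Steve's line-by-line reading of the maillog can be turned into a small triage script. The following is an added example, not code from the thread or from Mandrake: it parses the seven entries quoted above (re-joined where the mail client wrapped them, plus one constructed ordinary delivery line so the filter has something to skip), groups the VRFY probes and the rejected "wiz"/"debug" commands by source address, and labels each source the way a responder would when deciding whether to forward the log to the ISP. The field layout assumed for normal delivery lines is the sendmail 8.x syslog format; the verdict labels and the threshold of three distinct VRFY targets are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input: the seven lines quoted in the thread, re-joined where
# the mail client wrapped them, plus one ordinary delivery line (constructed, not
# from the thread) that the probe filter must ignore.
SAMPLE_MAILLOG = """\
Sep 15 07:09:07 C287853-A sendmail[1979]: NOQUEUE: [157.89.64.77]: VRFY guest
Sep 15 07:09:07 C287853-A sendmail[1980]: NOQUEUE: [157.89.64.77]: VRFY decode
Sep 15 07:09:07 C287853-A sendmail[1981]: NOQUEUE: [157.89.64.77]: VRFY bbs
Sep 15 07:09:07 C287853-A sendmail[1982]: NOQUEUE: [157.89.64.77]: VRFY lp
Sep 15 07:09:07 C287853-A sendmail[1983]: NOQUEUE: [157.89.64.77]: VRFY uudecode
Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "wiz" command from [157.89.64.77] (157.89.64.77)
Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "debug" command from [157.89.64.77] (157.89.64.77)
Sep 15 09:12:44 C287853-A sendmail[2010]: JAA02010: from=<alice@example.org>, size=512, class=0, pri=30512, nrcpts=1, msgid=<x@example.org>, proto=SMTP, relay=mail.example.org [192.0.2.10]
"""

# NOQUEUE means sendmail answered (or refused) the command without creating a
# queue file: VRFY/EXPN probes and rejected wiz/debug/kill commands all log this way.
VRFY_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: '
    r'NOQUEUE: \[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: (?P<cmd>VRFY|EXPN) (?P<arg>\S+)$'
)
LEGACY_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: '
    r'NOQUEUE: "(?P<cmd>wiz|debug|kill)" command from \[(?P<ip>\d+\.\d+\.\d+\.\d+)\]'
)


def parse_events(log_text):
    """Return one dict per recognised probe line; delivery lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = VRFY_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "ip": m["ip"], "kind": "vrfy", "detail": m["arg"]})
            continue
        m = LEGACY_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "ip": m["ip"], "kind": "legacy", "detail": m["cmd"]})
    return events


def summarize(events, enum_threshold=3):
    """Group probes by source IP and attach a verdict a responder can act on.

    enum_threshold (an assumed value) is how many distinct VRFY targets from one
    address count as account enumeration rather than a stray lookup.
    """
    per_ip = defaultdict(lambda: {"vrfy_targets": [], "legacy_commands": []})
    for ev in events:
        bucket = per_ip[ev["ip"]]
        if ev["kind"] == "vrfy":
            bucket["vrfy_targets"].append(ev["detail"])
        else:
            bucket["legacy_commands"].append(ev["detail"])
    for bucket in per_ip.values():
        if bucket["legacy_commands"]:
            # wiz/debug only ever worked on very old sendmail; seeing them at all
            # means a canned exploit script, which is worth reporting upstream.
            bucket["verdict"] = "legacy-sendmail exploit probe"
        elif len(set(bucket["vrfy_targets"])) >= enum_threshold:
            bucket["verdict"] = "account enumeration"
        else:
            bucket["verdict"] = "isolated VRFY"
    return dict(per_ip)


if __name__ == "__main__":
    for ip, info in summarize(parse_events(SAMPLE_MAILLOG)).items():
        print(ip, "->", info["verdict"])
        print("  VRFY targets:   ", ", ".join(info["vrfy_targets"]))
        print("  legacy commands:", ", ".join(info["legacy_commands"]))
```

On the sample above the single source 157.89.64.77 gets the verdict "legacy-sendmail exploit probe", with five VRFY targets and the two rejected commands listed under it. The complementary mitigation on the sendmail side is to stop answering VRFY and EXPN altogether: in the m4 configuration, `define(`confPRIVACY_FLAGS', `goaway')` (or at minimum `novrfy,noexpn`) sets `PrivacyOptions` so the server refuses those commands, and any current sendmail already rejects "wiz" and "debug", as the NOQUEUE entries in the thread show.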



RE: [newbie] PLEASE! What do these log entries mean?!?

1999-09-22 Thread Ken Wilson

Eric,

I wouldn't say whoever it is has hacked your box, at least not yet.  But
it is evidence they tried.  It's not that hard, you just telnet to port
25 and manually feed it commands line by line.

Read up on sendmail, 'man sendmail' might be a start, and get a book on
Unix and Internet Security.  I have 'Practical Unix and Internet
Security' by Simson Garfinkel and Gene Spafford from O'Reilly.  It has
some interesting stuff on sendmail.  I used some of the stuff to test my
security.  Fortunately I found out my version of sendmail was current
enough not to respond to the commands 'wiz', 'debug' or 'kill'.

Sendmail is an all things to all people kind of mail daemon.  You might
want to check into alternate servers for your smtp needs.  Because of
its size and the workload it can handle sendmail can be a real dog to
configure properly.  I don't know how hard post is to configure but one
solution might be to switch to it.  I'm sure someone at Mandrake can
shed more light on the arguments for and against each of these daemons.

Ken Wilson
First Law of Optimization: The speed of a nonworking program is
irrelevant
(Steve Heller, 'Efficient C/C++ Programming')

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Eric L. Damron
 
 -Original Message-
 From: Eric L. Damron 
 
 
 I have found that people unknown are attacking my linux box!  The
 following
 entries were found in maillog:
 
 snip horrible whining sound
 
 Please!  If anyone knows what this jerk is trying to do and
 How I can stop
 him PLEASE let me know!
 
 Thanks.
 





RE: [newbie] PLEASE! What do these log entries mean?!?

1999-09-22 Thread Ken Wilson

Try doing 'nslookup 123.456.789.12'.  See if it resolves to anything you
can use.  Oh, substitute the ip address of the person who's been trying
to hack you for the one I got to lazy to make legitimate looking.

Ken Wilson
First Law of Optimization: The speed of a nonworking program is
irrelevant
(Steve Heller, 'Efficient C/C++ Programming')

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of pete moss
 Sent: Wednesday, September 22, 1999 7:40 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [newbie] PLEASE! What do these log entries mean?!?


 how do you find this info?  is there a command (or service) that will
 give you this info about an ip?

 :P_


 [EMAIL PROTECTED] wrote:
 
  You might want to contact the owner of the network from which this
  traffic originated.  It may give you some sense of
 satisfaction to know
  that the script-kiddie in question got nailed by his
 university.  Here's
  the contact information for 157.89.64.77.  Enjoy!
 
  Eastern Kentucky University (NET-EKU)
 Academic Computing Services
 Eastern Kentucky University
 Richmond, KY 40475-3111
 
 Netname: EKU
 Netnumber: 157.89.0.0
 
 Domain System inverse mapping provided by:
 
 ACS.EKU.EDU    157.89.8.64
 NCC.UKY.EDU    128.163.1.6
 
 Record last updated on 12-Apr-93.
 
  Registrant:
  Eastern Kentucky University (EKU-DOM)
 Academic Computing Services Combs
 Classroom Bldg Room 207
 Richmond, KY 40475-3111
 US
 
 Domain Name: EKU.EDU
 
 Administrative Contact:
Lane, Margaret  (CT152)  [EMAIL PROTECTED]
(606)622-1986
 Technical Contact, Zone Contact:
ALCORN, MELVIN  (MA172)  [EMAIL PROTECTED]
(606)622-1986
 Billing Contact:
Lane, Margaret  (CT152)  [EMAIL PROTECTED]
(606)622-1986
 
 Record last updated on 20-Aug-98.
 Record created on 22-Mar-93.
 Database last updated on 21-Sep-99 14:40:22 EDT.
 
  -Original Message-
  From: axalon [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, September 22, 1999 4:30 PM
  To: newbie
  Cc: axalon
  Subject: Re: Re: [newbie] PLEASE! What do these log entries mean?!?
 
  On Wed, 22 Sep 1999, Eric L. Damron wrote:
 
   I have found that people unknown are attacking my linux box!  The
  following
   entries were found in maillog:
  
   Sep 15 07:09:07 C287853-A sendmail[1979]: NOQUEUE: [157.89.64.77]:
  VRFY
   guest
   Sep 15 07:09:07 C287853-A sendmail[1980]: NOQUEUE: [157.89.64.77]:
  VRFY
   decode
   Sep 15 07:09:07 C287853-A sendmail[1981]: NOQUEUE: [157.89.64.77]:
  VRFY bbs
   Sep 15 07:09:07 C287853-A sendmail[1982]: NOQUEUE: [157.89.64.77]:
  VRFY lp
   Sep 15 07:09:07 C287853-A sendmail[1983]: NOQUEUE: [157.89.64.77]:
  VRFY
   uudecode
   Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "wiz"
 command from
   [157.89.64.77] (157.89.64.77)
   Sep 15 07:09:07 C287853-A sendmail[1977]: NOQUEUE: "debug" command
  from
   [157.89.64.77] (157.89.64.77)
  
   (WHAT THE HELL IS THE "WIZ" COMMAND.  AND THE "DEBUG" COMMAND!!
  
   Please!  If anyone knows what this jerk is trying to do
 and How I can
  stop
   him PLEASE let me know!
  
   Thanks.
  
 
  ipchains -I input -s 157.89.64.77/0 -d 0/0 -j REJECT
 
  --
  MandrakeSoft  http://www.mandrakesoft.com/
  --Axalon
 
 