[NTLUG:Discuss] alert from sendmail
Greg Edwards
greg at nas-inet.com
Sun Apr 25 21:40:58 CDT 2004
Tom McDonald wrote:
> On Sun, 25 Apr 2004 11:04:12 -0500
> Greg Edwards <greg at nas-inet.com> wrote:
>
>
>>Anyone know what this means? Found it in my log report.
>>
>>Active System Attack Alerts
>>=-=-=-=-=-=-=-=-=-=-=-=-=-=
>>Apr 24 20:00:32 mrytle sendmail[11148]: i3P10STn011148:
>>from=<mcKeell at attack.ru>, size=651, class=0, nrcpts=1,
>>msgid=<834a01c42a54$5dee0a3a$bea840ad at stagnum.fr>, proto=SMTP,
>>daemon=MTA, relay=[211.190.91.79]
>>
>>TIA,
>>--
>>Greg Edwards
>
>
> Greg,
>
> It looks like an attack alert from portsentry or maybe snort...
>
> The MX receiver is myrtle (probably where the attack alert originates),
> the from ID mckeell at attack.ru is a Joint "Stock Company in
> Togliatti, Russia" (whatever a Joint Stock Company is). Their whois has
> a comment of "High Tech Attack" in their description field, and
> the message was relayed from a site in Korea, probably an open
> relay for spammers.....
>
> No indication what the Attack Alert is for, I get about a million a day
> scanning ports 135 and 445 but both /var/log/messages and
> /var/log/mail/info tell me what the attack is, i.e portscan, login
> attempt, etc.
>
> If "Active System Attack Alerts" is in the body or subject of the
> message, then it's just a hook to get you to their site.
>
>
> Tom
>
> ----
>
> Tom McDonald <tom at compuclaim.com>
> Compuclaim Inc.
Tom,
This was in my daily log report. It came from mail/info and it was the
only entry related to this mail message. From everything I can find it
looks like sendmail generated the message. The log/messages, auth, etc.
log files don't show any other activity near the same time that could be
related.
--
Greg Edwards
Hosted Websites from New Age Software - http://www.nas-inet.com
Anime, Manga, Lady Amaya - http://roseofcreation.nas-inet.com
Coppell Texas - http://coppell.nas-inet.com
Software Engineering - http://consult.nas-inet.com
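Added example, not part of the thread above: a small parser for the sendmail envelope line Greg quoted, splitting it into its queue ID and key=value fields and pulling out the pieces a defender actually triages (sender domain, Message-ID domain, relay IP). The sample line is a constructed copy of the quoted one, joined back onto a single line and with the archive's "at" obfuscation restored to "@".

```python
import re
from typing import Dict

# Constructed from the log line quoted in the thread (sendmail writes it on
# one line; the mailing-list archive wrapped it and rewrote "@" as " at ").
SAMPLE_LINE = (
    "Apr 24 20:00:32 mrytle sendmail[11148]: i3P10STn011148: "
    "from=<mcKeell@attack.ru>, size=651, class=0, nrcpts=1, "
    "msgid=<834a01c42a54$5dee0a3a$bea840ad@stagnum.fr>, proto=SMTP, "
    "daemon=MTA, relay=[211.190.91.79]"
)

# syslog timestamp, host, "sendmail[pid]:", queue ID, then the envelope fields
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"sendmail\[(?P<pid>\d+)\]:\s(?P<qid>[A-Za-z0-9]+):\s(?P<rest>.*)$"
)
BRACKET_IP_RE = re.compile(r"\[([^\]]+)\]")


def parse_sendmail_from_line(line: str) -> Dict[str, str]:
    """Return the envelope line as a flat dict of field name -> value."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a sendmail 'from=' envelope line")
    fields = {k: m.group(k) for k in ("ts", "host", "pid", "qid")}
    for item in m.group("rest").split(", "):
        key, _, value = item.partition("=")
        if key == "relay":
            # sendmail logs "name [ip]" when the peer has a PTR record and
            # a bare "[ip]" when it does not; keep just the address.
            ip = BRACKET_IP_RE.search(value)
            fields["relay"] = ip.group(1) if ip else value
        else:
            fields[key] = value.strip("<>")
    return fields


def triage(fields: Dict[str, str]) -> Dict[str, object]:
    """Pull out the values worth looking up: sender domain, Message-ID
    domain, and the relay IP.  A Message-ID domain that differs from the
    sender domain is one of the cheap hints that the envelope is forged."""
    sender_domain = fields["from"].rpartition("@")[2].lower()
    msgid_domain = fields["msgid"].rpartition("@")[2].lower()
    return {
        "sender_domain": sender_domain,
        "msgid_domain": msgid_domain,
        "relay_ip": fields["relay"],
        "domains_match": sender_domain == msgid_domain,
    }
```

On the quoted line this yields sender domain attack.ru, Message-ID domain stagnum.fr and relay 211.190.91.79, which are the three values Tom's reply looked up by hand.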