Date:      Thu, 12 Aug 1999 18:54:16 -0600
From:      Brett Glass <brett@lariat.org>
To:        security@freebsd.org
Subject:   Another SMTP name-guessing attack
Message-ID:  <4.2.0.58.19990812185216.043c1160@localhost>

Yesterday, one of the hosts I administer was subjected to an account name guessing attack. The attack does not appear to have been mounted via a program previously mentioned on Bugtraq, but rather by a new program and/or by a homebrew script. Here's what the logs look like (I've changed the name of the host that was attacked, but nothing else):

Aug 11 21:15:54 myhost sendmail[5107]: VAA05107: <e2a2ae32g@myhost.com>... User unknown
Aug 11 21:15:54 myhost sendmail[5107]: VAA05107: from=<msilvert85@hotmail.com>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:01 myhost sendmail[5119]: VAA05119: <mark@myhost.com>... User unknown
Aug 11 21:16:01 myhost sendmail[5120]: VAA05120: <brian3@myhost.com>... User unknown
Aug 11 21:16:02 myhost sendmail[5119]: VAA05119: <mark1@myhost.com>... User unknown
Aug 11 21:16:02 myhost sendmail[5120]: VAA05120: <brian4@myhost.com>... User unknown
Aug 11 21:16:06 myhost sendmail[5120]: VAA05120: <brian5@myhost.com>... User unknown
Aug 11 21:16:07 myhost sendmail[5119]: VAA05119: <mark2@myhost.com>... User unknown
Aug 11 21:16:07 myhost sendmail[5126]: VAA05126: <smith@myhost.com>... User unknown
Aug 11 21:16:08 myhost sendmail[5126]: VAA05126: <smith1@myhost.com>... User unknown
Aug 11 21:16:10 myhost sendmail[5126]: VAA05126: <smith2@myhost.com>... User unknown
Aug 11 21:16:10 myhost sendmail[5135]: VAA05135: <wilson3@myhost.com>... User unknown
Aug 11 21:16:11 myhost sendmail[5137]: VAA05137: <me@myhost.com>... User unknown
Aug 11 21:16:11 myhost sendmail[5131]: VAA05131: <3@myhost.com>... User unknown
Aug 11 21:16:12 myhost sendmail[5132]: VAA05132: <anderson3@myhost.com>... User unknown
Aug 11 21:16:12 myhost sendmail[5126]: VAA05126: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:12 myhost sendmail[5131]: VAA05131: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:12 myhost sendmail[5137]: VAA05137: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:12 myhost sendmail[5138]: NOQUEUE: Null connection from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5135]: VAA05135: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5137]: VAA05137: from=<msilvert85@hotmail.com>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5131]: VAA05131: from=<msilvert85@hotmail.com>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5135]: VAA05135: from=<msilvert85@hotmail.com>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5126]: VAA05126: from=<msilvert85@hotmail.com>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5136]: VAA05136: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5136]: VAA05136: from=<msilvert85@hotmail.com>, size=0, class=0, pri=0, nrcpts=1, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5132]: VAA05132: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5132]: VAA05132: from=<msilvert85@hotmail.com>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5145]: NOQUEUE: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "220 myhost.myhost.com ESMTP Sendmail 8.9.3/8.9.3; Wed, 11 Aug 1999 21:16:13 -0600 (MDT)": Broken pipe
Aug 11 21:16:13 myhost sendmail[5145]: NOQUEUE: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "250 myhost.myhost.com Hello ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176], pleased to meet you": Broken pipe
Aug 11 21:16:13 myhost sendmail[5144]: NOQUEUE: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "220 myhost.myhost.com ESMTP Sendmail 8.9.3/8.9.3; Wed, 11 Aug 1999 21:16:13 -0600 (MDT)": Broken pipe
Aug 11 21:16:13 myhost sendmail[5144]: NOQUEUE: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "250 myhost.myhost.com Hello ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176], pleased to meet you": Broken pipe
Aug 11 21:16:13 myhost sendmail[5144]: NOQUEUE: Null connection from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5148]: NOQUEUE: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "220 myhost.myhost.com ESMTP Sendmail 8.9.3/8.9.3; Wed, 11 Aug 1999 21:16:13 -0600 (MDT)": Broken pipe
Aug 11 21:16:13 myhost sendmail[5148]: NOQUEUE: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "250 myhost.myhost.com Hello ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176], pleased to meet you": Broken pipe
Aug 11 21:16:13 myhost sendmail[5119]: VAA05119: SYSERR: putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net): error on output channel sending "550 <mark3@myhost.com>... User unknown": Broken pipe
Aug 11 21:16:13 myhost sendmail[5119]: VAA05119: <mark3@myhost.com>... User unknown

In short, it's guessing at common first and last names -- alone and with the digits 1 through 5 appended. It's making a separate connection for each name but is trying the combinations with appended digits on the same connection as the "bare" name. It doesn't seem to be sending more RCPT TO: commands until it receives the results of earlier ones, nor does it seem to send more than 6 commands per connection -- clearly an attempt to get by the preventive measures installed to defeat earlier scans of this kind.

Has anyone else seen this style of attack, or are we honored to be the first? Any ideas on how to patch Sendmail to thwart it? (FreeBSD's particular configuration for Sendmail seems particularly susceptible to this because it imposes a limit on connections; all legitimate mail stopped during the attack.)

--Brett Glass 
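One way an administrator could pick this pattern out of the sendmail log, as an added example that is not part of the original post or of Sendmail itself: it joins each "User unknown" rejection to the relay IP logged on the matching "from=" line (the rejection line carries only the queue id), then flags a source that spreads its probes across several short connections. The sample log lines, hostnames, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
# Sendmail 8.9 syslog: a 'User unknown' rejection names only the queue id; the relay
# IP appears later on the 'from=' line for that same id, so the two must be joined.
UNKNOWN_RE = re.compile(r"sendmail\[\d+\]: (\w+): <([^@>]+)@[^>]*>\.\.\. User unknown")
FROM_RE = re.compile(r"sendmail\[\d+\]: (\w+): from=.*relay=\S+ \[([\d.]+)\]")
# Constructed sample in the posted log's format, with documentation addresses.
SAMPLE_LOG = """\
Aug 11 21:16:01 myhost sendmail[5119]: VAA05119: <mark@myhost.com>... User unknown
Aug 11 21:16:02 myhost sendmail[5119]: VAA05119: <mark1@myhost.com>... User unknown
Aug 11 21:16:07 myhost sendmail[5119]: VAA05119: <mark2@myhost.com>... User unknown
Aug 11 21:16:13 myhost sendmail[5119]: VAA05119: from=<x@example.net>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=scanner.example.net [203.0.113.7]
Aug 11 21:16:07 myhost sendmail[5126]: VAA05126: <smith@myhost.com>... User unknown
Aug 11 21:16:08 myhost sendmail[5126]: VAA05126: <smith1@myhost.com>... User unknown
Aug 11 21:16:13 myhost sendmail[5126]: VAA05126: from=<x@example.net>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=scanner.example.net [203.0.113.7]
Aug 11 21:30:00 myhost sendmail[5200]: VAA05200: <typo@myhost.com>... User unknown
Aug 11 21:30:00 myhost sendmail[5200]: VAA05200: from=<alice@example.org>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=mail.example.org [192.0.2.10]
"""

def rejections_by_source(log_text):
    """Join each rejected local part to its relay IP through the queue id.
    Returns {relay_ip: {queue_id: [local_part, ...]}}."""
    relay_of, unknown = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            relay_of[m.group(1)] = m.group(2)
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            unknown[m.group(1)].append(m.group(2))
    by_source = defaultdict(dict)
    for qid, names in unknown.items():
        by_source[relay_of.get(qid, "unresolved")][qid] = names
    return by_source

def digit_suffix_variants(names):
    """Count names like mark1/mark2 whose bare form (mark) was also tried."""
    bare = {n for n in names if not n[-1].isdigit()}
    return sum(1 for n in names if n[-1].isdigit() and n.rstrip("0123456789") in bare)

def flag_name_guessers(log_text, min_rejects=4, min_connections=2):
    """Flag a relay spreading unknown-recipient probes over several short connections."""
    alerts = {}
    for ip, conns in rejections_by_source(log_text).items():
        names = [n for rcpts in conns.values() for n in rcpts]
        if len(names) >= min_rejects and len(conns) >= min_connections:
            alerts[ip] = {"connections": len(conns), "rejected": len(names),
                          "digit_variants": digit_suffix_variants(names)}
    return alerts
```

The thresholds are assumptions to be tuned against normal traffic; a single sender with one mistyped address is deliberately left unflagged.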

