Date: Fri, 17 Jan 2003 11:37:15 -0500
From: Jim Freeze
To: Bill Moran
Cc: FreeBSD Questions
Subject: Re: Possible attack?
Message-ID: <20030117113715.A9541@freeze.org>

On Friday, 17 January 2003 at 10:01:43 -0500, Bill Moran wrote:
> Jim Freeze wrote:
> > Hi:
> >
> > I got an interesting log report today.
> > Has anyone seen such messages lately?
> >
> > Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME
> > Content-Disposition header due to
> > field size (length = 25) (possible attack)
> > Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM
> > pD9E60C0F.dip.t-dialin.net
> > Jan 15 23:59:48 rabbit sm-mta[5210]: h0G4xkJI005209: Truncated MIME
> > Content-Disposition header due to
> > field size (length = 22) (possible attack)
>
> I've seen the "anonymous FTP denied" off and on. I think that some folks
> just randomly attempt to connect to any FTP server they find in the
> hopes that there's cool stuff there.
>
> The sm-mta Truncated MIME stuff isn't familiar to me, and it doesn't
> actually seem related (compare the times). Could be someone with a
> broken mailer? Or some sort of bogus MIME header that facilitates
> the propagation of some worm?
>
> It's probably a cheesy attempt at an "attack". But it's not blatant
> enough to do much more than note it in case something more serious
> goes wrong. If you don't have any clients that should be connecting
> from Deutsche Telekom, you can just firewall off that whole subnet.

Thanks all for the replies.
I accept the fact that I am going to get the FTP login attempts;
I just had never seen the "(possible attack)" in my logs.
I'm not sure I have anything worth the effort to attempt a break-in. :)

-- 
Jim Freeze
----------
Anyone who goes to a psychiatrist ought to have his head examined.
                -- Samuel Goldwyn
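
Added example, not part of the original message: a Python sketch of the "compare the times" check from the quoted reply, run over the three log lines from this thread with the mail client's line wrapping joined back. The function names, the 5-minute correlation window and the year 2003 (syslog timestamps carry no year) are assumptions.

```python
import re
from datetime import datetime, timedelta

# The three log lines quoted in the thread, re-joined onto single lines.
SAMPLE_LOG = """\
Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME Content-Disposition header due to field size (length = 25) (possible attack)
Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
Jan 15 23:59:48 rabbit sm-mta[5210]: h0G4xkJI005209: Truncated MIME Content-Disposition header due to field size (length = 22) (possible attack)
"""

SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([\w-]+)\[(\d+)\]: (.*)$")
TRUNCATED = re.compile(r"^(\w+): Truncated MIME (\S+) header due to field size "
                       r"\(length = (\d+)\) \(possible attack\)$")
FTP_REFUSED = re.compile(r"^ANONYMOUS FTP LOGIN REFUSED FROM (\S+)$")

def parse(text, year=2003):
    """Return one dict per recognised event; the year is assumed, not logged."""
    events = []
    for line in text.splitlines():
        m = SYSLOG.match(line.strip())
        if not m:
            continue
        stamp, host, prog, pid, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if prog == "sm-mta" and (t := TRUNCATED.match(msg)):
            events.append({"when": when, "kind": "mime_truncated",
                           "queue_id": t[1], "header": t[2], "length": int(t[3])})
        elif prog == "ftpd" and (f := FTP_REFUSED.match(msg)):
            events.append({"when": when, "kind": "ftp_anon_refused", "peer": f[1]})
    return events

def split(events):
    ftp = [e for e in events if e["kind"] == "ftp_anon_refused"]
    mail = [e for e in events if e["kind"] == "mime_truncated"]
    return ftp, mail

def correlated(events, window=timedelta(minutes=5)):
    """(ftp, mail) pairs logged within `window` of each other."""
    ftp, mail = split(events)
    return [(f, m) for f in ftp for m in mail if abs(f["when"] - m["when"]) <= window]

def nearest_gap(events):
    """Smallest time distance between any FTP refusal and any sm-mta warning."""
    ftp, mail = split(events)
    return min(abs(f["when"] - m["when"]) for f in ftp for m in mail)

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("pairs within 5 min:", len(correlated(evs)), "| nearest gap:", nearest_gap(evs))
```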