From owner-freebsd-security Wed Nov 10 7:38:27 1999
Message-Id: <199911101536.HAA34906@cwsys.cwsent.com>
X-Mailer: exmh version 2.1.0 09/18/1999
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.3-RELEASE
To: Robert Watson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Nov 6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited , on signal 4
In-reply-to: Your message of "Sun, 07 Nov 1999 12:58:58 EST."
Date: Wed, 10 Nov 1999 07:36:26 -0800
Sender: owner-freebsd-security@FreeBSD.ORG

In message, Robert Watson writes:

> Noticed this in my system log:
>
> Nov 6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited on signal 4
>
> This doesn't normally happen and is a bit concerning.
>
> fledge:~> telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 fledge.watson.org ESMTP Sendmail 8.9.3/8.9.3; Sun, 7 Nov 1999 12:27:54 -0500 (EST)
>
> Which is the default version shipped in 3.3-RELEASE (or at least, this is
> currently a vanilla 3.3-RELEASE box :-).
>
> I'm concerned this could be a buffer-based attack, but don't see any of
> the signs of a successful compromise. Also, there were no signs of a
> scan of other open ports at the time.
>
> Has anyone else seen any of these lately?

It's very likely that there may be a buffer overrun being exploited on the Net and that whoever was attacking your machine may have been using an exploit engineered for Linux Sendmail or another version of FreeBSD. It is also possible that you may have bad memory in the box in question. Also possible is a FreeBSD bug that manifests itself under certain conditions, e.g. inetd and cron problems in <3.1.

You may wish to consider installing the smtpd port. Obtuse Smtpd front-ends itself to Sendmail to provide an architecture similar to that of Qmail, except that Sendmail still needs to be setuid root if you wish to continue support executing programs via .forward. If that's not important to you, then you can make Sendmail setgid mail, making sure that /var/mail and /var/spool/mqueue are group mail writable.

It also might be possible to write an application, similar to smrsh, that would securely invoke programs referenced in .forward files under each user's own id, entirely negating the need to have a setuid Sendmail.

Regards,

Cy Schubert                              Phone: (250)387-8437
Sun/DEC Team, UNIX Group                 Fax:   (250)387-5766
ITSD                                     Internet: Cy.Schubert@uumail.gov.bc.ca
Province of BC                                     Cy.Schubert@gems8.gov.bc.ca
"e**(i*pi)+1=0"
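As an added example that is not part of the original mail or of FreeBSD itself: a POSIX shell check that scans syslog text for the kernel "exited on signal" messages discussed above and reports root-owned processes that died on SIGILL (4), SIGABRT (6), SIGBUS (10) or SIGSEGV (11), the signals a memory-corruption crash or faulty RAM typically produces. The `SAMPLE_LOG` lines and the function names are constructed for this example, modelled on the line Robert posted.

```shell
#!/bin/sh
# Added example, not code from the original post. Constructed sample syslog
# text modelled on the "/kernel: pid N (proc), uid U: exited on signal S"
# message format quoted in the thread.
SAMPLE_LOG='Nov  6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited on signal 4
Nov  6 19:02:11 fledge /kernel: pid 4021 (sh), uid 1001: exited on signal 15
Nov  6 19:10:42 fledge /kernel: pid 4100 (inetd), uid 0: exited on signal 11
Nov  6 19:11:00 fledge sendmail[4102]: NOQUEUE: Null connection from localhost'

# Map a FreeBSD signal number to its name, succeeding only for the
# crash-type signals worth alerting on (SIGTERM, SIGHUP etc. are normal).
signal_name() {
    case "$1" in
        4)  echo SIGILL ;;
        6)  echo SIGABRT ;;
        10) echo SIGBUS ;;
        11) echo SIGSEGV ;;
        *)  return 1 ;;
    esac
}

# Read log text on stdin; print "pid process signame" for every uid 0
# process that exited on a crash signal. Returns 0 if any were found.
suspicious_crashes() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            *"/kernel: pid "*", uid 0: exited on signal "*) ;;
            *) continue ;;
        esac
        pid=${line#*/kernel: pid }; pid=${pid%% *}
        proc=${line#*(};          proc=${proc%%)*}
        sig=${line##*exited on signal }
        name=$(signal_name "$sig") || continue
        printf '%s %s %s\n' "$pid" "$proc" "$name"
        found=0
    done
    return $found
}

# Convenience wrapper: number of suspicious root crashes in SAMPLE_LOG.
count_suspicious() {
    printf '%s\n' "$SAMPLE_LOG" | suspicious_crashes | wc -l | tr -d ' '
}
```

On a live box the same function can be fed with `tail -f /var/log/messages` or a logger pipe; the uid 1001 SIGTERM line and the sendmail NOQUEUE line are intentionally ignored.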