Date: Tue, 21 Sep 1999 12:09:03 +0000 (GMT)
From: JD Nails <jack@dorazi.org>
To: security@FreeBSD.ORG
Subject: Re: hackers?
Message-ID: <Pine.BSF.4.10.9909211156120.552-100000@noreturn.frankbasso.com>
In-Reply-To: <v04210115b40d84be18ca@[216.112.76.84]>
Greetings,

You could add aol.com or the offending networks to your /etc/hosts.deny, but this would use resources on the host you are trying to protect. You might be better off blocking the route at your gateway from/to the AOL class C/B space; just be sure not to block the routes to their real mail hosts if you require mail to and from them. nslookup -q=mx aol.com to find those addresses.

A relay test may help verify your server, but most default sendmail 8.9.3 installs do not enable relay by default; you have to specify it in the mc configurations. cat /usr/src/etc/sendmail/freebsd.mc to see what your base config is set up like. FEATURE(relay_based_on_MX)dnl is what's in mine; it's OK, but I prefer to add hosts and networks by hand as anyone can alter their MX hosts to point your way :)

/usr/ports/mail/rlytest may come in handy, but run it from a host outside your network.

-jack

On Tue, 21 Sep 1999, John Armstrong wrote:

> You really really need to turn off relaying and turn on pop
> authentication ( or use a pop database if your pop users are coming
> from static IP addresses ).
>
> Is your load high? What do your maillogs indicate? Can you trace the
> source of the problem? Are emails bouncing back to your root acct?
>
> When this happened to me not only did I get nailed with the outgoing
> traffic, I got nailed with tens of thousands of bounces because the
> idiot spammer did not get a current mailing list. On top of that I
> got nailed into the blackhole and my ISP shut me down until I fixed
> it.
>
> It's a nightmare. If you need a sendmail.cf file that blocks relaying
> as well as the perl daemon to do pop authentication let me know and I
> will send it offlist.
>
> John-
>
> At 8:31 PM -0400 9/19/99, Mr. K. wrote:
>> I've just recently upgraded to sendmail 8.9, as my host was being used as
>> a mail relay.
>> I think I am now under some kind of attack. When I do a ps -x I get the
>> following listings:
>>
>> [...]
>>
>> Is there anything I can do to stop this?
>
> -------------------------------------------
> Remember, never ask a geek 'why',
> just nod your head and back away slowly..
>   --CmdrTaco, http://www.slashdot.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
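As an added example (not from this thread, and not FreeBSD's own freebsd.mc), here is the relay policy jack describes in .mc form for sendmail 8.9.x: the MX-based rule left disabled next to a hand-maintained access map that names exactly which hosts may relay. The access map path and the 192.0.2/24 network are assumptions; substitute your own.

```m4
dnl Added example, not from the thread or from FreeBSD's own freebsd.mc.
dnl Relay policy for sendmail 8.9.x: the MX-based rule jack dislikes, left
dnl commented out, beside a hand-maintained access map that names exactly
dnl which hosts and networks may relay through this server.
dnl Assumptions: access map at /etc/mail/access; 192.0.2 is our own /24
dnl (documentation prefix, substitute your real network).
divert(0)dnl
VERSIONID(`relay policy example')dnl
OSTYPE(bsd4.4)dnl
DOMAIN(generic)dnl
dnl
dnl Weak: relay for any domain whose MX records point at us.  Anyone who
dnl controls a zone can add an MX record pointing your way, so this lets
dnl a stranger turn you into their relay.  Leave it disabled.
dnl FEATURE(relay_based_on_MX)dnl
dnl
dnl Never enable this: it makes the host an open relay again.
dnl FEATURE(promiscuous_relay)dnl
dnl
dnl Hardened: consult the access database.  With 8.9's default of no
dnl relaying, only entries tagged RELAY below are allowed to relay.
FEATURE(access_db, `hash -o /etc/mail/access')dnl
dnl Also honour REJECT entries for envelope recipients.
FEATURE(blacklist_recipients)dnl
dnl
MAILER(local)dnl
MAILER(smtp)dnl
dnl
dnl /etc/mail/access, rebuilt with:
dnl   makemap hash /etc/mail/access < /etc/mail/access
dnl Contents (tabs or spaces between key and value):
dnl   localhost            RELAY
dnl   127.0.0.1            RELAY
dnl   192.0.2              RELAY
dnl Everything else gets "Relaying denied"; confirm it from a host outside
dnl your network with /usr/ports/mail/rlytest, as jack suggests.
```

After rebuilding sendmail.cf from this fragment, restart sendmail and verify the policy from outside before trusting it.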