[NTLUG:Discuss] alert from sendmail
Tom McDonald
tom at compuclaim.com
Sun Apr 25 16:54:11 CDT 2004
On Sun, 25 Apr 2004 11:04:12 -0500
Greg Edwards <greg at nas-inet.com> wrote:
> Anyone know what this means? Found it in my log report.
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Apr 24 20:00:32 mrytle sendmail[11148]: i3P10STn011148:
> from=<mcKeell at attack.ru>, size=651, class=0, nrcpts=1,
> msgid=<834a01c42a54$5dee0a3a$bea840ad at stagnum.fr>, proto=SMTP,
> daemon=MTA, relay=[211.190.91.79]
>
> TIA,
> --
> Greg Edwards
>
> Hosted Websites from New Age Software - http://www.nas-inet.com
> Anime, Manga, Lady Amaya - http://roseofcreation.nas-inet.com
> Coppell Texas - http://coppell.nas-inet.com
> Software Engineering - http://consult.nas-inet.com
Greg,
It looks like an attack alert from portsentry or maybe snort...
The MX receiver is myrtle (probably where the attack alert originates);
the from ID mckeell at attack.ru is a "Joint Stock Company in
Togliatti, Russia" (whatever a Joint Stock Company is). Their whois has
a comment of "High Tech Attack" in their description field, and
the message was relayed from a site in Korea, probably an open
relay for spammers...
No indication what the Attack Alert is for. I get about a million a day
scanning ports 135 and 445, but both /var/log/messages and
/var/log/mail/info tell me what the attack is, i.e. portscan, login
attempt, etc.
If "Active System Attack Alerts" is in the body or subject of the
message, then it's just a hook to get you to their site.
Tom
----
Tom McDonald <tom at compuclaim.com>
Compuclaim Inc.
Have a nice day!
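One way to pull the envelope fields out of a sendmail line like the one quoted above and note the two things Tom points at (sender domain vs. Message-ID domain, and a relay logged with no reverse DNS name), as an added Python example that is not from the list thread. The log line is a constructed copy of the posted one with the archive's " at " restored to "@"; the indicator checks are assumptions about what is worth flagging, not what logwatch or portsentry actually do.

```python
import re

# Constructed copy of the sendmail envelope line quoted in the post above.
SAMPLE = ("Apr 24 20:00:32 mrytle sendmail[11148]: i3P10STn011148: "
          "from=<mcKeell@attack.ru>, size=651, class=0, nrcpts=1, "
          "msgid=<834a01c42a54$5dee0a3a$bea840ad@stagnum.fr>, proto=SMTP, "
          "daemon=MTA, relay=[211.190.91.79]")

# syslog timestamp, host, sendmail[pid], queue id, then the key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"(?P<qid>\w+): (?P<fields>.*)$")

def parse_sendmail_from_line(line):
    """Split a sendmail 'from=' envelope line into a dict of its fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "pid", "qid")}
    for item in m.group("fields").split(", "):
        key, _, val = item.partition("=")
        rec[key] = val.strip("<>")   # drop the angle brackets around addresses
    return rec

def domain_of(addr):
    """Domain part of an address or Message-ID, lower-cased ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def sender_indicators(rec):
    """Cheap, explainable observations about one envelope record (assumed checks)."""
    notes = []
    sender_dom = domain_of(rec.get("from", ""))
    msgid_dom = domain_of(rec.get("msgid", ""))
    if sender_dom and msgid_dom and sender_dom != msgid_dom:
        notes.append(f"sender domain {sender_dom} differs from Message-ID domain {msgid_dom}")
    relay = rec.get("relay", "")
    # sendmail logs relay=name [ip] when reverse DNS resolves; a bare [ip] means no PTR.
    if re.fullmatch(r"\[\d{1,3}(\.\d{1,3}){3}\]", relay):
        notes.append(f"relay {relay} has no reverse DNS name")
    return notes

if __name__ == "__main__":
    record = parse_sendmail_from_line(SAMPLE)
    for note in sender_indicators(record):
        print(record["qid"], note)
```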