Phil,

I think I would look to see if I had received normal mail around that time. If legit mail came through, then you may have a "false positive" (although most dialup users should not normally be running MTAs directly from their PCs). Not really sure why a newline is getting placed in that position - lousy software? maybe a home-built MTA script? 3 AM? Who knows? Most of the dialinx network is used by corporate customers with road warriors - not exactly hacker haven.

If, otoh, someone was diddling your mail server, Genuity would very much like to know about it. Our AUP forbids most objectionable behavior. If something bad is going on, I would recommend sending *everything* you have which points to malicious behavior to "abuse at genuity.net" with your contact information. It's possible some person or program is haunting a legitimate user's box without him/her knowing it.

HTH,

----------------------
Chuck Young
Internet Systems Engineer
E-Services Consulting
Genuity Solutions
-----------------------------

> -----Original Message-----
> From: owner-discuss at Blu.Org [mailto:owner-discuss at Blu.Org]On Behalf Of
> Phil Buckley
> Sent: Sunday, August 26, 2001 11:39 AM
> To: discuss at Blu.Org
> Subject: System Attack - Finding the culprit?
>
>
> Looking through my email after a day off produced the following
> alert from one of the servers...
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Aug 25 03:28:56 galloproductions sendmail[21367]: NOQUEUE:
> POSSIBLE ATTACK from [4.54.118.112]: newline in string "trilluser^M "
>
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Aug 25 03:28:56 galloproductions sendmail[21367]: NOQUEUE:
> POSSIBLE ATTACK from [4.54.118.112]: newline in string "trilluser^M "
>
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Aug 25 03:28:56 galloproductions sendmail[21367]: NOQUEUE:
> POSSIBLE ATTACK from [4.54.118.112]: newline in string "trilluser^M "
> ==========================================================================
>
> So I wanted to see where the attack had originated at...
>
> #nslookup 4.54.118.112
> Name: PPPa83-ResaleNewYorkMetroB1-1R7187.dialinx.net
> Address: 4.54.118.112
> ==================================================================
> =========
>
> Looks like a typical dialup account, so I try to figure out who
> gave the guy access...
>
> #   IP address      Host name                                        Round trip time
> 1   4.54.144.12     Resale_Eastern_Ma3-3R7200.genuity2.net           187 ms
> 2   4.54.144.2      RE4-P14-BST-GNP-R1.genuity2.net                  173 ms
> 3   204.166.35.74   RE4-P14-R1-pvc1-Hub1.genuity2.net                154 ms
> 4   4.24.94.1       p3-0.bstnma1-cr8.bbnplanet.net                   155 ms
> 5   4.24.5.41       p6-0.bstnma1-ba1.bbnplanet.net                   144 ms
> 6   4.24.7.117      p7-0.bstnma1-br1.bbnplanet.net                   200 ms
> 7   4.24.6.50       p9-0.nycmny1-nbr2.bbnplanet.net                  160 ms
> 8   4.24.10.209     p15-0.nycmny1-nbr1.bbnplanet.net                 169 ms
> 9   4.24.8.162      p1-0.nycmny1-cr9.bbnplanet.net                   171 ms
> 10  4.24.188.74     p6-1.dialinxny.bbnplanet.net                     185 ms
> 11  172.20.66.141   Unavailable                                      195 ms
> 12  4.54.116.15     Resale_New_York_MetroB1-1R7187.genuity2.net      220 ms
> 13  4.54.118.112    PPPa83-ResaleNewYorkMetroB1-1R7187.dialinx.net   341 ms
>
> So, my question is... do I contact "genuity" to report this attack?
>
> Thanks,
> Phil
>
> -
> Subscription/unsubscription/info requests: send e-mail with
> "subscribe", "unsubscribe", or "info" on the first line of the
> message body to discuss-request at blu.org (Subject line is ignored).
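Added example, not from this thread or from either poster: a small Python triage script that does the check Chuck suggests, pairing each sendmail "POSSIBLE ATTACK ... newline in string" alert with ordinary deliveries from the same relay around the same time, and decoding the caret-notation control character to tell a bare CR (usually a client with broken line endings) from an embedded LF. The log format is assumed from the alert Phil quoted; the two "from=" delivery lines and their addresses are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines: the middle one mirrors the alert quoted in the
# thread; the two "from=" delivery records around it are invented for the example.
SAMPLE_LOG = """\
Aug 25 03:27:10 galloproductions sendmail[21360]: f7P7RAx21360: from=<alice@example.net>, size=812, relay=[4.54.118.112]
Aug 25 03:28:56 galloproductions sendmail[21367]: NOQUEUE: POSSIBLE ATTACK from [4.54.118.112]: newline in string "trilluser^M "
Aug 25 03:40:01 galloproductions sendmail[21380]: f7P7e1q21380: from=<bob@example.org>, size=2210, relay=mail.example.org [192.0.2.10]
"""

TS = r'(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)'
ATTACK_RE = re.compile(TS + r' \S+ sendmail\[\d+\]: NOQUEUE: POSSIBLE ATTACK from '
                       r'\[(?P<ip>[\d.]+)\]: newline in string "(?P<s>.*)"$')
FROM_RE = re.compile(TS + r' \S+ sendmail\[\d+\]: \w+: from=.*relay=.*\[(?P<ip>[\d.]+)\]')

def parse_ts(ts, year):
    # syslog timestamps carry no year, so the caller supplies it
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")

def decode_caret(s):
    # sendmail logs control characters in caret notation: ^M is CR, ^J is LF
    return re.sub(r'\^([@-_])', lambda m: chr(ord(m.group(1)) ^ 0x40), s)

def classify(raw):
    # an LF inside an SMTP argument is the case the check exists for; a lone CR
    # is more often a client or script with broken line endings
    s = decode_caret(raw)
    if '\n' in s:
        return 'embedded LF'
    if '\r' in s:
        return 'bare CR'
    return 'other control char'

def triage(log, year=2001, window=timedelta(minutes=30)):
    # pair each alert with ordinary deliveries from the same relay within the
    # window: legitimate mail nearby supports the false-positive reading
    attacks, deliveries = [], []
    for line in log.splitlines():
        if (m := ATTACK_RE.match(line)):
            attacks.append((parse_ts(m['ts'], year), m['ip'], m['s']))
        elif (m := FROM_RE.match(line)):
            deliveries.append((parse_ts(m['ts'], year), m['ip']))
    report = []
    for when, ip, raw in attacks:
        nearby = sum(1 for t, dip in deliveries if dip == ip and abs(t - when) <= window)
        report.append({'when': when, 'ip': ip, 'string': decode_caret(raw),
                       'kind': classify(raw), 'normal_mail_nearby': nearby})
    return report
```

Run `triage(open('/var/log/maillog').read(), year=...)` against a real log; an alert with `normal_mail_nearby` greater than zero and kind `bare CR` is the "lousy software" case, while `embedded LF` with no normal mail from that relay is the one worth sending to the provider's abuse contact.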