topic Re: Sendmail mischief in Operating System - Linux

Sendmail mischief

Vernon Brown_4 — Thu, 04 Mar 2004 15:00:52 GMT

The following snippit from netstat output shows an SMTP connection that has been ESTABLISHED for about a half hour now. Who can suggest how I might figure out what he's up to. Maillog shows no entries for this IP.

[veb@linda veb]$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 cabot-biz.com:smtp 210.117.89.197:4857 ESTABLISHED
tcp 0 81 linda.local:telnet veb.local:32853 ESTABLISHED

Re: Sendmail mischief

James A. Donovan — Thu, 04 Mar 2004 16:22:26 GMT

http://www.apnic.net/apnic-bin/whois.pl

From a whois lookup, the IP address, 210.117.89.197, belongs to a range designated to the Thrunet company in South Korea.

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 210.116.0.0 - 210.123.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: hostmaster@apnic.net 19961126
changed: hostmaster@apnic.net 20010606
status: ALLOCATED PORTABLE
source: APNIC

person: Host Master
address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address: Seoul, Korea, 137-857
country: KR
phone: +82-2-2186-4500
fax-no: +82-2-2186-4496
e-mail: hostmaster@nic.or.kr
nic-hdl: HM127-AP
mnt-by: MNT-KRNIC-AP
changed: hostmaster@nic.or.kr 20020507
source: APNIC

inetnum: 210.117.89.0 - 210.117.89.255
netname: THRUNET-INFRA-KR
descr: Thrunet Co., Ltd (THRUNET)
descr: 1337-20 Seocho-2dong, Seocho-ku
descr: SEOUL
descr: 137-072
country: KR
admin-c: NM965-KR
tech-c: YH1111-KR
remarks: This IP address space has been allocated to KRNIC.
remarks: For more information, using KRNIC Whois Database
remarks: whois -h whois.nic.or.kr
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20040112
source: KRNIC

person: Noh myung sun
descr: Thrunet Co., Ltd (THRUNET)
descr: 1337-20 Seocho-2dong, Seocho-ku
descr: SEOUL
descr: 137-072
country: KR
phone: +82-2-3488-8452
e-mail: ip@thrunet.com
nic-hdl: NM965-KR
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20040112
source: KRNIC

person: YU Hye Sook
descr: Thrunet Co., Ltd (THRUNET)
descr: 1337-20 Seocho-2dong, Seocho-ku
descr: SEOUL
descr: 137-072
country: KR
phone: +82-2-3488-8452
e-mail: ip@thrunet.com
nic-hdl: YH1111-KR
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20040112
source: KRNIC

Re: Sendmail mischief

Vernon Brown_4 — Thu, 04 Mar 2004 16:56:37 GMT

Thanks for your efforts. I did the dig -x and whois stuff.

I'm really searching for tools that might give a more detailed look into who's doing what in sendmail.

Thanks for any help.

Re: Sendmail mischief

James A. Donovan — Thu, 04 Mar 2004 17:58:24 GMT

..ahhh...then you could use ethereal to capture and analyze any packets being sent to/from that address.

If you don't have it you can download it from here.

http://www.ethereal.com

Re: Sendmail mischief

Steven E. Protter — Fri, 05 Mar 2004 10:42:00 GMT

I've noticed a number of problems with users in Korea attempting driect port 25 connections onto my box.

The problem has been drasticallhy reduced by my upgrade to Red HAt Enterprise ES release 1. Fedora Core is equivalent.

I have added this ip address range to my /etc/mail/access list. They don't get on my server any more.

I reccomend the following entry added to /etc/sysconfig/iptables configuration:

-A INPUT -i eth0 -p tcp -s --dport 25 -j DROP

or

-A INPT -i eth0 -p ALL -s -j DROP

SEP

-A

Re: Sendmail mischief

Steven E. Protter — Fri, 05 Mar 2004 10:43:06 GMT

Correction:

A INPUT -i eth0 -p tcp -s --dport 25 -j DROP

or

-A INPUT -i eth0 -p ALL -s -j DROP

service iptables restart

Same basic idea with ipchains, different syntax.

SEP

Re: Sendmail mischief

Vernon Brown_4 — Fri, 05 Mar 2004 10:55:28 GMT

Thanks Steven; I'm still using ipchains on my server. Your ipchains to iptables instructions are printed out and laying here on my desk. Switching over is on my todo list.

I'll try blocking the IP in ipchains for now.

Vern