Re: Sendmail mischief

 
SOLVED
Go to solution
Vernon Brown_4
Trusted Contributor

Sendmail mischief

The following snippet from netstat output shows an SMTP connection that has been ESTABLISHED for about a half hour now. Who can suggest how I might figure out what he's up to? Maillog shows no entries for this IP.



[veb@linda veb]$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 cabot-biz.com:smtp 210.117.89.197:4857 ESTABLISHED
tcp 0 81 linda.local:telnet veb.local:32853 ESTABLISHED
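As an added example (not part of this thread or anyone's post in it), a small Python script that does what the question asks for: it parses netstat output like the one above, keeps ESTABLISHED connections to the local smtp port from peers outside the LAN, and checks whether sendmail's maillog holds any relay= entry for that peer. A peer that holds a session open but never shows up in maillog is exactly the "silent" connection the question describes. The netstat and maillog lines below are constructed for the example; the ".local" LAN suffix is an assumption taken from the hostnames above.

```python
import re
from typing import Dict, List

# Constructed sample netstat output modelled on the post (not the full real output).
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 cabot-biz.com:smtp 210.117.89.197:4857 ESTABLISHED
tcp 0 81 linda.local:telnet veb.local:32853 ESTABLISHED
tcp 0 0 cabot-biz.com:smtp mail.example.net:2201 TIME_WAIT
"""

# Constructed sendmail maillog lines; sendmail logs the peer as relay=host [ip].
MAILLOG_SAMPLE = """\
Jan 12 10:01:02 linda sendmail[1234]: i0CA12ab001234: from=<a@example.net>, size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Jan 12 10:01:03 linda sendmail[1235]: i0CA12ab001234: to=<veb@cabot-biz.com>, delay=00:00:01, mailer=local, stat=Sent
"""

# proto recv-q send-q local:port foreign:port state
LINE_RE = re.compile(r"^(tcp6?|udp)\s+\d+\s+\d+\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(\S+)$")


def smtp_peers(netstat_text: str, local_suffix: str = ".local") -> List[Dict[str, str]]:
    """Return ESTABLISHED connections to the local smtp port from non-LAN peers."""
    peers = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line or something we cannot parse
        _proto, lhost, lport, fhost, fport, state = m.groups()
        if lport not in ("smtp", "25") or state != "ESTABLISHED":
            continue
        if fhost.endswith(local_suffix):
            continue  # our own LAN (assumed suffix), not interesting here
        peers.append({"peer": fhost, "peer_port": fport, "local": lhost})
    return peers


def maillog_mentions(maillog_text: str, peer: str) -> int:
    """Count maillog lines whose relay= field names this peer (hostname or [ip])."""
    pat = re.compile(r"relay=\S*\s*\[?" + re.escape(peer) + r"\]?")
    return sum(1 for line in maillog_text.splitlines() if pat.search(line))


def silent_smtp_peers(netstat_text: str, maillog_text: str) -> List[str]:
    """Peers holding an SMTP session open that sendmail never logged a transaction for."""
    return [p["peer"] for p in smtp_peers(netstat_text)
            if maillog_mentions(maillog_text, p["peer"]) == 0]
```

On a live box the same functions can be fed the output of `netstat -n` and the contents of /var/log/maillog; a peer reported here is a candidate for the packet capture suggested further down the thread.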
James A. Donovan
Honored Contributor

Re: Sendmail mischief

http://www.apnic.net/apnic-bin/whois.pl

From a whois lookup, the IP address, 210.117.89.197, belongs to a range designated to the Thrunet company in South Korea.

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 210.116.0.0 - 210.123.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: hostmaster@apnic.net 19961126
changed: hostmaster@apnic.net 20010606
status: ALLOCATED PORTABLE
source: APNIC

person: Host Master
address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address: Seoul, Korea, 137-857
country: KR
phone: +82-2-2186-4500
fax-no: +82-2-2186-4496
e-mail: hostmaster@nic.or.kr
nic-hdl: HM127-AP
mnt-by: MNT-KRNIC-AP
changed: hostmaster@nic.or.kr 20020507
source: APNIC

inetnum: 210.117.89.0 - 210.117.89.255
netname: THRUNET-INFRA-KR
descr: Thrunet Co., Ltd (THRUNET)
descr: 1337-20 Seocho-2dong, Seocho-ku
descr: SEOUL
descr: 137-072
country: KR
admin-c: NM965-KR
tech-c: YH1111-KR
remarks: This IP address space has been allocated to KRNIC.
remarks: For more information, using KRNIC Whois Database
remarks: whois -h whois.nic.or.kr
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20040112
source: KRNIC

person: Noh myung sun
descr: Thrunet Co., Ltd (THRUNET)
descr: 1337-20 Seocho-2dong, Seocho-ku
descr: SEOUL
descr: 137-072
country: KR
phone: +82-2-3488-8452
e-mail: ip@thrunet.com
nic-hdl: NM965-KR
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20040112
source: KRNIC

person: YU Hye Sook
descr: Thrunet Co., Ltd (THRUNET)
descr: 1337-20 Seocho-2dong, Seocho-ku
descr: SEOUL
descr: 137-072
country: KR
phone: +82-2-3488-8452
e-mail: ip@thrunet.com
nic-hdl: YH1111-KR
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20040112
source: KRNIC
Remember, wherever you go, there you are...
Vernon Brown_4
Trusted Contributor

Re: Sendmail mischief

Thanks for your efforts. I did the dig -x and whois stuff.

I'm really searching for tools that might give a more detailed look into who's doing what in sendmail.

Thanks for any help.
James A. Donovan
Honored Contributor
Solution

Re: Sendmail mischief

..ahhh...then you could use ethereal to capture and analyze any packets being sent to/from that address.

If you don't have it you can download it from here.

http://www.ethereal.com
Remember, wherever you go, there you are...
Steven E. Protter
Exalted Contributor

Re: Sendmail mischief

I've noticed a number of problems with users in Korea attempting direct port 25 connections onto my box.

The problem has been drastically reduced by my upgrade to Red Hat Enterprise ES release 1. Fedora Core is equivalent.

I have added this ip address range to my /etc/mail/access list. They don't get on my server any more.

I recommend the following entry added to /etc/sysconfig/iptables configuration:

-A INPUT -i eth0 -p tcp -s --dport 25 -j DROP

or

-A INPT -i eth0 -p ALL -s -j DROP

SEP

-A

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven E. Protter
Exalted Contributor

Re: Sendmail mischief

Correction:

-A INPUT -i eth0 -p tcp -s --dport 25 -j DROP

or

-A INPUT -i eth0 -p ALL -s -j DROP

service iptables restart

Same basic idea with ipchains, different syntax.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Vernon Brown_4
Trusted Contributor

Re: Sendmail mischief

Thanks Steven; I'm still using ipchains on my server. Your ipchains to iptables instructions are printed out and lying here on my desk. Switching over is on my todo list.

I'll try blocking the IP in ipchains for now.

Vern