On Fri, Feb 16, 2001 at 11:40:31AM +0100, Boris Lorenz wrote:
On 15-Feb-01 Togan Muftuoglu wrote:
Active System Attack Alerts
Feb 15 19:14:16 isguzar sendmail[1559]: f1FHEAM01558: Truncated MIME Content-Disposition header due to field size (possible attack)
OK, I have checked all the logs but could not find any critical accept output from SuSE firewall 4.2 logs.
Patched and/or newer versions of sendmail are fixed and place some hints about such attack attempts in your syslog.
On the other hand, there are some known problems with (older?) sendmail versions (<8.11.0/2) and MS Outlook 2000 and its MIME handling. If you have nodes in your network using this software you may perform some more testing. Send mails with attachments and watch your logfiles.
sendmail is 8.11.0, IIRC the latest one from SuSE FTP for SuSE 7.0. There are no MS Windows nodes in the network. Having a look at the problem mail (which I found), it is HTML with lots of activelink requests to ads, remote CGI servers, anything you can imagine, which all want a connection to the internet.
Any other places I have to look?
<smartass'ing> If you'd installed some network intrusion detection tool (like snort, www.snort.org) you would have had more information! </smartass'ing>
Currently I am using portsentry with logcheck, and I was thinking that portsentry would give good information, which it did not. Maybe I should look in more detail at snort. Thanks for the light.
--
Togan Muftuoglu
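Added example, not part of the original thread: one place to look next is the mail log itself, since sendmail tags every record for a message with the same queue ID, so the `from=` record for the alert's queue ID names the envelope sender and the connecting relay. In the sample below only the alert line comes from the thread; the other log lines, the addresses and the function name `correlate_alerts` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log; only the first line is the alert quoted in the thread.
SAMPLE_LOG = """\
Feb 15 19:14:16 isguzar sendmail[1559]: f1FHEAM01558: Truncated MIME Content-Disposition header due to field size (possible attack)
Feb 15 19:14:17 isguzar sendmail[1559]: f1FHEAM01558: from=<news@bulk.example>, size=48213, class=0, nrcpts=1, msgid=<1@bulk.example>, proto=ESMTP, daemon=MTA, relay=mx.bulk.example [192.0.2.25]
Feb 15 19:14:18 isguzar sendmail[1561]: f1FHEAM01558: to=<togan@localhost>, delay=00:00:02, mailer=local, stat=Sent
Feb 15 19:20:02 isguzar sendmail[1570]: f1FHK1M01569: from=<friend@example.org>, size=912, class=0, nrcpts=1, relay=mail.example.org [198.51.100.7]
"""

# syslog prefix, then "<queue id>: <message>"
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                  r"sendmail\[\d+\]: (?P<qid>\w+): (?P<msg>.*)$")
# key=value pairs separated by ", " (values may contain spaces and brackets)
FIELD = re.compile(r"(\w+)=(.*?)(?:, (?=\w+=)|$)")

def correlate_alerts(log_text):
    """Return one report per queue ID that logged a '(possible attack)' line."""
    by_qid = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            by_qid[m["qid"]].append((m["ts"], m["msg"]))

    reports = []
    for qid, entries in by_qid.items():
        alerts = [(ts, msg) for ts, msg in entries if "(possible attack)" in msg]
        if not alerts:
            continue  # ordinary mail, nothing flagged
        info = {}
        for _, msg in entries:
            if msg.startswith("from="):
                info.update(FIELD.findall(msg))   # sender, size, relay, ...
            elif msg.startswith("to="):
                info.setdefault("to", dict(FIELD.findall(msg)).get("to"))
        reports.append({
            "qid": qid, "time": alerts[0][0], "alert": alerts[0][1],
            "sender": info.get("from"), "relay": info.get("relay"),
            "rcpt": info.get("to"),
        })
    return reports

if __name__ == "__main__":
    for report in correlate_alerts(SAMPLE_LOG):
        print(report)
```
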