Date:      Wed, 10 Nov 1999 07:36:26 -0800
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        Robert Watson <robert+freebsd@cyrus.watson.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Nov 6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited , on signal 4 
Message-ID:  <199911101536.HAA34906@cwsys.cwsent.com>
In-Reply-To: Your message of "Sun, 07 Nov 1999 12:58:58 EST." <Pine.BSF.3.96.991107120929.6237A-100000@fledge.watson.org> 

In message <Pine.BSF.3.96.991107120929.6237A-100000@fledge.watson.org>, Robert 
Watson writes:
> 
> Noticed this in my system log:
> 
> Nov  6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited on
> signal 4
> 
> This doesn't normally happen and is a bit concerning.
> 
> fledge:~> telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 fledge.watson.org ESMTP Sendmail 8.9.3/8.9.3; Sun, 7 Nov 1999 12:27:54
> -0500 (EST)
> 
> Which is the default version shipped in 3.3-RELEASE (or at least, this is
> currently a vanilla 3.3-RELEASE box :-).
> 
> I'm concerned this could be a buffer-based attack, but don't see any of
> the signs of a successful compromise.  Also, there were no signs of a
> scan of other open ports at the time.
> 
> Has anyone else seen any of these lately?

It's very likely that there may be a buffer overrun being exploited on the 
Net and that whoever was attacking your machine may have been using an 
exploit engineered for Linux Sendmail or another version of FreeBSD.

It is also possible that you may have bad memory in the box in 
question.  Also possible is a FreeBSD bug that manifests itself under 
certain conditions, e.g. inetd and cron problems in <3.1.

You may wish to consider installing the smtpd port.  Obtuse Smtpd front-ends
itself to Sendmail to provide an architecture similar to that of 
Qmail, except that Sendmail still needs to be setuid root if you wish 
to continue to support executing programs via .forward.  If that's not 
important to you, then you can make Sendmail setgid mail, making sure
that /var/mail and /var/spool/mqueue are group mail writable.  It also 
might be possible to write an application, similar to smrsh, that would 
securely invoke programs referenced in .forward files under each user's 
own id, entirely negating the need to have a setuid Sendmail.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
                      "e**(i*pi)+1=0"
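One way to watch for the kind of event Robert reported: an added example (not part of this thread or of FreeBSD) that pulls the kernel's "exited on signal" messages out of syslog lines and flags root-owned daemons dying on crash signals such as SIGILL, so a repeat against the same daemon stands out from a one-off fault. The sample log lines are constructed; the signal numbers follow FreeBSD's table.

```python
import re
from collections import Counter

# FreeBSD kernel log entry written when a process dies on a signal, e.g.
#   "pid 3988 (sendmail), uid 0: exited on signal 4"
SIGNAL_EXIT = re.compile(
    r"pid (?P<pid>\d+) \((?P<proc>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)

# Signals that mean a crash rather than an orderly shutdown (FreeBSD numbering):
# SIGILL 4, SIGTRAP 5, SIGABRT 6, SIGBUS 10, SIGSEGV 11.
CRASH_SIGNALS = {4: "SIGILL", 5: "SIGTRAP", 6: "SIGABRT", 10: "SIGBUS", 11: "SIGSEGV"}

def parse_signal_exits(lines):
    """Yield one dict per signal-exit kernel message found in the syslog lines."""
    for line in lines:
        m = SIGNAL_EXIT.search(line)
        if m:
            yield {
                "timestamp": line[:15],          # syslog "Mon dd hh:mm:ss" prefix
                "pid": int(m["pid"]), "proc": m["proc"],
                "uid": int(m["uid"]), "sig": int(m["sig"]),
                "core": m["core"] is not None,
            }

def privileged_crashes(events):
    """Keep root-owned (uid 0) processes that died on a crash signal."""
    return [e for e in events if e["uid"] == 0 and e["sig"] in CRASH_SIGNALS]

def crash_counts(events):
    """Count privileged crashes per (process, signal name) so repeats stand out."""
    return Counter((e["proc"], CRASH_SIGNALS[e["sig"]]) for e in privileged_crashes(events))

# Constructed sample lines; the first is the one quoted in the thread.
SAMPLE_LOG = """\
Nov  6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited on signal 4
Nov  6 19:02:11 fledge /kernel: pid 4102 (sendmail), uid 0: exited on signal 4
Nov  6 19:10:30 fledge /kernel: pid 4150 (netscape), uid 1001: exited on signal 11 (core dumped)
Nov  6 19:11:02 fledge /kernel: pid 4170 (sendmail), uid 0: exited on signal 15
""".splitlines()

if __name__ == "__main__":
    events = list(parse_signal_exits(SAMPLE_LOG))
    for (proc, sig), n in crash_counts(events).items():
        print(f"{proc}: {n} x {sig} while running as root")
```

On a live box the same functions can be fed `/var/log/messages` line by line; a burst of identical crashes in one daemon argues for an external trigger, while crashes scattered across unrelated processes fit the bad-memory explanation.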