Date: Wed, 10 Nov 1999 07:36:26 -0800
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Nov 6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited , on signal 4
Message-ID: <199911101536.HAA34906@cwsys.cwsent.com>
In-Reply-To: Your message of "Sun, 07 Nov 1999 12:58:58 EST." <Pine.BSF.3.96.991107120929.6237A-100000@fledge.watson.org>
In message <Pine.BSF.3.96.991107120929.6237A-100000@fledge.watson.org>, Robert
Watson writes:
>
> Noticed this in my system log:
>
> Nov 6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited on
> signal 4
>
> This doesn't normally happen and is a bit concerning.
>
> fledge:~> telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 fledge.watson.org ESMTP Sendmail 8.9.3/8.9.3; Sun, 7 Nov 1999 12:27:54
> -0500 (EST)
>
> Which is the default version shipped in 3.3-RELEASE (or at least, this is
> currently a vanilla 3.3-RELEASE box :-).
>
> I'm concerned this could be a buffer-based attack, but don't see any of
> the signs of a successful compromise. Also, there were no signs of a
> scan of other open ports at the time.
>
> Has anyone else seen any of these lately?
It's very likely that there may be a buffer overrun being exploited on the
Net and that whoever was attacking your machine may have been using an
exploit engineered for Linux Sendmail or another version of FreeBSD.
It is also possible that you may have bad memory in the box in
question. Also possible is a FreeBSD bug that manifests itself under
certain conditions, e.g. inetd and cron problems in <3.1.
You may wish to consider installing the smtpd port. Obtuse Smtpd front-
ends itself to Sendmail to provide an architecture similar to that of
Qmail, except that Sendmail still needs to be setuid root if you wish
to continue to support executing programs via .forward. If that's not
important to you, then you can make Sendmail setgid mail, making sure
that /var/mail and /var/spool/mqueue are group mail writable. It also
might be possible to write an application, similar to smrsh, that would
securely invoke programs referenced in .forward files under each user's
own id, entirely negating the need to have a setuid Sendmail.
Regards,                          Phone:    (250)387-8437
Cy Schubert                       Fax:      (250)387-5766
Sun/DEC Team, UNIX Group          Internet: Cy.Schubert@uumail.gov.bc.ca
ITSD                                        Cy.Schubert@gems8.gov.bc.ca
Province of BC
              "e**(i*pi)+1=0"
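As an added example, not part of the thread or of FreeBSD, here is a small Python triage of the kernel's "exited on signal" lines. It parses lines of the form Robert quoted, names the signal using FreeBSD's numbering (4 is SIGILL, the case here; SIGBUS is 10 on FreeBSD but 7 on Linux, so adjust the table for other systems), and rates a uid-0 process dying on a crash signal as the kind of event worth the investigation Cy describes. The sample log is constructed except for the first line, which is the thread's own line joined back onto one line.

```python
import re

# Signal numbers as FreeBSD (and other BSD-derived systems) assign them.
# Only signals that mean "the process crashed" are listed; anything else
# reported by the kernel is treated as an orderly or externally requested exit.
CRASH_SIGNALS = {
    4: "SIGILL",    # illegal instruction: the signal in the thread
    6: "SIGABRT",
    8: "SIGFPE",
    10: "SIGBUS",   # 7 on Linux
    11: "SIGSEGV",
}

# Matches: "<Mon dd hh:mm:ss> <host> /kernel: pid N (prog), uid U: exited on signal S"
# Syslog pads single-digit days with two spaces; \s+ accepts either spacing.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"pid (?P<pid>\d+) \((?P<prog>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)"
)

# Constructed sample log. The first line is the one from the thread, re-joined;
# the other two are made up to show the other severity levels.
SAMPLE_LOG = [
    "Nov 6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited on signal 4",
    "Nov 6 19:02:11 fledge /kernel: pid 4102 (perl), uid 1001: exited on signal 11",
    "Nov 6 19:05:40 fledge /kernel: pid 4110 (sh), uid 1001: exited on signal 15",
    "Nov 6 19:06:02 fledge sshd[4120]: unrelated line, ignored by the parser",
]


def parse_exit_line(line):
    """Return a dict for a kernel 'exited on signal' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "host": d["host"],
        "pid": int(d["pid"]),
        "prog": d["prog"],
        "uid": int(d["uid"]),
        "sig": int(d["sig"]),
    }


def triage(lines):
    """Classify each parsed exit line.

    high:   a uid-0 process died on a crash signal (the thread's case: worth
            checking for exploitation, bad memory, or a kernel/daemon bug)
    medium: an unprivileged process died on a crash signal
    low:    any other signal exit the kernel logged
    """
    findings = []
    for line in lines:
        ev = parse_exit_line(line)
        if ev is None:
            continue
        name = CRASH_SIGNALS.get(ev["sig"])
        if name and ev["uid"] == 0:
            severity = "high"
        elif name:
            severity = "medium"
        else:
            severity = "low"
        findings.append({**ev, "signame": name or "signal %d" % ev["sig"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %s pid %d (%s) uid %d died on %s" % (
            f["severity"], f["ts"], f["pid"], f["prog"], f["uid"], f["signame"]))
```

Run against a real /var/log/messages the same function works unchanged; the useful signal is not a single high finding but a cluster of them for one daemon, which separates a repeated attack attempt from the one-off crash that bad memory or a daemon bug would produce.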
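A second added example, also not from the thread, checks how far an installation is from the "setgid mail" layout Cy describes: the sendmail binary setgid to the mail group instead of setuid root, and /var/mail and /var/spool/mqueue owned by and writable by that group. The paths, the placeholder binary and the group id are all constructed inside a temporary directory so the script runs without touching a real mail system; on a real box you would call audit_sendmail_layout with the actual binary, the two spool directories and the gid of the mail group.

```python
import os
import stat
import tempfile


def mode_facts(path):
    """The permission facts the audit needs about one filesystem object."""
    st = os.stat(path)
    return {
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "setgid": bool(st.st_mode & stat.S_ISGID),
        "group_writable": bool(st.st_mode & stat.S_IWGRP),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def audit_sendmail_layout(binary, spool_dirs, mail_gid):
    """Compare a sendmail installation against the setgid-mail layout.

    Returns a list of (path, finding) pairs; an empty list means the binary is
    setgid to mail_gid without being setuid root, and every spool directory is
    owned by mail_gid and group-writable.
    """
    findings = []
    b = mode_facts(binary)
    if b["setuid"] and b["uid"] == 0:
        findings.append((binary, "setuid root: only needed to run programs from .forward"))
    if not (b["setgid"] and b["gid"] == mail_gid):
        findings.append((binary, "not setgid to the mail group"))
    for d in spool_dirs:
        f = mode_facts(d)
        if f["gid"] != mail_gid:
            findings.append((d, "not owned by the mail group"))
        if not f["group_writable"]:
            findings.append((d, "not group-writable"))
    return findings


def run_demo():
    """Audit a constructed layout: our own gid stands in for the mail group,
    a placeholder 'sendmail' is setgid (not setuid), the mail directory is
    group-writable, and the mqueue directory is deliberately not."""
    gid = os.getgid()
    with tempfile.TemporaryDirectory() as root:
        binary = os.path.join(root, "sendmail")
        with open(binary, "w") as fh:
            fh.write("#!/bin/sh\n")        # placeholder, never executed
        os.chmod(binary, 0o2555)           # r-xr-sr-x: setgid, no setuid
        mail = os.path.join(root, "mail")
        mqueue = os.path.join(root, "mqueue")
        os.mkdir(mail)
        os.mkdir(mqueue)
        os.chmod(mail, 0o775)              # group-writable, as required
        os.chmod(mqueue, 0o755)            # not group-writable: the finding
        return audit_sendmail_layout(binary, [mail, mqueue], gid)


if __name__ == "__main__":
    for path, finding in run_demo():
        print("%s: %s" % (path, finding))
```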
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
