Date: Wed, 10 Nov 1999 07:36:26 -0800
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Nov 6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited , on signal 4
Message-ID: <199911101536.HAA34906@cwsys.cwsent.com>
In-Reply-To: Your message of "Sun, 07 Nov 1999 12:58:58 EST." <Pine.BSF.3.96.991107120929.6237A-100000@fledge.watson.org>

In message <Pine.BSF.3.96.991107120929.6237A-100000@fledge.watson.org>, Robert Watson writes:
>
> Noticed this in my system log:
>
> Nov 6 18:47:25 fledge /kernel: pid 3988 (sendmail), uid 0: exited on
> signal 4
>
> This doesn't normally happen and is a bit concerning.
>
> fledge:~> telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 fledge.watson.org ESMTP Sendmail 8.9.3/8.9.3; Sun, 7 Nov 1999 12:27:54
> -0500 (EST)
>
> Which is the default version shipped in 3.3-RELEASE (or at least, this is
> currently a vanilla 3.3-RELEASE box :-).
>
> I'm concerned this could be a buffer-based attack, but don't see any of
> the signs of a successful compromise. Also, there were no signs of a
> scan of other open ports at the time.
>
> Has anyone else seen any of these lately?

It's very likely that there may be a buffer overrun being exploited on
the Net and that whoever was attacking your machine may have been using
an exploit engineered for Linux Sendmail or another version of FreeBSD.
It is also possible that you may have bad memory in the box in
question. Also possible is a FreeBSD bug that manifests itself under
certain conditions, e.g. inetd and cron problems in <3.1.

You may wish to consider installing the smtpd port. Obtuse Smtpd
front-ends itself to Sendmail to provide an architecture similar to
that of Qmail, except that Sendmail still needs to be setuid root if
you wish to continue support executing programs via .forward. If that's
not important to you, then you can make Sendmail setgid mail, making
sure that /var/mail and /var/spool/mqueue are group mail writable.

It also might be possible to write an application, similar to smrsh,
that would securely invoke programs referenced in .forward files under
each user's own id, entirely negating the need to have a setuid
Sendmail.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
                      "e**(i*pi)+1=0"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
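
The following audit script is an added example, not part of the original message: it checks the layout the reply describes, a Sendmail binary that is setgid mail instead of setuid, with /var/mail and /var/spool/mqueue group mail writable. The binary path /usr/sbin/sendmail, the SENDMAIL variable and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the setgid-mail layout described in the message.
# Function names and the default binary path are assumptions.

# Print "<mode-string> <group>" for a path, or nothing if it is missing.
mode_and_group() {
    ls -ld "$1" 2>/dev/null | awk '{ print $1, $4 }'
}

# check_binary PATH GROUP: pass only if PATH is not setuid and is setgid GROUP.
check_binary() {
    info=$(mode_and_group "$1")
    [ -n "$info" ] || { echo "MISSING $1"; return 2; }
    mode=${info%% *}; grp=${info#* }
    case $mode in
        ???[sS]*) echo "FAIL $1: still setuid ($mode)"; return 1 ;;
    esac
    case $mode in
        ??????s*) ;;
        *) echo "FAIL $1: not setgid ($mode)"; return 1 ;;
    esac
    [ "$grp" = "$2" ] || { echo "FAIL $1: group $grp, want $2"; return 1; }
    echo "OK   $1 ($mode $grp)"
}

# check_spool DIR GROUP: pass only if DIR is a directory writable by GROUP.
check_spool() {
    info=$(mode_and_group "$1")
    [ -n "$info" ] || { echo "MISSING $1"; return 2; }
    mode=${info%% *}; grp=${info#* }
    case $mode in
        d????w*) ;;
        *) echo "FAIL $1: not a group-writable directory ($mode)"; return 1 ;;
    esac
    [ "$grp" = "$2" ] || { echo "FAIL $1: group $grp, want $2"; return 1; }
    echo "OK   $1 ($mode $grp)"
}

# Audit the three paths named in the message; returns non-zero on any failure.
audit_layout() {
    rc=0
    check_binary "${SENDMAIL:-/usr/sbin/sendmail}" mail || rc=1
    for dir in /var/mail /var/spool/mqueue; do
        check_spool "$dir" mail || rc=1
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then audit_layout; fi
```

Run it with `--run` on the mail host; a binary that is still setuid is reported as a failure even when its group is already mail.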