From owner-freebsd-security Thu Aug 12 17:56:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (Postfix) with ESMTP id 9C2BA155B8 for ; Thu, 12 Aug 1999 17:56:10 -0700 (PDT) (envelope-from brett@lariat.org)
Received: from mustang (IDENT:ppp0.lariat.org@lariat.lariat.org [206.100.185.2]) by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id SAA14356 for ; Thu, 12 Aug 1999 18:54:18 -0600 (MDT)
Message-Id: <4.2.0.58.19990812185216.043c1160@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Thu, 12 Aug 1999 18:54:16 -0600
To: security@freebsd.org
From: Brett Glass
Subject: Another SMTP name-guessing attack
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yesterday, one of the hosts I administer was subjected to an account name guessing attack. The attack does not appear to have been mounted via a program previously mentioned on Bugtraq, but rather by a new program and/or by a homebrew script. Here's what the logs look like (I've changed the name of the host that was attacked, but nothing else):

Aug 11 21:15:54 myhost sendmail[5107]: VAA05107: ... User unknown
Aug 11 21:15:54 myhost sendmail[5107]: VAA05107: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:01 myhost sendmail[5119]: VAA05119: ... User unknown
Aug 11 21:16:01 myhost sendmail[5120]: VAA05120: ... User unknown
Aug 11 21:16:02 myhost sendmail[5119]: VAA05119: ... User unknown
Aug 11 21:16:02 myhost sendmail[5120]: VAA05120: ... User unknown
Aug 11 21:16:06 myhost sendmail[5120]: VAA05120: ... User unknown
Aug 11 21:16:07 myhost sendmail[5119]: VAA05119: ... User unknown
Aug 11 21:16:07 myhost sendmail[5126]: VAA05126: ... User unknown
Aug 11 21:16:08 myhost sendmail[5126]: VAA05126: ... User unknown
Aug 11 21:16:10 myhost sendmail[5126]: VAA05126: ... User unknown
Aug 11 21:16:10 myhost sendmail[5135]: VAA05135: ... User unknown
Aug 11 21:16:11 myhost sendmail[5137]: VAA05137: ... User unknown
Aug 11 21:16:11 myhost sendmail[5131]: VAA05131: <3@myhost.com>... User unknown
Aug 11 21:16:12 myhost sendmail[5132]: VAA05132: ... User unknown
Aug 11 21:16:12 myhost sendmail[5126]: VAA05126: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:12 myhost sendmail[5131]: VAA05131: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:12 myhost sendmail[5137]: VAA05137: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:12 myhost sendmail[5138]: NOQUEUE: Null connection from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5135]: VAA05135: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5137]: VAA05137: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5131]: VAA05131: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5135]: VAA05135: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5126]: VAA05126: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5136]: VAA05136: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5136]: VAA05136: from=, size=0, class=0, pri=0, nrcpts=1, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5132]: VAA05132: lost input channel from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5132]: VAA05132: from=, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5145]: NOQUEUE: SYSERR putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net) error on output channel sending "220 myhost.myhost.com ESMTP Sendmail 8.9.3/8.9.3; Wed, 11 Aug 1999 21:16:13 -0600 (MDT)" Broken pipe
Aug 11 21:16:13 myhost sendmail[5145]: NOQUEUE: SYSERR putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net) error on output channel sending "250 myhost.myhost.com Hello ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176], pleased to meet you" Broken pipe
Aug 11 21:16:13 myhost sendmail[5144]: NOQUEUE: SYSERR putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net) error on output channel sending "220 myhost.myhost.com ESMTP Sendmail 8.9.3/8.9.3; Wed, 11 Aug 1999 21:16:13 -0600 (MDT)" Broken pipe
Aug 11 21:16:13 myhost sendmail[5144]: NOQUEUE: SYSERR putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net) error on output channel sending "250 myhost.myhost.com Hello ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176], pleased to meet you" Broken pipe
Aug 11 21:16:13 myhost sendmail[5144]: NOQUEUE: Null connection from ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176]
Aug 11 21:16:13 myhost sendmail[5148]: NOQUEUE: SYSERR putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net) error on output channel sending "220 myhost.myhost.com ESMTP Sendmail 8.9.3/8.9.3; Wed, 11 Aug 1999 21:16:13 -0600 (MDT)" Broken pipe
Aug 11 21:16:13 myhost sendmail[5148]: NOQUEUE: SYSERR putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net) error on output channel sending "250 myhost.myhost.com Hello ip176.albuquerque3.nm.pub-ip.psi.net [38.29.68.176], pleased to meet you" Broken pipe
Aug 11 21:16:13 myhost sendmail[5119]: VAA05119: SYSERR putoutmsg (ip176.albuquerque3.nm.pub-ip.psi.net) error on output channel sending "550 ... User unknown" Broken pipe
Aug 11 21:16:13 myhost sendmail[5119]: VAA05119: ... User unknown

In short, it's guessing at common first and last names -- alone and with the digits 1 through 5 appended. It's making a separate connection for each name but is trying the combinations with appended digits on the same connection as the "bare" name. It doesn't seem to be sending more RCPT TO: commands until it receives the results of earlier ones, nor does it seem to send more than 6 commands per connection -- clearly an attempt to get by the preventive measures installed to defeat earlier scans of this kind.

Has anyone else seen this style of attack, or are we honored to be the first? Any ideas on how to patch Sendmail to thwart it? (FreeBSD's particular configuration for Sendmail seems particularly susceptible to this because it imposes a limit on connections; all legitimate mail stopped during the attack.)

--Brett Glass

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
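The scan described above stays under per-connection limits by opening a fresh connection for every name and sending only a handful of RCPT TO: commands on each, so the natural defender's check is to count "User unknown" rejections per source address across connections. The following is an added example, not code from the original message or from Sendmail: a small Python detector that correlates sendmail's rejection lines with the envelope line carrying `relay=` (the two share only the queue id) and flags any source that accumulates a threshold of unknown recipients inside a time window. The hostnames, addresses and IPs in the sample log are constructed (RFC 5737 documentation addresses), the log shape is modelled on the lines quoted in the post, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regular expressions for the sendmail 8.9 syslog shape quoted in the post:
#   Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: message
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sendmail\[(?P<pid>\d+)\]: (?P<qid>\S+): (?P<msg>.*)$"
)
UNKNOWN_RE = re.compile(r"^<(?P<rcpt>[^>]*)>\.\.\. User unknown$")
ENVELOPE_RE = re.compile(r"relay=(?P<relay>\S+) \[(?P<ip>[0-9.]+)\]$")

LOG_YEAR = 1999  # syslog lines carry no year; assumed for the constructed sample

# Constructed sample: one scanner (192.0.2.10) trying name, name1, name2... on
# short connections, plus one legitimate peer (198.51.100.5) with a single typo.
SAMPLE_LOG = """\
Aug 11 21:15:54 myhost sendmail[5107]: VAA05107: <ken@myhost.example>... User unknown
Aug 11 21:15:54 myhost sendmail[5107]: VAA05107: from=<>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=scanner.example.net [192.0.2.10]
Aug 11 21:16:01 myhost sendmail[5119]: VAA05119: <bob@myhost.example>... User unknown
Aug 11 21:16:01 myhost sendmail[5120]: VAA05120: <sue@myhost.example>... User unknown
Aug 11 21:16:02 myhost sendmail[5119]: VAA05119: <bob1@myhost.example>... User unknown
Aug 11 21:16:02 myhost sendmail[5120]: VAA05120: <sue1@myhost.example>... User unknown
Aug 11 21:16:06 myhost sendmail[5120]: VAA05120: <sue2@myhost.example>... User unknown
Aug 11 21:16:07 myhost sendmail[5119]: VAA05119: <bob2@myhost.example>... User unknown
Aug 11 21:16:07 myhost sendmail[5126]: VAA05126: <tom@myhost.example>... User unknown
Aug 11 21:16:08 myhost sendmail[5126]: VAA05126: <tom1@myhost.example>... User unknown
Aug 11 21:16:08 myhost sendmail[5119]: VAA05119: <bob3@myhost.example>... User unknown
Aug 11 21:16:09 myhost sendmail[5120]: VAA05120: <sue3@myhost.example>... User unknown
Aug 11 21:16:10 myhost sendmail[5126]: VAA05126: <tom2@myhost.example>... User unknown
Aug 11 21:16:10 myhost sendmail[5200]: VAA05200: <jsmth@myhost.example>... User unknown
Aug 11 21:16:10 myhost sendmail[5200]: VAA05200: from=<alice@partner.example>, size=2048, class=0, pri=32048, nrcpts=0, proto=ESMTP, relay=mail.partner.example [198.51.100.5]
Aug 11 21:16:12 myhost sendmail[5126]: VAA05126: lost input channel from scanner.example.net [192.0.2.10]
Aug 11 21:16:13 myhost sendmail[5119]: VAA05119: from=<>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=scanner.example.net [192.0.2.10]
Aug 11 21:16:13 myhost sendmail[5120]: VAA05120: from=<>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=scanner.example.net [192.0.2.10]
Aug 11 21:16:13 myhost sendmail[5126]: VAA05126: from=<>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=scanner.example.net [192.0.2.10]
"""


def parse_line(line):
    """Split one sendmail syslog line into timestamp, queue id and message text."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts.replace(year=LOG_YEAR), "qid": m["qid"], "msg": m["msg"]}


def attribute_unknowns(lines):
    """Return (timestamp, ip, qid, rcpt) for every 'User unknown' rejection.

    Sendmail logs the rejection and the envelope line (with relay=) separately,
    joined only by the queue id, so the source IP is resolved in a second pass.
    """
    parsed = [p for p in (parse_line(l) for l in lines) if p]
    relay_by_qid = {}
    for p in parsed:
        m = ENVELOPE_RE.search(p["msg"])
        if m:
            relay_by_qid[p["qid"]] = m["ip"]
    events = []
    for p in parsed:
        m = UNKNOWN_RE.match(p["msg"])
        if m and p["qid"] in relay_by_qid:
            events.append((p["ts"], relay_by_qid[p["qid"]], p["qid"], m["rcpt"]))
    return events


def detect_scans(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold unknown recipients inside `window`.

    Aggregating per source across connections is the point: a scanner that opens
    a new connection per name and keeps each one short never trips a
    per-connection limit, but it cannot hide from a per-source count.
    """
    by_ip = defaultdict(list)
    for ts, ip, qid, rcpt in attribute_unknowns(lines):
        by_ip[ip].append((ts, qid, rcpt))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        times = [e[0] for e in evs]
        # Sliding window: any run of `threshold` rejections within `window`?
        hit = any(times[i + threshold - 1] - times[i] <= window
                  for i in range(len(times) - threshold + 1))
        if hit:
            per_conn = defaultdict(int)
            for _, qid, _ in evs:
                per_conn[qid] += 1
            flagged[ip] = {
                "unknown_rcpts": len(evs),
                "connections": len(per_conn),
                "max_per_connection": max(per_conn.values()),
                "sample_rcpts": [e[2] for e in evs[:5]],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run against the sample, the scanner is reported with 12 unknown recipients spread over 4 connections (at most 4 per connection), while the legitimate peer's single typo is ignored; the `max_per_connection` figure is what shows that a per-connection cut-off alone would have let the scan through. The output is a candidate for blocking at the packet filter or in the MTA's access controls, which is the kind of response the post is asking about.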