Thread: Sendmail ?..

  1. #1
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002
    Posts
    352

    Question Sendmail ?..

    I recently got my Linux box online. I ran an nmap scan against myself and found only my ssh server and port 111 sun rpc open. And then from my other Windows box I ran GFI LANguard security scanner against the Linux box to scan for vulnerabilities. But the funny thing is that it finds a mail server open?? And I am 100% sure that I didn't install a mail server on the box. And the mail server ends in an extension of logs.proxy220.aol.com, when my Linux box has absolutely nothing to do with AOL whatsoever. I am a little confused on what is going on here, I mean it says I am running sendmail when I am sure that it is not running.
    I did ps -ax | grep sendmail and I still find nothing. No mail server ports open, no nothing. Think someone might be able to help me out on what is going on here? Thanks.
    "Serenity is not the absence of conflict, but the ability to cope with it."

  2. #2
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    What distro of Linux are you running?

    Could you be running Postfix?

    It is possible that the mail server is only bound to eth and not to the lo interface, but this seems unlikely.

    Try netstat -a | more on the suspect box to get a list of open and listening ports.

    I'd be tempted to think the LANguard is in some way fubar.
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  3. #3
    Check to see if you have port 25 open on your box. If you do, then you have a mail server running. Do a 'ps aux' and see if you can find sendmail or some other mail server program running. If you do, check in your rc.init* files and comment out the command to start your mail server.
    If we knew what distro of Linux you were running, we could give you a more precise command list.

  4. #4
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002
    Posts
    352
    At the time I am running Mandrake Linux 9.0. Even from the other box I ran Nmap and I found only my SSH server up. So there is no mail server running at the time. But thanks for your replies so far.

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    GFI Languard is notorious for false positives. From the console on the Linux box, telnet to 127.0.0.1 25 and see if you get a SendMail banner. If that doesn't work, try it with the port that GFI is reporting SendMail is running on.

    Do yourself a favor, get a hold of NESSUS. It is by far superior to GFI LanGuard.

    www.nessus.org

    You will need a Win32 and a *nix box but it sounds like you have it covered.



    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    Senior Member n01100110's Avatar
    Join Date
    Jan 2002
    Posts
    352
    Wow, sorry to get this thread active again. But there is a serious problem. I ran another security scanner against my system from a remote location and it still finds a mail server up and running, and the server has an AOL host name. I am very, very confused on what to do here. I even telnetted to the machine and was greeted by the sendmail daemon (this blew my mind). But when I run Nmap against the machine, it cannot find the mail server? I have a feeling this can present me with a very big security risk. Can someone help me out a little bit more? What confuses me more is the fact that I put ALL:ALL in my /etc/hosts.deny file, but still it lets me in the mail server? Could it be listening on a UDP port? Well, I've tried lots of things to figure this out, but I'm sure someone else can give me the lowdown, because I really don't want to get rooted by some kiddie and lose everything.

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    AOL has a mail proxy. Whether you have a server or not, it's going to show this. To see this for yourself, if you have AOL, netcat -vv or telnet to any address port 25.

    Like antionline.com 25:

    antionline.com [63.146.109.212] 25 (smtp) open
    220 logs-mtc-td.proxy.aol.com ESMTP Sendmail 8.12.9/8.12.9; Sun, 10 Aug 2003 20:11:26 -0400 (EDT)

  8. #8
    Yes, AOL hooks all SMTP (port 25) to itself. I had a similar problem with Norton Antivirus (forget which version). Norton AV has inbound/outbound email scanning and hooks all outbound port 110 (POP3) requests to itself.

    Well, let me tell you this was a major pain in the butt, as when I was doing security scans on my LAN, every server had a POP3 server running when I scanned from that machine. When I checked from another machine, they didn't.

    Unfortunately, it didn't snap immediately for me, so I spent some useless time trying to figure out what was going on until it clicked.

    Just remember, software and providers have the ability to redirect your traffic. So keep that in mind when running into these quirky issues.

    Grinler
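
The check the thread converges on (compare what the target itself is listening on with the host name in the SMTP greeting the scanner received) can be written down as follows. This is an added example, not code from any poster: the netstat output is a constructed sample, the banner is the one quoted in post #7, and the function names and the `own_hostnames` parameter are hypothetical.

```python
import re

# Constructed sample of `netstat -tln` output on the scanned Linux box:
# only sshd (22) and the RPC portmapper (111) are listening.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
"""

# Greeting quoted in the thread, received on port 25 over an AOL connection.
BANNER_SAMPLE = ("220 logs-mtc-td.proxy.aol.com ESMTP Sendmail 8.12.9/8.12.9; "
                 "Sun, 10 Aug 2003 20:11:26 -0400 (EDT)")

def listening_tcp_ports(netstat_output):
    """Return the set of TCP ports in LISTEN state from `netstat -tln` text."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def banner_hostname(banner):
    """Extract the host name an SMTP server announces in its 220 greeting."""
    m = re.match(r"220[ -](\S+)", banner.strip())
    return m.group(1).lower() if m else None

def classify_smtp_finding(netstat_output, banner, own_hostnames, port=25):
    """Decide whether a scanner's 'mail server found' result is local or in-path."""
    if port in listening_tcp_ports(netstat_output):
        return "local-listener"      # something on the box really owns the port
    host = banner_hostname(banner) if banner else None
    if host is None:
        return "no-service"          # nothing local and nothing answered
    if host in {h.lower() for h in own_hostnames}:
        return "inconsistent"        # banner names this box but no listener: dig deeper
    return "intercepted:" + host     # a proxy between scanner and target answered
```

Run the scan a second time from a vantage point that does not pass through the same ISP or local mail-scanning software, as post #8 did, to confirm an "intercepted" result.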
