Subject: Re: [FW-1] Loopback address spoofing
From: "Demetrio Leon Guerrero (DLG)" <leong AT LATTESTONE DOT NET>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 20 Feb 2004 11:10:16 -0500

There is a domain on the internet named "youpy.fr" that has an MX record
pointing to 127.0.0.2.

   > set query=mx
   > youpy.fr

   Non-authoritative answer:
   youpy.fr        preference = 10, mail exchanger = 127.0.0.2


If you are running Sendmail on your Solaris system, check /var/log/syslog
and see if there are any messages to/from user AT youpy DOT fr.

Hackers are attempting to see if they can connect to your system through
loopback.

There are several ways to fix this problem:

  1.  Make sure Sendmail "anti-spam" features are enabled.  Create a
      blacklist and add "youpy.fr" to it.

  2.  Create an SMTP Resource (using the SMTP Security Server) and
      block messages to/from "youpy.fr".

Good Luck.


On Fri, 20 Feb 2004, José María Gabaldón wrote:

> Hi guys,
>
> I have a little problem: we have a Solaris system running Check Point NG FP3,
> and everything works fine. However, in the logs we continuously get (maybe
> every 20 seconds or so) a drop log message that says:
> Source: localhost
> Destination: FW_EXTERNAL_IP_ADDRESS
> Source port: http
> Action: DROP
> Reason: Loopback address spoofing.
>
> I am guessing at what this log entry means: could it be some internal hacker
> really trying to spoof the loopback address of the firewall, or maybe
> is it just a misconfiguration? If so, how can I troubleshoot the problem?
>
> I hope you can help me, thanks in advance!
> _______________________________
>
> José María Gabaldón
> Network Security Engineer
> email: jgabaldon AT cybertech.com DOT ve
> www.cybertech.com.ve
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>
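
The syslog check suggested in the reply above, as an added example that is not part of the original message: it scans sendmail-style log lines for mail to/from a watched domain and for remote SMTP deliveries whose relay is a 127.0.0.0/8 address. The log lines are constructed samples, the function names are hypothetical, and treating only the "smtp" and "esmtp" mailers as remote is an assumption.

```python
import re

# Constructed sendmail-style syslog lines (not real logs; hosts are documentation names).
SAMPLE_SYSLOG = """\
Feb 20 11:02:41 fw1 sendmail[2211]: i1KG2fX2002211: from=<user@youpy.fr>, size=1204, nrcpts=1, proto=ESMTP, relay=mail.example.net [192.0.2.25]
Feb 20 11:02:42 fw1 sendmail[2213]: i1KG2fX2002211: to=<staff@example.com>, delay=00:00:01, mailer=local, stat=Sent
Feb 20 11:03:05 fw1 sendmail[2290]: i1KG35X2002290: to=<user@youpy.fr>, delay=00:00:00, mailer=esmtp, relay=[127.0.0.2] [127.0.0.2], stat=Deferred: Connection refused by [127.0.0.2]
Feb 20 11:04:10 fw1 sendmail[2301]: i1KG4AX2002301: to=<ops@example.com>, delay=00:00:00, mailer=relay, relay=[127.0.0.1] [127.0.0.1], stat=Sent
Feb 20 11:05:30 fw1 sendmail[2350]: i1KG5UX2002350: to=<bob@example.org>, delay=00:00:02, mailer=esmtp, relay=mx.example.org. [198.51.100.7], stat=Sent
"""

LINE_RE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)$")
DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+)")
LOOPBACK_RE = re.compile(r"\[127(?:\.\d{1,3}){3}\]")  # any bracketed 127.0.0.0/8 address
REMOTE_MAILERS = {"smtp", "esmtp"}  # assumption: mailers that should never deliver to loopback


def parse_fields(line):
    """Return the 'key=value, key=value' fields of a sendmail log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {"qid": m.group(1)}
    for part in m.group(2).split(", "):  # recipients inside to= are joined by ',' without a space
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def scan(log_text, watched_domains):
    """Return [(queue_id, [reasons])] for lines touching a watched domain or a loopback relay."""
    findings = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f is None:
            continue
        reasons = [f"{d} {dom.lower()}" for d in ("from", "to")
                   for dom in DOMAIN_RE.findall(f.get(d, ""))
                   if dom.lower().rstrip(".") in watched_domains]
        if f.get("mailer") in REMOTE_MAILERS and LOOPBACK_RE.search(f.get("relay", "")):
            reasons.append("remote delivery relayed to loopback")
        if reasons:
            findings.append((f["qid"], reasons))
    return findings


if __name__ == "__main__":
    print(scan(SAMPLE_SYSLOG, {"youpy.fr"}))
```

The loopback-relay rule fires without any domain list, so it also catches other domains whose MX points into 127.0.0.0/8.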
