Subject: Re: sendmail (crackish?) error message question...
To: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
From: Andrew Brown <codewarrior@daemon.org>
List: netbsd-help
Date: 12/16/1997 00:13:46
>> this is what you get if you *telnet* to the smtp port.  you can also
>> run sendmail in the same mode (e.g., smtp) from the command line.
>
>Hm... Since the message said it came from "root@localhost", does this mean
>that someone broke in, obtained root, and ran sendmail from a root shell?
>My logs didn't say anything about anyone becoming root at that time - I was
>on, at the time, and I didn't notice anything strange.

well...*something* must have run sendmail that way.  one of my users
was "having a little trouble" (even if he didn't notice it (he says he
didn't), i did, from the logs) with the rbl maps code in the
sendmail.cf and this particular user wouldn't even consider running
sendmail like that, so i can only assume that something he did made it
do that.  he uses pine for mail...that's the only clue i've got.
maybe you were root at the time?

>> so-and-so@localhost is what you get when sendmail can't do a
>> getpeername() because it doesn't have one.  :)
>
>What other ways are there to get that, besides running sendmail from the
>command line? If that's the *only* way this error comes about, then it
>seems like perhaps someone did break in, although I have no other traces
>other than the mail logs. That would be a bit distressing. Root can't
>telnet in - the only way to become root (that I know of) is to log in at
>the console, or log in as a user in group wheel and su. For that to happen,
>someone would have to have two passwords, and that's really unlikely, since
>my root password has never gone out over the net, and it's a mixed-case
>monstrosity anyway.

yeah, i know.  i feel exactly the same way about it.

>Here's my typical batch of processes running as root:
>
>update, telnetd, sendmail, syslogd, cron, ksh, <ksh>, init, inetd,
><slattach>, <getty>, <portmap>

about the only one i can think that might have done that would be
cron.  somehow...

>I'd love to have more ideas... What's the most likely explanation for this:
>
>Dec 14 22:43:28 acheron sendmail[1464]: NOQUEUE: Null connection from
>root@localhost

the only way i can reproduce it is as i indicated earlier...

>??? I know I didn't run it myself from the command line.
>
>> fwiw - this was also a bug in paul vixie's rbl map code for sendmail.
>
>I don't believe I'm running that... I'm running a fairly stock sendmail setup.

i am.  too much spam.  it cuts it down a bit...  :)

-- 
|-----< "CODE WARRIOR" >-----|
andrew@echonyc.com (TheMan)        * "ah!  i see you have the internet
codewarrior@daemon.org                               that goes *ping*!"
warfare@graffiti.com      * "information is power -- share the wealth."
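One way to triage such log lines, as an added example that is not part of this thread: a small Python parser that pulls out sendmail's "Null connection from" events and separates the user@localhost ones (sendmail run in SMTP mode with no socket peer, as described above) from network peers, so they can be matched against login, su and cron records for that time. Apart from the line quoted in the thread, the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. The first line is the one quoted in the thread; the
# others are made up to show what does and does not get flagged.
SAMPLE_LOG = """\
Dec 14 22:43:28 acheron sendmail[1464]: NOQUEUE: Null connection from root@localhost
Dec 14 22:44:01 acheron sendmail[1470]: WAA01470: from=<alice@example.net>, size=512, proto=ESMTP, relay=mail.example.net [192.0.2.10]
Dec 14 22:45:10 acheron sendmail[1477]: NOQUEUE: Null connection from mason@localhost
Dec 14 22:46:33 acheron sendmail[1480]: NOQUEUE: Null connection from mail.example.net [192.0.2.55]
"""

# Syslog prefix: "Mon DD HH:MM:SS host sendmail[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
NULL_CONN_RE = re.compile(r"^NOQUEUE: Null connection from (?P<peer>.+)$")


@dataclass
class NullConnection:
    timestamp: str
    host: str
    pid: int
    peer: str
    local_user: Optional[str]  # set when peer is user@localhost (no socket peer)


def find_null_connections(log_text: str) -> List[NullConnection]:
    """Return every 'Null connection' event, noting which came from a sendmail
    started on a non-socket (user@localhost) rather than over the network."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        n = NULL_CONN_RE.match(m.group("msg"))
        if not n:
            continue
        peer = n.group("peer")
        user = peer[: -len("@localhost")] if peer.endswith("@localhost") else None
        events.append(NullConnection(m.group("ts"), m.group("host"),
                                     int(m.group("pid")), peer, user))
    return events


def local_smtp_sessions(log_text: str) -> List[NullConnection]:
    """Only the events whose peer is a local user: the ones to correlate with
    that user's login, su and cron activity around the timestamp."""
    return [e for e in find_null_connections(log_text) if e.local_user is not None]
```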