
Re: [cobalt-security] sendmail hack?



--- Sean Ward <planxty@xxxxxxxx> wrote:
> 
> I have an entry in the logs like this:
> 
> 7 04:44:02 ns sendmail[306]: NOQUEUE: Null connection from 24-90-190-122.nyc.rr.com [24.90.190.122]
> Oct  7 05:00:40 ns in.qpopper[972]: (v?)
> 
> Followed by a legitimate pop login
> 
> After this, several logcheck files are considerably
> reduced (3K) and
> only show the following info:
> 
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Oct  7 05:30:45 ns named[554]: Cleaned cache of 19 RRsets
> Oct  7 05:30:45 ns named[554]: USAGE 1033986645 1033109953 CPU=5.73u/3.09s CHILDCPU=0u/0s
> Oct  7 05:30:45 ns named[554]: NSTATS 1033986645 1033109953 A=1716 NS=1 CNAME=6 SOA=3 PTR=2292 MX=971 TXT=1 AAAA=238 38=228 ANY=764
> Oct  7 05:30:45 ns named[554]: XSTATS 1033986645 1033109953 RR=3246 RNXD=92 RFwdR=2005 RDupR=0 RFail=5 RFErr=0 RErr=1 RAXFR=0 RLame=10 ROpts=0 SSysQ=1071 SAns=6905 SFwdQ=1476 SDupQ=134 SErr=0 RQ=7039 RIQ=1 RFwdQ=1476 RDupQ=3 RTCP=0 SFwdR=2005 SFail=0 SFErr=0 SNaAns=3319 SNXD=137 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
> 
> As well, virtual sites were unavailable for a period
> of time and the
> legitimate POP logins did not function.
> 
> Any ideas what I should do next?
> 
> Thanks,
> 
> Sean
> 
I know this isn't much help, but I've seen the same
person show up in my logs, quite a few times....BTW,
they have a Netopia router at that IP address, OPEN to
the public......nudge, nudge, wink, wink........

