RE: [cobalt-users] RaQ1: Hacker Login?
I've got the same problem, here's an extract from my secure log:
Mar 5 04:02:47 symbol ipop2d[8674]: connect from 130.251.169.187
Mar 5 04:02:47 symbol ipop2d[8673]: connect from 130.251.169.187
Mar 5 04:02:47 symbol ipop2d[8675]: connect from 130.251.169.187
Mar 5 04:02:47 symbol ipop2d[8676]: connect from 130.251.169.187
Mar 5 04:02:47 symbol ipop2d[8677]: connect from 130.251.169.187
Mar 5 04:02:47 symbol ipop2d[8678]: connect from 130.251.169.187
Mar 5 04:02:47 symbol ipop2d[8679]: connect from 130.251.169.187
Mar 5 04:02:47 symbol ipop2d[8680]: connect from 130.251.169.187
Mar 5 04:02:49 symbol ipop2d[8681]: connect from 130.251.169.187
Mar 5 04:02:49 symbol ipop2d[8682]: connect from 130.251.169.187
Mar 5 04:02:49 symbol ipop2d[8684]: connect from 130.251.169.187
Mar 5 04:02:49 symbol ipop2d[8683]: connect from 130.251.169.187
Mar 5 04:02:49 symbol ipop2d[8686]: connect from 130.251.169.187
Mar 5 04:02:49 symbol ipop2d[8685]: connect from 130.251.169.187
Mar 5 04:02:49 symbol ipop2d[8687]: connect from 130.251.169.187
Mar 5 04:02:50 symbol ipop2d[8688]: connect from 130.251.169.187
Mar 5 04:02:51 symbol ipop2d[8689]: connect from 130.251.169.187
Fortunately these are the only entries for 130.251.169.187. The domain seems
to be for a university in Italy - Universita' degli Studi di Genova.
-
Jason Wong
> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Erik O
> Sent: 16 March 2000 03:57
> To: cobalt-users@xxxxxxxxxxxxxxx; cw
> Subject: Re: [cobalt-users] RaQ1: Hacker Login?
>
>
> I don't have customers in Italy. Couldn't be.
>
> What has me concerned is that all my pop connections refer to [qpopper]
> and I can't rest until I find out what this [ipop2d] is that's
> allowing connections from .it
>
> Also, I've only had 2 connections to this service in the last month or
> so.
>
> Any ideas?
>
> Erik
>
> > cwickham@xxxxxxxxxxxxxxxx wrote:
> >
> > That looks like pop connections. But why it is in /var/log/secure I
> > don't know. From what I can tell that looks like nothing to worry
> > about. Just one of your customers popping their mail..... unless you
> > don't have any customers in Italy ;-)
> >
> > Charlie
> >
> > -----Original Message-----
> > From: Erik O [mailto:erik@xxxxxxxxx]
> > Sent: Wednesday, March 15, 2000 1:28 PM
> > To: cobalt-users@xxxxxxxxxxxxx; Brian Curtis; Mat Kovach; Joe Kerns
> > Subject: [cobalt-users] RaQ1: Hacker Login?
> >
> > I have a few strange logins recorded in /var/log/secure
> >
> > I can figure out what it is [ipop2d]. Here's the entry...
> >
> > Mar 13 18:55:37 ns ipop2d[21805]: connect from 207.253.51.131
> > Mar 13 18:55:37 ns ipop2d[21806]: connect from 207.253.51.131
> >
> > It has accepted connections from two IPs since the log rotated.
> >
> > 207.253.51.131
> > 130.251.169.187
> >
> > The last one resolves to ....
> > Name: ciclamino.dibe.unige.it
> >
> > I just don't like the looks of this. I can't seem to find this service
> > running anywhere.
> >
> > Help? :)
> >
> > Erik
> >
> > _______________________________________________
> > cobalt-users mailing list
> > cobalt-users@xxxxxxxxxxxxxxx
> > To Subscribe or Unsubscribe, please go to:
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
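As an added example that is not part of the original thread, the check below triages `connect from` entries like the ones quoted above: it flags any daemon/source pair that opens many connections within a few seconds and lists daemons the administrator did not expect to be answering. The sample reuses lines from the thread plus one constructed `qpopper` line; the function names, the 5-in-10-seconds threshold, the expected-daemon set and the year 2000 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s\S+\s([\w.-]+)\[\d+\]: connect from (\S+)$")

# Lines taken from the thread, plus one constructed qpopper entry (192.0.2.10).
SAMPLE = """\
Mar 5 04:02:47 symbol ipop2d[8674]: connect from 130.251.169.187
Mar 5 04:02:47 symbol ipop2d[8673]: connect from 130.251.169.187
Mar 5 04:02:47 symbol ipop2d[8675]: connect from 130.251.169.187
Mar 5 04:02:49 symbol ipop2d[8681]: connect from 130.251.169.187
Mar 5 04:02:49 symbol ipop2d[8682]: connect from 130.251.169.187
Mar 5 04:02:51 symbol ipop2d[8689]: connect from 130.251.169.187
Mar 13 18:55:37 ns ipop2d[21805]: connect from 207.253.51.131
Mar 13 18:55:37 ns ipop2d[21806]: connect from 207.253.51.131
Mar 14 09:10:02 ns qpopper[22010]: connect from 192.0.2.10
"""

def parse(text, year=2000):  # syslog omits the year; 2000 is an assumption
    """Return (timestamp, daemon, source_ip) for every 'connect from' line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def bursts(events, threshold=5, window=timedelta(seconds=10)):
    """Map (daemon, ip) to its peak connection count inside any window."""
    by_key = defaultdict(list)
    for ts, daemon, ip in events:
        by_key[(daemon, ip)].append(ts)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged

def unexpected_daemons(events, expected=frozenset({"qpopper"})):
    """Daemons accepting connections that are not on the expected list."""
    return sorted({daemon for _, daemon, _ in events} - expected)
```

On the sample, the Genova address is flagged for six `ipop2d` connections inside ten seconds, and `ipop2d` is reported as a daemon outside the expected set.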