
[cobalt-users] More Lame Server Thoughts & Help with Log "Security Violation" Message



> Message: 10
> From: "Rick Ewart" <cobalt@xxxxxxxxx>
> To: <cobalt-users@xxxxxxxxxxxxxxx>
> Date: Thu, 1 Feb 2001 07:55:59 -0500
> Subject: [cobalt-users] More Lame Server Thoughts & Help with Log "Security Violation" Message
> Reply-To: cobalt-users@xxxxxxxxxxxxxxx
>
> Hello all.
>
> Regarding your thread earlier with Carrie about Lame Servers, and my guess
> that they might be related to hacking attempts, I submit the following for
> comments. I received 2 lame server messages, each apparently re a different
> IP, 3 seconds before a port scan on my machine from that same IP.... See
> below log messages:
>
> Jan 31 16:53:57 www named[746]: Lame server on '132.48.58.211.in-addr.arpa' (in '58.211.in-addr.arpa'?): [147.47.1.1].53 'ns.kren.nm.kr'
> Jan 31 16:53:57 www named[746]: Lame server on '132.48.58.211.in-addr.arpa' (in '58.211.in-addr.arpa'?): [134.75.30.1].53 'ns.kreonet.re.kr'
> Jan 31 16:54:00 www portsentry[1386]: attackalert: SYN/Normal scan from
> host: 211.58.48.132/211.58.48.132 to TCP port: 111
>
> ALSO, I need help to see if anyone knows what this means, in English.... I
> regularly (every 15 min) get the following in my log, which is obviously
> related to active monitor checking my sendmail:
>
> Jan 31 16:30:03 www sendmail[13756]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> HOWEVER, today I received the following in my log (first time I have seen it
> where it is not from the loopback IP). Oddly enough it happens to be from a
> network in the same business as my clients (actually one part of their
> organization sorta "competes" with me). Anybody know why/how this came
> about? There were no login errors or anything like that. FYI - it is
> entirely possible that they were sending mail to a client - they probably do
> this fairly often, but nobody else causes this error.
>
> Jan 31 16:33:36 www sendmail[13899]: NOQUEUE: [208.139.215.51] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> Comments and thoughts are greatly appreciated.
> Rick Ewart
>
>
   OK, from what I understand, a lame server can be a DNS name that doesn't
resolve to a reachable IP.   I notice you're running portsentry.  The NOQUEUE
error: I get that both on my Cobalt and my Red Hat box at home.    For me it
is when a port scan using, say, SuperScan 2.06 produces that message.  Because
it is an active port on your system, portsentry doesn't pick it up as an
attack.

I can duplicate the error by doing
from a shell do - last -f messages
make sure the computer you're going to portscan from is allowed by portsentry.
Then portscan from 1-200  and you'll see the message pop up, or portscan the
port itself.  Not immediately, but it will show up within 5 minutes.
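The correlation Rick did by eye above (a "Lame server" line naming a reverse zone, then a portsentry alert from the matching IP a few seconds later) can be done mechanically. The name in the named line, '132.48.58.211.in-addr.arpa', is the PTR name for 211.58.48.132 with the octets reversed, so the two log sources can be joined on IP and time. The "host: 211.58.48.132/211.58.48.132" field in the portsentry line is its resolved-name/IP pair; both halves being the bare address is consistent with that PTR lookup having failed at the lame servers. The script below is an added example written for this page, not code from the thread or from portsentry or BIND. It assumes the log year is 2001 (syslog lines carry none), a 5-second correlation window, and a sample log constructed from the lines quoted in the post; it also pulls out NOQUEUE lines from anything other than the loopback, which is the second thing Rick asked about.

```python
"""Correlate BIND 'Lame server' lines, portsentry alerts and sendmail NOQUEUE lines.

Added example for the cobalt-users thread; not code from the list, portsentry
or BIND.  Runs offline on the constructed sample below.
"""
import re
from datetime import datetime, timedelta

# Assumption: syslog timestamps have no year; the thread dates from early 2001.
ASSUMED_YEAR = 2001

# Constructed sample: the lines quoted in the post, rejoined onto single lines.
SAMPLE_LOG = """\
Jan 31 16:30:03 www sendmail[13756]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 31 16:33:36 www sendmail[13899]: NOQUEUE: [208.139.215.51] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 31 16:53:57 www named[746]: Lame server on '132.48.58.211.in-addr.arpa' (in '58.211.in-addr.arpa'?): [147.47.1.1].53 'ns.kren.nm.kr'
Jan 31 16:53:57 www named[746]: Lame server on '132.48.58.211.in-addr.arpa' (in '58.211.in-addr.arpa'?): [134.75.30.1].53 'ns.kreonet.re.kr'
Jan 31 16:54:00 www portsentry[1386]: attackalert: SYN/Normal scan from host: 211.58.48.132/211.58.48.132 to TCP port: 111
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
LAME_RE = re.compile(TS + r" \S+ named\[\d+\]: Lame server on '(?P<name>[^']+)'")
PORTSENTRY_RE = re.compile(
    TS + r" \S+ portsentry\[\d+\]: attackalert: (?P<kind>.+?) from host: "
    r"(?P<ip>[\d.]+)/[\d.]+ to TCP port: (?P<port>\d+)")
NOQUEUE_RE = re.compile(
    TS + r" \S+ sendmail\[\d+\]: NOQUEUE: (?:\S+ )?\[(?P<ip>[\d.]+)\] "
    r"did not issue MAIL/EXPN/VRFY/ETRN")


def parse_ts(ts, year=ASSUMED_YEAR):
    """Turn 'Jan 31 16:53:57' into a datetime using the assumed year."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def ptr_name_to_ip(name):
    """'132.48.58.211.in-addr.arpa' -> '211.58.48.132'.

    Returns None for anything that is not a full four-octet IPv4 PTR name,
    e.g. the zone name '58.211.in-addr.arpa' that named also mentions.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:4]
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_events(text, year=ASSUMED_YEAR):
    """Extract the three event kinds from syslog text; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LAME_RE.match(line)
        if m:
            ip = ptr_name_to_ip(m.group("name"))
            if ip:  # a PTR lookup for a specific host, not a zone-level message
                events.append({"kind": "lame_ptr", "ts": parse_ts(m.group("ts"), year), "ip": ip})
            continue
        m = PORTSENTRY_RE.match(line)
        if m:
            events.append({"kind": "scan", "ts": parse_ts(m.group("ts"), year),
                           "ip": m.group("ip"), "port": int(m.group("port"))})
            continue
        m = NOQUEUE_RE.match(line)
        if m:
            events.append({"kind": "noqueue", "ts": parse_ts(m.group("ts"), year), "ip": m.group("ip")})
    return events


def correlate(text, window=timedelta(seconds=5), year=ASSUMED_YEAR):
    """For each portsentry alert, find lame-server PTR lookups of the same IP
    within `window` before it.  Returns one finding per correlated scan."""
    events = parse_events(text, year)
    findings = []
    for scan in (e for e in events if e["kind"] == "scan"):
        related = [e for e in events
                   if e["kind"] == "lame_ptr" and e["ip"] == scan["ip"]
                   and timedelta(0) <= scan["ts"] - e["ts"] <= window]
        if related:
            lead = scan["ts"] - min(e["ts"] for e in related)
            findings.append({"ip": scan["ip"], "port": scan["port"],
                             "ptr_lookups": len(related),
                             "lead_seconds": lead.total_seconds()})
    return findings


def foreign_noqueue(text, year=ASSUMED_YEAR):
    """IPs of NOQUEUE connections that are not the loopback monitor check."""
    return [e["ip"] for e in parse_events(text, year)
            if e["kind"] == "noqueue" and not e["ip"].startswith("127.")]


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"scan of port {f['port']} from {f['ip']}: "
              f"{f['ptr_lookups']} lame PTR lookups, first {f['lead_seconds']:.0f}s earlier")
    print("non-loopback NOQUEUE from:", foreign_noqueue(SAMPLE_LOG))
```

Run it as-is and it reports the one pairing from the post (two lame-server lines, three seconds ahead of the scan of port 111) and the single non-loopback NOQUEUE source, 208.139.215.51. Pipe a real /var/log/messages into `correlate()` instead of `SAMPLE_LOG` to test the hypothesis on more than one day; the window is a parameter because the lag depends on how long the resolver spends timing out against the lame servers.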