
RE: [cobalt-users] RaQ3 - strange message from system logs, hacker??



>I have been seeing this in my logs, is this normal or could it be hacker
>droppings left behind from when our server was compromised a couple of weeks
>ago. I noticed this after installing port sentry and log check. The only
>thing I have seen in crontab that runs at these times is SWATCH. and there
>is nothing in my 'cron.quarter-hourly' directory. If anyone could shed some
>light on this, it would be greatly appreciated.
>
>Mar  2 16:15:01 www imapd[31566]: Login failure user=Active_Monitor_69 host=localhost [127.0.0.1]
>Mar  2 16:30:01 www imapd[32229]: Login failure user=Active_Monitor_69 host=localhost [127.0.0.1]

Oh, oh! Mr. Kotttttter! I think I know the answer to this one! (Raising hand
like Arnold Horshack)

The Active_Monitor is something in your RAQ that checks to make sure your
various daemons/servers are running. If your web site goes down, or mail
server fails, it's this little checker-program that will trigger an email to
you to let you know.  It's normal, even healthy, to get these messages. If
you want to omit them from your reports, just add Active_Monitor_69 to your
logcheck.violations.ignore file and they'll disappear.

(And for those of you too young to know, or who live in Europe or outside
the USA...the Mr. Kotter reference is from the show "Welcome Back Kotter".
:) )

-Dee Dreslough
Raq newb...Journeywoman? :)
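
An added example, not part of the original post: it compares an ignore entry that is just the username with one tied to the loopback source shown in the quoted log lines. It assumes the ignore file is applied as extended-grep patterns that drop matching lines and that each log entry is a single line; the narrow pattern and the last two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample log. The first two lines follow the format quoted in the
# post; the last two are made-up remote attempts (documentation address range).
sample_log() {
cat <<'EOF'
Mar  2 16:15:01 www imapd[31566]: Login failure user=Active_Monitor_69 host=localhost [127.0.0.1]
Mar  2 16:30:01 www imapd[32229]: Login failure user=Active_Monitor_69 host=localhost [127.0.0.1]
Mar  2 16:41:17 www imapd[32301]: Login failure user=Active_Monitor_69 host=host.example.net [192.0.2.44]
Mar  2 16:42:03 www imapd[32310]: Login failure user=admin host=host.example.net [192.0.2.44]
EOF
}

# Broad ignore entry: the bare username, as suggested in the reply.
BROAD='Active_Monitor_69'

# Narrow ignore entry (assumption of this example): the same user, but only
# when the failure comes from the loopback address the monitor uses.
NARROW='imapd\[[0-9]+\]: Login failure user=Active_Monitor_69 host=localhost \[127\.0\.0\.1\]$'

# Lines that would still be reported after applying one ignore pattern,
# mimicking an ignore file applied with an inverted extended-grep match.
remaining() {
    sample_log | grep -E -v -- "$1"
}

# Number of lines still reported for a given ignore pattern.
count_remaining() {
    remaining "$1" | wc -l | tr -d ' '
}

echo "broad pattern still reports $(count_remaining "$BROAD") line(s):"
remaining "$BROAD"
echo
echo "narrow pattern still reports $(count_remaining "$NARROW") line(s):"
remaining "$NARROW"
```

With the bare username, a login failure for Active_Monitor_69 from a remote address is dropped from the report along with the monitor's own checks; the loopback-anchored entry keeps it visible.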