
[cobalt-users] Logcheck report
Hello all,

I have installed LogCheck-1.1.1 onto my Raq4r following every instruction
from the useful guide I found at UK2Raq.
Here is the guide I followed
http://www.uk2raq.com/raqfaq/raqfaqshow.php?faq=45

Everything seemed to work out perfectly with the install of LogCheck.

Does anybody know how to read / determine if the emails sent by LogCheck are
saying my Cobalt has been compromised or not?
I get a lot of this in a typical report...

----------------------------------------------------------------------------

Security Violations
=-=-=-=-=-=-=-=-=-=
May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
130.228.165.in-addr.arpa) from [165.228.129.5].53
May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
130.228.165.in-addr.arpa) from [165.228.129.5].53
May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
129.228.165.in-addr.arpa) from [165.228.129.5].53
May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
129.228.165.in-addr.arpa) from [165.228.129.5].53

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
May 30 04:02:54 www syslogd 1.3-3: restart.
May 30 04:06:58 www named[394]: Lame server on 'ns.cqcqptt.net.cn' (in
'cqcqptt.net.cn'?): [61.128.128.68].53 'ns.cta.net.cn'
May 30 04:07:10 www named[394]: Lame server on '39.195.98.202.in-addr.arpa'
(in '195.98.202.in-addr.arpa'?): [202.98.192.68].53 'ns.gzgyptt.net.cn'
May 30 04:07:13 www named[394]: Lame server on '156.74.142.61.in-addr.arpa'
(in '142.61.in-addr.arpa'?): [202.96.134.133].53 'ns.szptt.net.cn'
May 30 04:07:15 www named[394]: Lame server on '156.74.142.61.in-addr.arpa'
(in '142.61.in-addr.arpa'?): [202.96.128.68].53 'dns.guangzhou.gd.cn'
May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
130.228.165.in-addr.arpa) from [165.228.129.5].53
May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
130.228.165.in-addr.arpa) from [165.228.129.5].53
May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
129.228.165.in-addr.arpa) from [165.228.129.5].53
May 30 04:08:40 www named[394]: bad referral (228.165.in-addr.arpa !<
129.228.165.in-addr.arpa) from [165.228.129.5].53
May 30 04:08:41 www named[394]: Lame server on '26.177.126.131.in-addr.arpa'
(in '126.131.in-addr.arpa'?): [137.39.1.3].53 'NS.UU.NET'
May 30 04:15:02 www proftpd[12390]: www.mydomain.com.au
(localhost[127.0.0.1]) - FTP session opened.
May 30 04:15:02 www proftpd[12390]: www.mydomain.com.au
(localhost[127.0.0.1]) - FTP session closed.
May 30 04:30:01 www proftpd[12977]: www.mydomain.com.au
(localhost[127.0.0.1]) - FTP session opened.
May 30 04:30:01 www proftpd[12977]: www.mydomain.com.au
(localhost[127.0.0.1]) - FTP session closed.
May 30 04:45:00 www proftpd[13562]: www.mydomain.com.au
(localhost[127.0.0.1]) - FTP session opened.
May 30 04:45:00 www proftpd[13562]: www.mydomain.com.au
(localhost[127.0.0.1]) - FTP session closed.
May 30 04:50:26 www named[394]: Cleaned cache of 17 RRsets
May 30 04:50:26 www named[394]: USAGE 991162226 991144226 CPU=0.27u/0.09s
CHILDCPU=0u/0s
May 30 04:50:26 www named[394]: NSTATS 991162226 991144226 A=11 CNAME=1
SOA=172 PTR=223 MX=3 ANY=15
May 30 04:50:26 www named[394]: XSTATS 991162226 991144226 RR=496 RNXD=25
RFwdR=250 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=7 ROpts=0 SSysQ=185
SAns=362 SFwdQ=209 SDupQ=42 SErr=0 RQ=425 RIQ=0 RFwdQ=209 RDupQ=0 RTCP=0
SFwdR=250 SFail=0 SFErr=0 SNaAns=205 SNXD=36 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
May 30 05:00:01 www proftpd[14153]: www.mydomain.com.au
(localhost[127.0.0.1]) - FTP session opened.
May 30 05:00:01 www proftpd[14153]: www.mydomain.com.au
(localhost[127.0.0.1]) - FTP session closed.
----------------------------------------------------------------------------

None of the IPs listed in this report are mine, and for obvious reasons I
have removed my host and domain names.

I have read through the archives for this list and believe the lines by
proftpd ending in '- FTP session opened/closed.' are the active monitor. How
do I learn to suppress these or any lines in the report...

I just don't know how to read my hourly report...

Any help?
Thanks in advance...
regards,

Todd Kirk
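Added example, not part of Todd's post or of the logcheck distribution: a small POSIX sh script that reproduces the filtering step logcheck 1.x performs with its ignore file (my understanding of logcheck.sh is that lines matching any extended regex in logcheck.ignore are dropped with `egrep -i -v -f`; treat that as an assumption and check your own copy). The log lines are constructed from the shape of the report above with documentation addresses, and the patterns are deliberately anchored so that only the local active-monitor proftpd checks and routine named housekeeping are suppressed, while an FTP session from a remote address still reaches the report.

```shell
#!/bin/sh
# Added example: mimic the logcheck.ignore step of logcheck 1.x.
# Assumption: logcheck drops any line matching an extended regex in its
# ignore file via `egrep -i -v -f logcheck.ignore`.

# Constructed sample report lines (host/domain/addresses are placeholders).
SAMPLE_LOG=$(cat <<'EOF'
May 30 04:15:02 www proftpd[12390]: www.example.com.au (localhost[127.0.0.1]) - FTP session opened.
May 30 04:15:02 www proftpd[12390]: www.example.com.au (localhost[127.0.0.1]) - FTP session closed.
May 30 04:08:41 www named[394]: Lame server on '26.177.126.131.in-addr.arpa' (in '126.131.in-addr.arpa'?): [137.39.1.3].53 'NS.UU.NET'
May 30 04:50:26 www named[394]: Cleaned cache of 17 RRsets
May 30 04:50:26 www named[394]: USAGE 991162226 991144226 CPU=0.27u/0.09s CHILDCPU=0u/0s
May 30 04:16:30 www proftpd[12391]: www.example.com.au (198.51.100.7[198.51.100.7]) - FTP session opened.
May 30 04:16:31 www proftpd[12391]: www.example.com.au (198.51.100.7[198.51.100.7]) - FTP session closed.
EOF
)

# Candidate logcheck.ignore entries. Each pattern is anchored on the
# daemon name and, for proftpd, on the localhost client, so a session
# from any other address is NOT suppressed.
IGNORE_PATTERNS=$(cat <<'EOF'
proftpd\[[0-9]+\]: .*\(localhost\[127\.0\.0\.1\]\) - FTP session (opened|closed)\.$
named\[[0-9]+\]: Lame server on
named\[[0-9]+\]: (Cleaned cache of|USAGE|NSTATS|XSTATS)
EOF
)

# filter_report: read log lines on stdin, print the ones that survive
# the ignore patterns (i.e. what would still appear in the report).
filter_report() {
    pats=$(mktemp) || return 1
    printf '%s\n' "$IGNORE_PATTERNS" > "$pats"
    grep -E -i -v -f "$pats"
    rm -f "$pats"
}

# count_remaining: number of sample lines that still reach the report.
count_remaining() {
    printf '%s\n' "$SAMPLE_LOG" | filter_report | wc -l | tr -d ' '
}

# Stand-alone run: show what the report would contain after filtering.
printf '%s\n' "$SAMPLE_LOG" | filter_report
```

With these three patterns the two localhost proftpd checks and the three routine named lines disappear, and only the remote FTP session (the kind of line you do want to see) is left. The point of anchoring on `localhost[127.0.0.1]` rather than on `FTP session opened` alone is that a broad pattern would also hide real logins from outside; when adding ignore entries, always test them against lines you want to keep, not just the noise you want gone.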