[cobalt-users] Possibly OT: Maillog entries missing
- Subject: [cobalt-users] Possibly OT: Maillog entries missing
- From: "Edward Bishop" <eddie@xxxxxxxxxxxxxxxx>
- Date: Fri Jan 4 10:44:26 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi all
This refers to a RedHat 6.1 server, not my RaQ, but I think it's relevant to
this list. If it's not, sorry. I've been trying out other general Linux
lists and forums but I can't find one as active/helpful as this.
A few hours ago my maillog stopped recording "To" lines, then this morning
stopped showing POP logins. The "From" line for each email, whether incoming
or outgoing, still appears, and there are a lot of "Port 110 service init"s.
During the day before this happened, a few worrying things appeared in
messages - for example
Jan 3 03:38:24 ns ftpd: modemcable002.222-203-24.mtl.mc.videotron.ca: connected: IDLE
Jan 3 06:04:48 ns ftpd[25875]: ACCESS DENIED (not in any class) TO modemcable002.222-203-24.mtl.mc.videotron.ca [24.203.222.2]
Jan 3 06:04:48 ns ftpd[25875]: FTP LOGIN REFUSED (access denied) FROM modemcable002.222-203-24.mtl.mc.videotron.ca [24.203.222.2], anonymous
Jan 3 19:59:04 ns sshd[27240]: log: Connection from 194.6.9.132 port 1808
Jan 3 19:59:04 ns sshd[27240]: log: Could not reverse map address 194.6.9.132.
Jan 3 19:59:05 ns sshd[27240]: fatal: Local: Corrupted check bytes on input.
Jan 3 19:59:05 ns sshd[27241]: log: Connection from 194.6.9.132 port 1809
Jan 3 19:59:05 ns sshd[27241]: log: Could not reverse map address 194.6.9.132.
Jan 3 19:59:06 ns sshd[27242]: log: Connection from 194.6.9.132 port 1810
(Loads more of this with the port number incrementing, then a few like this:)
Jan 3 20:00:17 ns sshd[27310]: log: Could not reverse map address 194.6.9.132.
Jan 3 20:00:20 ns sshd[27310]: fatal: Local: crc32 compensation attack: network attack detected
Jan 3 20:00:20 ns sshd[27311]: log: Connection from 194.6.9.132 port 1861
Clearly this is some swine scanning for vulnerabilities. I'd be grateful for
any suggestions as to how I can find out if they've been successful, or
where I should start looking to find out what's wrong with maillog. I'm
concerned that the server is being used to send spam and tracks being
covered.
--
Eddie
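A defender-side way to triage sshd log lines like the ones in this post, as an added example that is not part of the original message: it pairs each "fatal: Local:" message with the source address of the connection that produced it (matched through the sshd process id) and flags sources that opened many connections within a short window. The log lines below are constructed in the same shape as the post's, and the burst threshold and window are assumed values, not anything the post recommends.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog shape shown in the post (not the poster's real log).
SAMPLE_LOG = """\
Jan 3 19:59:04 ns sshd[27240]: log: Connection from 194.6.9.132 port 1808
Jan 3 19:59:04 ns sshd[27240]: log: Could not reverse map address 194.6.9.132.
Jan 3 19:59:05 ns sshd[27240]: fatal: Local: Corrupted check bytes on input.
Jan 3 19:59:05 ns sshd[27241]: log: Connection from 194.6.9.132 port 1809
Jan 3 19:59:06 ns sshd[27242]: log: Connection from 194.6.9.132 port 1810
Jan 3 20:00:17 ns sshd[27310]: log: Connection from 194.6.9.132 port 1860
Jan 3 20:00:20 ns sshd[27310]: fatal: Local: crc32 compensation attack: network attack detected
Jan 3 20:00:20 ns sshd[27311]: log: Connection from 194.6.9.132 port 1861
Jan 3 21:15:02 ns sshd[27400]: log: Connection from 10.0.0.5 port 40001
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
CONN_RE = re.compile(TS + r" \S+ sshd\[(\d+)\]: log: Connection from (\S+) port \d+")
FATAL_RE = re.compile(TS + r" \S+ sshd\[(\d+)\]: fatal: Local: (.+)$")


def analyse_sshd(log_text, burst_threshold=3, window_seconds=120):
    """Return (fatal_events, bursty_sources).
    fatal_events: [(source, message)] with the source recovered by matching the sshd
    pid of the fatal line to the earlier 'Connection from' line carrying the same pid.
    bursty_sources: {source: peak connections inside any window_seconds span} for
    sources whose peak reached burst_threshold (assumed values, tune per site)."""
    pid_to_source = {}
    conns = defaultdict(list)
    fatal_events = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            ts, pid, src = m.groups()
            pid_to_source[pid] = src
            # Syslog timestamps carry no year; only the gaps between them matter here.
            conns[src].append(datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S"))
            continue
        m = FATAL_RE.match(line)
        if m:
            _, pid, msg = m.groups()
            fatal_events.append((pid_to_source.get(pid, "unknown"), msg))
    bursty = {}
    for src, times in conns.items():
        times.sort()
        peak = max(sum(1 for t in times[i:] if (t - times[i]).total_seconds() <= window_seconds)
                   for i in range(len(times)))
        if peak >= burst_threshold:
            bursty[src] = peak
    return fatal_events, bursty
```

Running it on the real /var/log/messages and /var/log/secure (instead of SAMPLE_LOG) gives a quick list of which addresses tripped sshd's integrity checks and how aggressively they connected, which is the starting point for deciding whether an account or host needs a closer look.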