
Re: [cobalt-users] Security Problem?



I have similar entries in my /var/log/messages from when I had the Security Hardening in Logging mode. I'm not sure, but I think this alertme function is logging into localhost as root. I noticed when I log in via ssh that the last login displayed is different from my actual one, and there is no IP address or hostname shown. Also, when I checked the source of the portscan alert message, it shows that it was sent from root@localhost!

Here is my log below:

Aug 18 14:35:36 ns paflogd[2031]: Cobalt Networks, Inc. 
Aug 18 14:35:36 ns paflogd[2031]: Phoenix Adaptive Firewall Log Daemon version 0.0.0 (V0207.10N4) 
Aug 18 14:35:36 ns pafalertd: Alert Server starting
Aug 18 14:35:36 ns pafalertd: Logging: alertme 1, actionlevel 0
Aug 18 14:35:36 ns pafalertd: Email: admin
Aug 18 14:35:36 ns pafalertd: another process is already active: pid = 1180
Aug 18 14:35:36 ns pafmgr[2032]: /usr/sbin/pafalertd[2036] terminated, restarting
Aug 18 14:35:36 ns modprobe: modprobe: Can't locate module eth2
Aug 18 14:35:41 ns pafalertd: Alert Server starting
Aug 18 14:35:41 ns pafalertd: Logging: alertme 1, actionlevel 0
Aug 18 14:35:41 ns pafalertd: Email: admin
Aug 18 14:35:41 ns pafalertd[2042]: Logging: alertme 1, actionlevel 0
Aug 18 14:35:41 ns pafalertd[2042]: Email: admin

Al-Juhani
aljuhani@xxxxxxxxx

----- Original Message ----- 
From: "Stephen Fletcher" <stephen.fletcher11@xxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Monday, August 19, 2002 12:01
Subject: [cobalt-users] Security Problem?


> Hi,
> 
> Please can anyone help? Today, out of the blue, I received the following warnings in my log. Please could anyone advise on what might have happened? I have the new Security Hardening Update on my Raq4.
> 
> Aug 18 04:30:03 www pidof[31879]: can't get program name from /proc/31877/stat 
> Aug 18 04:54:14 www pafalertd[1055]: Lets send some email
> Aug 18 04:55:18 www pafalertd[1055]: Lets send some email
> Aug 18 04:56:19 www pafalertd[1055]: Lets send some email
> Aug 18 04:57:30 www pafalertd[1055]: Lets send some email
> Aug 18 19:09:56 www paflogd[1049]: SIGTERM
> Aug 18 19:09:56 www paflogd[1645]: Cobalt Networks, Inc. 
> Aug 18 19:09:56 www pafalertd: Alert Server starting
> Aug 18 19:09:56 www paflogd[1645]: Phoenix Adaptive Firewall Log Daemon version 0.0.0 (V0207.10N4) 
> Aug 18 19:09:56 www pafalertd: Logging: alertme 1, actionlevel 0
> Aug 18 19:09:56 www pafalertd: Email: admin,stephen.fletcher11@xxxxxxxxxxxx
> Aug 18 19:09:56 www pafalertd: another process is already active: pid = 1053
> Aug 18 19:09:56 www pafmgr[1643]: /usr/sbin/pafalertd[1646] terminated, restarting
> Aug 18 19:09:56 www modprobe: modprobe: Can't locate module eth2
> Aug 18 19:10:01 www pafalertd: Alert Server starting
> Aug 18 19:10:01 www pafalertd: Logging: alertme 1, actionlevel 0
> Aug 18 19:10:01 www pafalertd: Email: admin,stephen.fletcher11@xxxxxxxxxxxx
> Aug 18 19:10:01 www pafalertd[1654]: Logging: alertme 1, actionlevel 0
> Aug 18 19:10:01 www pafalertd[1654]: Email: admin,stephen.fletcher11@xxxxxxxxxxxx
> Aug 19 04:02:25 www syslogd 1.3-3: restart.
> 
> Regards,
> 
> Stephen Fletcher
> stephen.fletcher11@xxxxxxxxxxxx
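The two logs above show the same pattern: pafalertd emitting alerts ("Lets send some email"), then pafmgr finding a second alert server already running and restarting it. The following triage script is an added example written for this page; it is not part of either post and not Cobalt's or Phoenix Adaptive Firewall code. It parses classic syslog lines, counts the alert-mail events, flags a burst of them (assumed threshold: three or more within five minutes), and extracts the duplicate-daemon and restart events so an admin can see at a glance whether the box was under a portscan or merely restarting its own firewall daemons. The sample lines are the ones quoted in the thread; the year 2002 is assumed because syslog lines carry no year.

```python
"""Triage helper for pafalertd / paflogd syslog lines (added example)."""
import re
from datetime import datetime, timedelta

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
# Message shapes taken from the thread's own log lines.
DUPLICATE_RE = re.compile(r"another process is already active: pid = (\d+)")
RESTART_RE = re.compile(r"(\S+)\[(\d+)\] terminated, restarting")


def parse_line(line, year=2002):
    """Return a dict for one syslog line, or None if it does not match.
    The year is an assumption: syslog timestamps do not carry one."""
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"],
            "pid": int(m["pid"]) if m["pid"] else None,
            "msg": m["msg"].strip()}


def find_bursts(times, threshold=3, window=timedelta(minutes=5)):
    """Group timestamps into non-overlapping bursts of >= threshold events
    that all fall within `window` of the first event in the group."""
    times = sorted(times)
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            bursts.append((times[i], times[j], count))
            i = j + 1
        else:
            i += 1
    return bursts


def analyze(lines, year=2002, threshold=3, window=timedelta(minutes=5)):
    """Summarise alert-daemon activity from a list of syslog lines."""
    report = {"alert_emails": [], "email_bursts": [], "daemon_starts": 0,
              "duplicate_daemons": [], "restarts": [], "unparsed": []}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line, year)
        if ev is None:
            report["unparsed"].append(line)
            continue
        if ev["prog"] == "pafalertd":
            if ev["msg"] == "Lets send some email":
                report["alert_emails"].append(ev["ts"])
            elif ev["msg"] == "Alert Server starting":
                report["daemon_starts"] += 1
            else:
                dup = DUPLICATE_RE.search(ev["msg"])
                if dup:
                    report["duplicate_daemons"].append(int(dup.group(1)))
        elif ev["prog"] == "pafmgr":
            rs = RESTART_RE.search(ev["msg"])
            if rs:
                report["restarts"].append(int(rs.group(2)))
    report["email_bursts"] = find_bursts(report["alert_emails"], threshold, window)
    return report


# Sample input: the lines quoted in Stephen's post (quote marks removed).
STEPHEN_LOG = [
    "Aug 18 04:30:03 www pidof[31879]: can't get program name from /proc/31877/stat",
    "Aug 18 04:54:14 www pafalertd[1055]: Lets send some email",
    "Aug 18 04:55:18 www pafalertd[1055]: Lets send some email",
    "Aug 18 04:56:19 www pafalertd[1055]: Lets send some email",
    "Aug 18 04:57:30 www pafalertd[1055]: Lets send some email",
    "Aug 18 19:09:56 www paflogd[1049]: SIGTERM",
    "Aug 18 19:09:56 www pafalertd: Alert Server starting",
    "Aug 18 19:09:56 www pafalertd: another process is already active: pid = 1053",
    "Aug 18 19:09:56 www pafmgr[1643]: /usr/sbin/pafalertd[1646] terminated, restarting",
    "Aug 18 19:09:56 www modprobe: modprobe: Can't locate module eth2",
    "Aug 18 19:10:01 www pafalertd: Alert Server starting",
    "Aug 19 04:02:25 www syslogd 1.3-3: restart.",
]
# Sample input: the lines from Al-Juhani's reply.
ALJUHANI_LOG = [
    "Aug 18 14:35:36 ns pafalertd: Alert Server starting",
    "Aug 18 14:35:36 ns pafalertd: another process is already active: pid = 1180",
    "Aug 18 14:35:36 ns pafmgr[2032]: /usr/sbin/pafalertd[2036] terminated, restarting",
    "Aug 18 14:35:41 ns pafalertd: Alert Server starting",
]

if __name__ == "__main__":
    for name, log in (("Stephen", STEPHEN_LOG), ("Al-Juhani", ALJUHANI_LOG)):
        r = analyze(log)
        print(f"{name}: {len(r['alert_emails'])} alert mails, bursts={r['email_bursts']}, "
              f"starts={r['daemon_starts']}, duplicate pids={r['duplicate_daemons']}, "
              f"restarted pids={r['restarts']}")
```

Run against Stephen's lines the script reports one burst of four alert mails between 04:54 and 04:57 (the only window in which the firewall actually alerted) and one duplicate-daemon restart at 19:09, which matches the startup sequence in Al-Juhani's log and is daemon housekeeping rather than an intrusion indicator.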