Re: [cobalt-users] help with logcheck entries
- From: "Andy Clyde, oxfordmusic.net" <andy.clyde@xxxxxxxxxxxxxxx>
- Date: Fri Oct 11 04:21:18 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> Do you have any cron jobs running, say once an hour that forward mail to
> some other server.
> SMTP does lookups and may be causing the entries.
> Also, the lame server is giving bad information or it may not be
> authoritative for the domain
>
no, i only have 2 cron jobs on the server i have been monitoring - one is
asp_monitor.sh and the other is a script that runs an asp script that tidies
up one of my databases. nothing that should involve email.
> well if it's occurring at the same time each hour then sniff the traffic just
> before by using snort like -
>
>
> and although you might catch some duff traffic you should see an entry in
> there like this -
>
</snip>
>
> again with ** as the requester and *** as your box.
>
> at least you can then track who's querying your DNS and it may provide you
> with a lead.
did this (piped the output to a temporary file). there's nothing in the file
that matched xtrac or the IP address listed in the log entry.
there is a load of ns stuff so i guess it's probably just some DNS server
doing its rounds and finding the lame server. not sure exactly how these
things work but it's probably nothing to worry about, right?
andy