Security Incidents mailing list archives
Re: Maillog Suspicious
From: chrisr () VERIMAIL COM (Christopher Rhodes)
Date: Wed, 12 Jan 2000 10:23:44 -0700
Oh, I didn't notice the debug command in there, it is too early. This mailer also didn't wrap those lines. It looks like your server is set up ok to me. You might want to contact this guy's administrator, and get him kicked off his account.

-------------------------------------------------------------------------
"Note: The information contained in this message and any attachments to it may be privileged and confidential. If the reader of this message is not the intended recipient or the recipient's appointed agent, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer."
-------------------------------------------------------------------------

On Wed, 12 Jan 2000, flirtingboy20 wrote:
Hi all,

I am a bit new to Linux administration, and am trying my best to make my box very secure. So I've looked at my log files in /var/log and found something very strange. Here is the log:

Dec 26 01:47:29 MOD2000 sendmail[1054]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:47:51 MOD2000 sendmail[1062]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:47:52 MOD2000 sendmail[1057]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:47:55 MOD2000 sendmail[1067]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: "debug" command from pa149.zgora.ppp.tpnet.pl [212.160.14.149] (212.160.14.149)
Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:48:01 MOD2000 sendmail[1071]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
Dec 26 01:48:02 MOD2000 sendmail[1072]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn news
Dec 26 01:48:02 MOD2000 sendmail[1074]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn postmaster
Dec 26 01:48:03 MOD2000 sendmail[1075]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn majordomo
Dec 26 01:48:04 MOD2000 sendmail[1076]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn decode
Dec 26 01:48:05 MOD2000 sendmail[1077]: NOQUEUE: pa149.zgoraE.ppp.tpnet.pl [212.160.14.149]: expn root
Dec 26 01:48:05 MOD2000 sendmail[1070]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: EXPN attack?
Dec 26 01:48:06 MOD2000 sendmail[1078]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn admin
Dec 26 01:50:27 MOD2000 sendmail[1086]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]

Can anyone tell me exactly what this all means? Oh yeah, and another thing: which files do I check to look for port probing?

Many Thanks
Adriaan
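
Added example (not part of the original posts): a small Python pass over sendmail NOQUEUE lines like those quoted above, grouping events by client IP and flagging hosts that sent a "debug" command or ran EXPN against several names. The function names, the min_names threshold and the 192.0.2.10 sample line are assumptions made for this example.

```python
import re
from collections import defaultdict

# First six lines are taken from the log quoted above; the 192.0.2.10 line is constructed.
SAMPLE_LOG = """\
Dec 26 01:47:29 MOD2000 sendmail[1054]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: "debug" command from pa149.zgora.ppp.tpnet.pl [212.160.14.149] (212.160.14.149)
Dec 26 01:48:01 MOD2000 sendmail[1071]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
Dec 26 01:48:02 MOD2000 sendmail[1072]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn news
Dec 26 01:48:02 MOD2000 sendmail[1074]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn postmaster
Dec 26 01:48:05 MOD2000 sendmail[1070]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: EXPN attack?
Dec 26 02:10:11 MOD2000 sendmail[1101]: NOQUEUE: Null connection from mail.example.org [192.0.2.10]
"""

LINE = re.compile(r"sendmail\[\d+\]: NOQUEUE: (?P<msg>.*)$")
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed client address
EXPN = re.compile(r"\]: expn (\S+)", re.I)          # name the client asked to expand

def summarize(log_text):
    """Group pre-queue (NOQUEUE) sendmail events by client IP."""
    hosts = defaultdict(lambda: {"null": 0, "debug": 0, "probed": set(), "flagged": False})
    for line in log_text.splitlines():
        m, ip = LINE.search(line), IP.search(line)
        if not (m and ip):
            continue
        msg, h = m.group("msg"), hosts[ip.group(1)]
        if msg.startswith("Null connection"):
            h["null"] += 1                  # connected, sent no mail
        elif '"debug" command' in msg:
            h["debug"] += 1                 # old sendmail DEBUG probe
        elif msg.endswith("attack?"):
            h["flagged"] = True             # sendmail's own "EXPN attack?" warning
        elif (p := EXPN.search(msg)):
            h["probed"].add(p.group(1).lower())
    return hosts

def suspicious(hosts, min_names=3):
    """Return {ip: [reasons]} for hosts whose events look like SMTP reconnaissance."""
    out = {}
    for ip, h in hosts.items():
        reasons = ["debug command"] if h["debug"] else []
        if h["flagged"] or len(h["probed"]) >= min_names:
            reasons.append("expn enumeration: " + ",".join(sorted(h["probed"])))
        if reasons:
            out[ip] = reasons
    return out

if __name__ == "__main__":
    print(suspicious(summarize(SAMPLE_LOG)))
```

A single null connection, as from the constructed 192.0.2.10 host, is not flagged on its own; only the debug command or repeated EXPN lookups mark a host.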