Security Incidents mailing list archives

Re: Maillog Suspicious


From: chrisr () VERIMAIL COM (Christopher Rhodes)
Date: Wed, 12 Jan 2000 10:23:44 -0700


        Oh, I didn't notice the debug command in there, it is too early.
This mailer also didn't wrap those lines.

It looks like your server is set up ok to me.  You might want to contact
this guy's administrator, and get him kicked off his account.


On Wed, 12 Jan 2000, flirtingboy20 wrote:

Hi all, I am a bit new to Linux administration, and am trying my best to make my box very secure. So I've looked at my log files in /var/log and found something very strange. Here is the log:

Dec 26 01:47:29 MOD2000 sendmail[1054]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:47:51 MOD2000 sendmail[1062]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:47:52 MOD2000 sendmail[1057]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:47:55 MOD2000 sendmail[1067]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: "debug" command from pa149.zgora.ppp.tpnet.pl [212.160.14.149] (212.160.14.149)
Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:48:01 MOD2000 sendmail[1071]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
Dec 26 01:48:02 MOD2000 sendmail[1072]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn news
Dec 26 01:48:02 MOD2000 sendmail[1074]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn postmaster
Dec 26 01:48:03 MOD2000 sendmail[1075]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn majordomo
Dec 26 01:48:04 MOD2000 sendmail[1076]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn decode
Dec 26 01:48:05 MOD2000 sendmail[1077]: NOQUEUE: pa149.zgoraE.ppp.tpnet.pl [212.160.14.149]: expn root
Dec 26 01:48:05 MOD2000 sendmail[1070]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: EXPN attack?
Dec 26 01:48:06 MOD2000 sendmail[1078]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn admin
Dec 26 01:50:27 MOD2000 sendmail[1086]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]

Can anyone tell me exactly what this all means?

Oh yeah, and another thing: which files do I check to look for port probing?

Many Thanks
Adriaan
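
Added example (not part of the original posts): a small Python script that groups the three sendmail event shapes seen in the quoted log by source IP and flags a source that issued "debug" or expanded several account names. The threshold of three names and the last sample line (192.0.2.10) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Lines taken from the log quoted in the post (wrapped lines rejoined).
# The final line (192.0.2.10) is constructed, to show a source that is not flagged.
SAMPLE_LOG = """\
Dec 26 01:47:29 MOD2000 sendmail[1054]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: "debug" command from pa149.zgora.ppp.tpnet.pl [212.160.14.149] (212.160.14.149)
Dec 26 01:48:01 MOD2000 sendmail[1071]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
Dec 26 01:48:02 MOD2000 sendmail[1072]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn news
Dec 26 01:48:02 MOD2000 sendmail[1074]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn postmaster
Dec 26 01:48:03 MOD2000 sendmail[1075]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn majordomo
Dec 26 01:48:04 MOD2000 sendmail[1076]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn decode
Dec 26 01:48:06 MOD2000 sendmail[1078]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn admin
Dec 26 01:50:27 MOD2000 sendmail[1086]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 02:10:11 MOD2000 sendmail[1101]: NOQUEUE: Null connection from host.example.net [192.0.2.10]
"""

# Common syslog prefix, then the three sendmail event shapes seen in that log.
PREFIX = r"^\w{3} +\d+ [\d:]{8} \S+ sendmail\[\d+\]: NOQUEUE: "
NULL_RE = re.compile(PREFIX + r"Null connection from \S+ \[([\d.]+)\]")
DEBUG_RE = re.compile(PREFIX + r'"debug" command from \S+ \[([\d.]+)\]')
EXPN_RE = re.compile(PREFIX + r"\S+ \[([\d.]+)\]: expn (\S+)")


def summarize(log_text, expn_threshold=3):
    """Group probe events by source IP; expn_threshold is an assumed cut-off."""
    stats = defaultdict(lambda: {"null": 0, "debug": 0, "expn": []})
    for line in log_text.splitlines():
        if m := NULL_RE.match(line):
            stats[m.group(1)]["null"] += 1
        elif m := DEBUG_RE.match(line):
            stats[m.group(1)]["debug"] += 1
        elif m := EXPN_RE.match(line):
            stats[m.group(1)]["expn"].append(m.group(2))
    report = {}
    for ip, s in stats.items():
        names = sorted(set(s["expn"]))  # distinct account names asked about
        report[ip] = {
            "null_connections": s["null"],
            "debug_commands": s["debug"],
            "expn_targets": names,
            # Flag a source that tried "debug" or enumerated several accounts.
            "suspicious": s["debug"] > 0 or len(names) >= expn_threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```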


