Date:      Mon, 25 Nov 2002 16:53:09 -0600
From:      "Mike Loiterman" <mloiterman@ameritech.net>
To:        "'Matthew Emmerton'" <matt@gsicomp.on.ca>, <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Cracker attack...is my system compromised?
Message-ID:  <005d01c294d5$6d622a50$0302a8c0@mike>
In-Reply-To: <021701c294d4$c3583270$1200a8c0@gsicomp.on.ca>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> -----Original Message-----
> From: Matthew Emmerton [mailto:matt@gsicomp.on.ca]
> Sent: Monday, November 25, 2002 4:48 PM
> To: mloiterman@Ameritech.Net; freebsd-questions@FreeBSD.ORG
> Subject: Re: Cracker attack...is my system compromised?
> 
> > On to my question:
> >
> > The past few days have seen some strange activity in my log
> > files. 
> 
> You're freaking out at "normal" error messages.
> 
> > 11/25/2002 Security Report:
> > 25 02:14:46 fat_man sendmail[16217]: gAP8Ekh16217: SYSERR: putoutmsg (www.nakorinthias.gr): error on output channel sending "220 fat_man.ascendency.net ESMTP Sendmail 8.11.6/8.11.6; Mon, 25 Nov 2002 02:14:46 -0600 (CST)": Broken pipe
> 
> All this means is that www.nakorinthias.gr dropped a SMTP session
> without aborting or closing first.  This usually occurs when the
> connection times out or gets dropped.
> 
> > 11/24/2002 Security Report
> > > 44:59 fat_man last message repeated 2 times
> > > Nov 23 16:23:03 fat_man sshd[80281]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
> > > Nov 23 16:24:32 fat_man sshd[80292]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
> 
> This means that a host listed in /etc/hosts.allow doesn't resolve
> to the same name forwards and backwards.  This is a DNS problem
> with [www|ns].craftworks.co.jp.
> 
> > > arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
> > > Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
> > > arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
> > > Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
> > > arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
> > > Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
> > > arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> > > Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> > > arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
> > > Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
> > > arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> > > Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> > > arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
> > > Nov 23 18:31:39 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
> 
> This means that you've got one machine (192.168.1.4) with two
> network cards plugged into the same hub.  These messages are
> FreeBSD saying "hey, traffic for this IP came from one NIC
> (00:06:25:10:e0:03) and now it's coming from another
> (00:80:c6:fa:9f:21).".  This is a problem with your network setup. 
> 
> > 11/23/2002 Daily run report
> > fat_man.ascendency.net group diffs:
> > 16a17
> > > cyrus:*:60:daemon
> > 30d30
> > < cyrus:*:60:daemon
> >
> > Whats going on here?
> 
> Have you cvsup'd -STABLE lately and run mergemaster, or have you
> reinstalled/upgraded the mail/cyrus port?  This was discussed on
> -stable not too long ago.
> 
> > I just changed most of my passwords and changed the root password
> > to an 18 digit alpha numeric string.  I have SMTP-AUTH on and
> > working all relays have been turned off.  I checked my
> > /etc/hosts, groups, passwd as well as "last" and everything
> > appears to be secure.  I have restricted sshd to only one
> > particular IP.  Firewalled off all unnecessary ports and removed
> > everything possible from hosts.allow. I'm running 8.11.6
> > sendmail, but can't find the version of ssh.  Do I need to do
> > anything else?  This appears to be a program running various
> > probes to determine my systems security level.  Am I wrong? 
> 
> It's nice to see that you've tightened up security, but you're
> freaking out waaaay too much.  All of this is just "normal" error
> logging.
> 
> --
> Matt


Thanks for the reassurance. I guess I can rest easy now...

...........................................
Randomly Generated Quote:
My life has Chinese music torture          
playing in the background.                 

Mike Loiterman
PGP Key 0xD1B9D18E
http://www.ascendency.net


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
Comment: Message digitally signed by Mike Loiterman

iQA/AwUBPeKp1GjZbUnRudGOEQKMkgCeP9fLOH4GASyMOZ4wo5ISI9lf44MAnjzi
na1tinhngPPRVcMzuPWQSyRP
=pcd3
-----END PGP SIGNATURE-----


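The "arp: ... moved" messages in the thread are what FreeBSD logs whenever an address it already has in its ARP cache answers from a different MAC. Matt's reading (a second interface on the same hub) is the benign cause; an ARP-spoofing tool fighting the real host for an address produces exactly the same lines. Reducing the noise to a per-address summary makes it much easier to judge which one you are looking at. The script below is an added example for this thread, not code from the message or from FreeBSD. It parses the kernel lines quoted above (copied from the message and re-split one entry per line, the untimestamped duplicates dropped), counts how often each address bounces back to the MAC it just left within a time window, and lists MACs that have been recorded as the owner of more than one address. The year, the window and the flap threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# The kernel "arp: ... moved" lines quoted in the message above, one per line.
ARP_LOG = """\
Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 18:31:39 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
"""

# syslog timestamp, host, "/kernel:" (older FreeBSD) or "kernel:" tag, then the message.
ARP_MOVED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ /?kernel: "
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) moved from "
    r"(?P<old>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}) to "
    r"(?P<new>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}) on (?P<ifname>\S+)$"
)


def parse_arp_moves(text, year=2002):
    """Return the arp-moved events found in syslog text, oldest first.

    Syslog lines carry no year, so one is assumed (2002 for the thread's log).
    Lines that are not arp-moved messages (sshd, sendmail, ...) are skipped.
    """
    events = []
    for line in text.splitlines():
        m = ARP_MOVED.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "old": m["old"].lower(),
                       "new": m["new"].lower(), "ifname": m["ifname"]})
    events.sort(key=lambda e: e["ts"])
    return events


def triage(events, window_minutes=30, flap_threshold=2):
    """Summarise arp-moved events per IP and per MAC.

    A "reversal" is a move back to the MAC the address just left, within
    window_minutes of the previous move. An address with at least
    flap_threshold reversals is "flapping": two interfaces are answering for
    it, which is what both a second NIC on the same hub and a spoofer fighting
    the real host look like. MACs recorded as the new owner of more than one
    address are listed separately; an aliased or NAT interface does that
    legitimately, a spoofer does it too, so the inventory decides.
    """
    by_ip = defaultdict(list)
    ips_by_mac = defaultdict(set)
    for e in events:
        by_ip[e["ip"]].append(e)
        ips_by_mac[e["new"]].add(e["ip"])

    ips = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        reversals = 0
        for prev, cur in zip(evs, evs[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if cur["new"] == prev["old"] and gap <= window_minutes * 60:
                reversals += 1
        if reversals >= flap_threshold:
            status = "flapping"
        elif reversals:
            status = "bounced"
        else:
            status = "moved"
        macs = sorted({e["old"] for e in evs} | {e["new"] for e in evs})
        ips[ip] = {"macs": macs, "moves": len(evs),
                   "reversals": reversals, "status": status}

    shared = {mac: sorted(v) for mac, v in ips_by_mac.items() if len(v) > 1}
    return {"ips": ips, "macs_claiming_many": shared}


def report(result):
    """Render the triage result as text lines, addresses in numeric order."""
    lines = []
    for ip in sorted(result["ips"], key=lambda a: tuple(int(o) for o in a.split("."))):
        info = result["ips"][ip]
        lines.append(f"{ip}: {info['status']} ({info['moves']} moves, "
                     f"{info['reversals']} reversals) MACs: {', '.join(info['macs'])}")
    for mac, owned in sorted(result["macs_claiming_many"].items()):
        lines.append(f"{mac} recorded as owner of {len(owned)} addresses: "
                     f"{', '.join(owned)} (check against inventory)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(parse_arp_moves(ARP_LOG)))))
```

Run against the thread's own lines, 192.168.1.4 comes out as flapping between two MACs over seven minutes, 192.168.1.2 bounced once, 192.168.1.1 moved once and stayed, and 00:06:25:10:e0:03 was recorded as the owner of both .2 and .4. That last line is the one to check against what is actually plugged into the hub; the log alone cannot tell a dual-homed box from a spoofer.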