Date: Mon, 25 Nov 2002 17:48:24 -0500
From: "Matthew Emmerton" <matt@gsicomp.on.ca>
To: <mloiterman@ameritech.net>, <freebsd-questions@FreeBSD.ORG>
Subject: Re: Cracker attack...is my system compromised?
Message-ID: <021701c294d4$c3583270$1200a8c0@gsicomp.on.ca>
References: <005c01c294d2$977fe6e0$0302a8c0@mike>
> On to my question:
>
> The past few days have seen some strange activity in my log files.

You're freaking out at "normal" error messages.

> 11/25/2002 Security Report:
> 25 02:14:46 fat_man sendmail[16217]: gAP8Ekh16217: SYSERR: putoutmsg
> (www.nakorinthias.gr): error on output channel sending "220
> fat_man.ascendency.net ESMTP Sendmail 8.11.6/8.11.6; Mon, 25 Nov 2002
> 02:14:46 -0600 (CST)": Broken pipe

All this means is that www.nakorinthias.gr dropped an SMTP session without
aborting or closing first. This usually occurs when the connection times out
or gets dropped.

> 11/24/2002 Security Report
> > 44:59 fat_man last message repeated 2 times
> > Nov 23 16:23:03 fat_man sshd[80281]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
> > Nov 23 16:24:32 fat_man sshd[80292]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp

This means that a host listed in /etc/hosts.allow doesn't resolve to the same
name forwards and backwards. This is a DNS problem with
[www|ns].craftworks.co.jp.

> > arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
> > Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
> > arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
> > Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
> > arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
> > Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
> > arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> > Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> > arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
> > Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
> > arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> > Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> > arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
> > Nov 23 18:31:39 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0

This means that you've got one machine (192.168.1.4) with two network cards
plugged into the same hub. These messages are FreeBSD saying "hey, traffic
for this IP came from one NIC (00:06:25:10:e0:03) and now it's coming from
another (00:80:c6:fa:9f:21)." This is a problem with your network setup.

> 11/23/2002 Daily run report
> fat_man.ascendency.net group diffs:
> 16a17
> > cyrus:*:60:daemon
> 30d30
> < cyrus:*:60:daemon
>
> What's going on here?

Have you cvsup'd -STABLE lately and run mergemaster, or have you
reinstalled/upgraded the mail/cyrus port? This was discussed on -stable not
too long ago.

> I just changed most of my passwords and changed the root password to
> an 18 digit alpha numeric string. I have SMTP-AUTH on and working;
> all relays have been turned off. I checked my /etc/hosts, groups,
> passwd as well as "last" and everything appears to be secure. I have
> restricted sshd to only one particular IP, firewalled off all
> unnecessary ports and removed everything possible from hosts.allow.
> I'm running 8.11.6 sendmail, but can't find the version of ssh. Do I
> need to do anything else? This appears to be a program running
> various probes to determine my system's security level. Am I wrong?

It's nice to see that you've tightened up security, but you're freaking out
waaaay too much. All of this is just "normal" error logging.

--
Matt
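The arp "moved" messages quoted in this thread can be triaged mechanically rather than by eye. The following is an added example, not code from the thread or from FreeBSD: it parses kernel arp lines in the format shown above, tracks per-IP MAC changes, and labels each IP with a heuristic that is this example's own assumption (a two-MAC flap is the two-NICs-on-one-hub case described in the reply; a single move looks like replaced hardware; anything else should be checked by hand). The sample log is constructed from the addresses quoted above.

```python
import re

# FreeBSD kernel "arp: ... moved" message, with or without the syslog prefix
# ("Nov 23 16:57:41 fat_man /kernel: ").
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d+(?:\.\d+){3}) moved from (?P<old>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r" to (?P<new>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifname>\w+)"
)

# Constructed sample, using the addresses quoted in the thread above.
SAMPLE_LOG = """\
Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 16:23:03 fat_man sshd[80281]: warning: /etc/hosts.allow, line 23: host name/name mismatch
"""

def parse_arp_moves(text):
    """Return (ip, old_mac, new_mac, ifname) for each arp 'moved' line; other lines are skipped."""
    return [(m["ip"], m["old"], m["new"], m["ifname"])
            for m in map(ARP_MOVED.search, text.splitlines()) if m]

def summarize(moves):
    """Per IP: MACs seen, number of moves, and whether the IP ever went back to a MAC it had left."""
    summary = {}
    for ip, old, new, _ifname in moves:
        s = summary.setdefault(ip, {"macs": set(), "moves": 0, "flapping": False})
        if new in s["macs"]:          # returning to an earlier MAC: two stations answer for this IP
            s["flapping"] = True
        s["macs"].update((old, new))
        s["moves"] += 1
    return summary

def triage(summary):
    """Heuristic labels (this example's assumption, not a rule from the thread): a two-MAC flap
    is the two-NICs-on-one-hub case the reply describes; one move looks like replaced hardware."""
    verdicts = {}
    for ip, s in summary.items():
        if s["flapping"] and len(s["macs"]) == 2:
            verdicts[ip] = "two NICs answering for one IP on the same segment"
        elif s["moves"] == 1:
            verdicts[ip] = "single change, e.g. replaced hardware"
        else:
            verdicts[ip] = "several MACs, verify which host owns this address"
    return verdicts
```

Run over a full /var/log/messages the same functions show which addresses flap repeatedly (a persistent configuration problem) and which changed once (a hardware swap); only the remaining category needs a closer look.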