[NCLUG] FW: strange message sent to root
Mike Loseke
mike at verinet.com
Tue Feb 27 08:58:34 MST 2001
Thus spake Michael Dwyer:
> > hey folks, i just got about 20 of these messages in about 5 seconds. anyone
> > know what's going on here? this is a slackware 7.1 system.
>
> > [211.118.21.87]
> > No one logged on.
>
> I've never seen anything like that before on a Slack system. Check the
> system logs (/var/log/messages) for any further mail traces. Also, check the
> crontabs (crontab -l <username>) to see if there is a timed event causing
> these. It LOOKS like it was sent local-to-local, so it is likely from your
> local machine. Did you recently install some intrusion detection software?
You do realize that this is output from tcp_wrappers detecting someone
attempting to scan or hit a service on your box for which this trap has
been sent, correct?
What happened was that someone was scanning your box for open ports.
Seems that tcp_wrappers is listening to them and configured to do a
safe_finger back at them to try to determine who was logged on there.
Check /etc/inetd.conf, I'll bet stuff is being run by tcpd.
--
Mike Loseke | If at first you don't succeed,
mike at verinet.com | increase the amperage.
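
Added example, not part of the original message: a small shell check for the setup the reply describes, listing inetd services started through tcpd and access rules that run a command such as safe_finger. The sample files are constructed, and the hosts.deny rule is modelled on the booby-trap example in hosts_access(5); on a real system pass /etc/inetd.conf, /etc/hosts.allow and /etc/hosts.deny instead.

```shell
#!/bin/sh
# Added example (not from the original post).

# Print "service<TAB>daemon" for each active inetd.conf line whose server
# program (field 6) is tcpd; field 7 is the real daemon tcpd will start.
wrapped_services() {
    awk '!/^[ \t]*(#|$)/ && $6 ~ /(^|\/)tcpd$/ { print $1 "\t" $7 }' "$1"
}

# Print "file:line: rule" for access rules that run a command on a match:
# the spawn/twist options, or any rule calling safe_finger.
# Lines continued with a trailing backslash are joined first.
command_rules() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v f="$f" '
            { line = buf $0 }
            /\\$/ { sub(/\\$/, "", line); buf = line
                    if (!start) start = NR; next }
            { n = start ? start : NR; buf = ""; start = 0 }
            line !~ /^[ \t]*#/ && line ~ /(spawn|twist|safe_finger)/ {
                print f ":" n ": " line }
        ' "$f"
    done
}

# Constructed sample files, written into directory $1.
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  wu.ftpd -l -i -a
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
time    stream  tcp  nowait  root    internal
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
EOF
    cat > "$1/hosts.deny" <<'EOF'
# constructed sample
ALL: ALL: spawn (/usr/sbin/safe_finger -l @%h | \
    /bin/mail -s %d-%h root) &
EOF
}

d=$(mktemp -d) && write_samples "$d"
wrapped_services "$d/inetd.conf"
command_rules "$d/hosts.allow" "$d/hosts.deny"
rm -rf "$d"
```

A rule reported by command_rules on a wrapped service is what produces one mail to root per refused connection, which is why a port scan arrives as a burst of messages.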