[NCLUG] FW: strange message sent to root
Mike Loseke
mike at verinet.com
Tue Feb 27 09:24:18 MST 2001
Thus spake mike cullerton:
> on 2/27/01 9:12 AM, Mike Loseke at mike at verinet.com wrote:
>
> > Thus spake mike cullerton:
> >> on 2/27/01 8:58 AM, Mike Loseke at mike at verinet.com wrote:
> >>>
> >>> You do realize that this is output from tcp_wrappers detecting someone
> >>> attempting to scan or hit a service on your box for which this trap has
> >>> been sent, correct?
> >>>
> >>> What happened was that someone was scanning your box for open ports.
> >>> Seems that tcp_wrappers is listening to them and configured to do a
> >>> safe_finger back at them to try to determine who was logged on there.
> >>>
> >>> Check /etc/inetd.conf, I'll bet stuff is being run by tcpd.
> >>
> >> mike, i don't understand what you are trying to tell me here. my inetd.conf
> >> only has time, ftp, cvspserver and imap2.
> >
> > Do they look something like this:
> >
> > imap stream tcp nowait root /usr/sbin/tcpd imapd
> >
> > /usr/sbin/tcpd is the tcp_wrappers program. It references /etc/hosts.allow
> > and /etc/hosts.deny for what to do in certain situations.
>
> that much i understand. but why is it mailing me?
It's probably configured to do so. For instance, in my /etc/hosts.deny, I
have the following line corresponding to the imap entry in /etc/inetd.conf:

    imapd: ALL: spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root) &

and in /etc/hosts.allow:

    imapd: 10.1.1. 127.0.0.1

So, for any hosts not in 10.1.1.0/24 or on localhost who connect to the
imap port, the command in parens after 'spawn' in /etc/hosts.deny is run.

Do you have a similar config in place?

--
Mike Loseke | If at first you don't succeed,
mike at verinet.com | increase the amperage.
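
Added example, not part of the original message: a simplified Python model of the lookup order described above (hosts.allow first, then hosts.deny), using the two rules quoted in the message. It assumes only ALL, trailing-dot prefix and exact-address client patterns, expands %h to the client address, and uses constructed client addresses.

```python
# Added illustration (not from the message): simplified tcpd access lookup.
# Rules are copied from the message; the client addresses are constructed.
HOSTS_ALLOW = "imapd: 10.1.1. 127.0.0.1\n"
HOSTS_DENY = ("imapd: ALL: spawn (/usr/sbin/safe_finger -l @%h | "
              "/bin/mail -s %d-%h root) &\n")

def parse(text):
    """Return [(daemons, clients, option)] for each non-comment rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            continue
        option = fields[2] if len(fields) == 3 else ""
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split(), option))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "10.1.1." matches on the address prefix
        return addr.startswith(pattern)
    return pattern == addr             # exact address

def first_match(rules, daemon, addr):
    for daemons, clients, option in rules:
        if (daemon in daemons or "ALL" in daemons) and \
                any(client_matches(c, addr) for c in clients):
            return option
    return None

def decide(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return (granted, spawned_command): hosts.allow first, then hosts.deny."""
    if first_match(parse(allow), daemon, addr) is not None:
        return True, None              # allow match wins; hosts.deny is not read
    option = first_match(parse(deny), daemon, addr)
    if option is None:
        return True, None              # no rule in either file: access granted
    if not option.startswith("spawn"):
        return False, None
    # Assumption: %h expands to the address (no reverse DNS in this model)
    return False, option[5:].strip().replace("%d", daemon).replace("%h", addr)

if __name__ == "__main__":
    print([decide("imapd", ip) for ip in ("10.1.1.42", "10.1.10.5", "192.0.2.7")])
```

Note that 10.1.10.5 is denied: the pattern "10.1.1." is a string prefix including the trailing dot, so it does not cover 10.1.10.x.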