[NCLUG] FW: strange message sent to root

mike cullerton michaelc at cullerton.com
Tue Feb 27 09:33:05 MST 2001


on 2/27/01 9:24 AM, Mike Loseke at mike at verinet.com wrote:

> Thus spake mike cullerton:
>> on 2/27/01 9:12 AM, Mike Loseke at mike at verinet.com wrote:
>> 
>>> Thus spake mike cullerton:
>>>> on 2/27/01 8:58 AM, Mike Loseke at mike at verinet.com wrote:
>>>>> 
>>>>> You do realize that this is output from tcp_wrappers detecting someone
>>>>> attempting to scan or hit a service on your box for which this trap has
>>>>> been sent, correct?
>>>>> 
>>>>> What happened was that someone was scanning your box for open ports.
>>>>> Seems that tcp_wrappers is listening to them and configured to do a
>>>>> safe_finger back at them to try to determine who was logged on there.
>>>>> 
>>>>> Check /etc/inetd.conf, I'll bet stuff is being run by tcpd.
>>>> 
>>>> mike, i don't understand what you are trying to tell me here. my inetd.conf
>>>> only has time, ftp, cvspserver and imap2.
>>> 
>>> Do they look something like this:
>>> 
>>> imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
>>> 
>>> /usr/sbin/tcpd is the tcp_wrappers program. It references /etc/hosts.allow
>>> and /etc/hosts.deny for what to do in certain situations.
>> 
>> that much i understand. but why is it mailing me?
> 
> It's probably configured to do so. For instance, in my /etc/hosts.deny, I
> have the following line corresponding to the imap entry in /etc/inetd.conf:
> 
> imapd:   ALL: spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root) &
> 
> and in /etc/hosts.allow:
> 
> imapd:  10.1.1. 127.0.0.1
> 
> So, for any hosts not in 10.1.1.0/24 or on localhost who connect to the
> imap port, the command in parens after 'spawn' in /etc/hosts.deny is run.
> 
> Do you have a similar config in place?

not that i can find.

imap2   stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/imapd

hmmm... i'm wondering if tcp-wrappers can be set up like this in general.
i'm reading man pages now...

 -- mike cullerton
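
The check discussed in this thread (which inetd services run under tcpd, and whether /etc/hosts.allow or /etc/hosts.deny attaches a command to them) can be scripted. This is an added example, not part of the original thread; the function names and sample files are constructed, and it recognises only the `spawn` and `twist` option keywords, not the older syntax where the third field is a bare shell command.

```shell
# Added example: report which tcpd-wrapped inetd services have an access rule
# that runs a command (spawn or twist). Function names are hypothetical.

# Daemon names tcpd looks up (basename of argv[0]) for tcpd-wrapped services.
wrapped_daemons() {  # $1 = inetd.conf-style file
    awk '!/^[ \t]*#/ && $6 ~ /(^|\/)tcpd$/ { n = split($7, p, "/"); print p[n] }' "$1" | sort -u
}

# Rules carrying a spawn/twist option, printed as "<daemon_list><TAB><option>".
command_rules() {  # $1 = hosts.allow or hosts.deny-style file
    awk '
    { line = line $0 }
    /\\$/ { sub(/\\$/, "", line); next }       # join backslash-continued lines
    { rule = line; line = "" }
    rule ~ /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
    match(rule, /:[ \t]*(spawn|twist)[ \t]/) {
        daemons = rule; sub(/[ \t]*:.*/, "", daemons)
        cmd = substr(rule, RSTART + 1); sub(/^[ \t]+/, "", cmd)
        print daemons "\t" cmd
    }' "$1"
}

# For each wrapped daemon, print the command rules that name it or ALL.
audit() {  # $1 = inetd.conf, remaining args = access files
    conf=$1; shift
    for d in $(wrapped_daemons "$conf"); do
        for f in "$@"; do
            command_rules "$f" | awk -F '\t' -v d="$d" -v f="$f" '{
                n = split($1, names, /[ \t,]+/)
                for (i = 1; i <= n; i++) {
                    sub(/@.*/, "", names[i])   # daemon@host form: keep daemon
                    if (names[i] == d || names[i] == "ALL") { print d ": " f ": " $2; break }
                }
            }'
        done
    done
}

# Constructed sample files modelled on the lines quoted in the thread.
make_samples() {  # $1 = directory to write into
    printf '%s\n' 'imap2   stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/imapd' \
        'time    stream  tcp     nowait  root    internal' > "$1/inetd.conf"
    printf '%s\n' 'imapd:   ALL: spawn (/usr/sbin/safe_finger -l @%h | \' \
        '    /bin/mail -s %d-%h root) &' > "$1/hosts.deny"
    printf '%s\n' 'imapd:  10.1.1. 127.0.0.1' > "$1/hosts.allow"
}

tmp=$(mktemp -d); make_samples "$tmp"
audit "$tmp/inetd.conf" "$tmp/hosts.allow" "$tmp/hosts.deny"
rm -rf "$tmp"
```

On a real host, call `audit /etc/inetd.conf /etc/hosts.allow /etc/hosts.deny` instead of the sample run at the bottom.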