[NCLUG] FW: strange message sent to root
mike cullerton
michaelc at cullerton.com
Tue Feb 27 09:33:05 MST 2001
on 2/27/01 9:24 AM, Mike Loseke at mike at verinet.com wrote:
> Thus spake mike cullerton:
>> on 2/27/01 9:12 AM, Mike Loseke at mike at verinet.com wrote:
>>
>>> Thus spake mike cullerton:
>>>> on 2/27/01 8:58 AM, Mike Loseke at mike at verinet.com wrote:
>>>>>
>>>>> You do realize that this is output from tcp_wrappers detecting someone
>>>>> attempting to scan or hit a service on your box for which this trap has
>>>>> been sent, correct?
>>>>>
>>>>> What happened was that someone was scanning your box for open ports.
>>>>> Seems that tcp_wrappers is listening to them and configured to do a
>>>>> safe_finger back at them to try to determine who was logged on there.
>>>>>
>>>>> Check /etc/inetd.conf, I'll bet stuff is being run by tcpd.
>>>>
>>>> mike, i don't understand what you are trying to tell me here. my inetd.conf
>>>> only has time, ftp, cvspserver and imap2.
>>>
>>> Do they look something like this:
>>>
>>> imap stream tcp nowait root /usr/sbin/tcpd imapd
>>>
>>> /usr/sbin/tcpd is the tcp_wrappers program. It references /etc/hosts.allow
>>> and /etc/hosts.deny for what to do in certain situations.
>>
>> that much i understand. but why is it mailing me?
>
> It's probably configured to do so. For instance, in my /etc/hosts.deny, I
> have the following line corresponding to the imap entry in /etc/inetd.conf:
>
> imapd: ALL: spawn (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root) &
>
> and in /etc/hosts.allow:
>
> imapd: 10.1.1. 127.0.0.1
>
> So, for any hosts not in 10.1.1.0/24 or on localhost who connect to the
> imap port, the command in parens after 'spawn' in /etc/hosts.deny is run.
>
> Do you have a similar config in place?
not that i can find.
imap2 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/imapd
hmmm... i'm wondering of tcp-wrappers can be set up like this in general.
i'm reading man pages now...
-- mike cullerton
More information about the NCLUG
mailing list