[NCLUG] FW: strange message sent to root
Charles Clarke
clarke at clarkecomputer.com
Tue Feb 27 08:49:19 MST 2001
What is the surrounding context in the log?
Did you check for control characters (cat -v works great)?
You might want to bump up some of your logging levels.
Also, when I'm feeling paranoid, I use lastcomm |more to see
what was run around the same time.
The other suggestions of checking for compromises are also very
important.
charles
On Mon, 26 Feb 2001, mike cullerton wrote:
> on 2/26/01 10:18 AM, Michael Dwyer at mdwyer at sixthdimension.com wrote:
>
> >> hey folks, i just got about 20 of these messages in about 5 seconds. anyone
> >> know what's going on here? this is a slackware 7.1 system.
> >
> >> [211.118.21.87]
> >> No one logged on.
> >
> > I've never seen anything like that before on a Slack system. Check the
> > system logs (/var/log/messages) for any further mail traces. Also, check the
> > crontabs (crontab -l <username>) to see if there is a timed event causing
> > these. It LOOKS like it was sent local-to-local, so it is likely from your
> > local machine. Did you recently install some intrusion detection software?
>
> haven't installed anything new lately. in fact, the last couple months i've
> been spending most of my free time learning as much as i can about my system
> and how it works. there isn't much going on in my box. i went thru the logs
> with my boss today and nothing stands out.
>
> and, i got 44 more of these this morning between 3:48 and 4:21. different ip
> address (212.17.69.221), but all 44 had the same ip address. i traced to it
> and it exists.
>
> weird... especially that there's no real clue as to where/what they come
> from.
>
>
> -- mike cullerton
--------------------------------------------------------------------------
Domain hosting from $15/month with error log analysis and link checking.
http://www.clarkecomputer.com/sig.html domains at clarkecomputer.com
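
The control-character check suggested in the reply above (cat -v), as an added example that is not part of the original post: it lists only the log lines that contain control bytes other than tab and newline, with line numbers and the bytes made visible. The function names and the sample log lines are constructed for illustration; `grep -a` assumes GNU or BSD grep.

```shell
#!/bin/sh
# Added example: find log lines that hide content behind control characters
# (escape sequences, carriage returns, backspaces) and show them cat -v style.

# Bracket expression matching bytes 0x01-0x08, 0x0B-0x1F and 0x7F,
# i.e. every control character except tab (0x09) and newline (0x0A).
CTRL_CLASS=$(printf '[\001-\010\013-\037\177]')

# Print "lineno:line" for each suspicious line, control bytes rendered
# visibly (ESC becomes ^[, carriage return becomes ^M).
flag_control_lines() {
    LC_ALL=C grep -n -a -- "$CTRL_CLASS" "$1" | cat -v
}

# Print how many lines of the file contain such bytes (0 if none).
count_control_lines() {
    LC_ALL=C grep -c -a -- "$CTRL_CLASS" "$1" || true
}

# Constructed sample log: line 2 carries an ESC "erase line" sequence and
# line 3 a carriage return that overwrites the first half on a terminal.
make_sample_log() {
    printf 'Feb 26 10:18:01 host daemon[101]: normal entry\n'
    printf 'Feb 26 10:18:02 host daemon[102]: \033[2Kconnect\n'
    printf 'Feb 26 10:18:03 host login: FAILED\rFeb 26 10:18:03 host ok\n'
    printf 'Feb 26 10:18:04 host cron[104]:\tjob done\n'
}

# Usage: sh script.sh /var/log/messages
if [ "$#" -gt 0 ]; then
    flag_control_lines "$1"
fi
```

Lines that come back from this are the ones worth reading in full with cat -v, since a plain cat or more on a terminal may not show what they actually contain.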