[NCLUG] FW: strange message sent to root

Charles Clarke clarke at clarkecomputer.com
Tue Feb 27 08:49:19 MST 2001


What is the surrounding context in the log?
Did you check for control characters (cat -v works great)?
You might want to bump up some of your logging levels.
Also, when I'm feeling paranoid, I use lastcomm |more to see
what was run around the same time.

The other suggestions of checking for compromises are also very
important.

charles

On Mon, 26 Feb 2001, mike cullerton wrote:

> on 2/26/01 10:18 AM, Michael Dwyer at mdwyer at sixthdimension.com wrote:
> 
> >> hey folks, i just got about 20 of these messages in about 5 seconds. anyone
> >> know what's going on here? this is a slackware 7.1 system.
> > 
> >> [211.118.21.87]
> >> No one logged on.
> > 
> > I've never seen anything like that before on a Slack system.  Check the
> > system logs (/var/log/messages) for any further mail traces.  Also, check the
> > crontabs (crontab -l <username>) to see if there is a timed event causing
> > these.  It LOOKS like it was sent local-to-local, so it is likely from your
> > local machine.  Did you recently install some intrusion detection software?
> 
> haven't installed anything new lately. in fact, the last couple months i've
> been spending most of my free time learning as much as i can about my system
> and how it works. there isn't much going on in my box. i went thru the logs
> with my boss today and nothing stands out.
> 
> and, i got 44 more of these this morning between 3:48 and 4:21. different ip
> address (212.17.69.221), but all 44 had the same ip address. i traced to it
> and it exists.
> 
> weird... especially that there's no real clue as to where/what they come
> from.
> 
> 
>  -- mike cullerton
> 
> 
> 


--------------------------------------------------------------------------
 Domain hosting from $15/month with error log analysis and link checking.
 http://www.clarkecomputer.com/sig.html       domains at clarkecomputer.com
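
The two log checks suggested in the reply above (look for control characters the way `cat -v` shows them, and read the surrounding context), as an added example that is not part of the original thread. The function names, the temporary file path and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample lines and paths are constructed.

# Print the line numbers of lines that contain control bytes other than tab.
ctrl_lines() {
    # tr drops tabs without changing line numbering; LC_ALL=C makes the
    # match byte-wise; -a stops grep from treating the log as binary.
    tr -d '\t' < "$1" | LC_ALL=C grep -a -n '[[:cntrl:]]' | cut -d: -f1
}

# Show each flagged line with N lines of context (default 2), with the
# control bytes made visible by cat -v (ESC as ^[, CR as ^M, DEL as ^?).
ctrl_context() {
    file=$1
    ctx=${2:-2}
    for n in $(ctrl_lines "$file"); do
        start=$((n - ctx))
        [ "$start" -lt 1 ] && start=1
        echo "== control characters on line $n =="
        sed -n "${start},$((n + ctx))p" "$file" | cat -v
    done
}

# Write a constructed sample log: line 3 hides text behind an ESC sequence
# and a carriage return, line 4 has only a harmless tab, line 5 has a DEL.
make_sample() {
    {
        printf 'Feb 26 10:18:01 host sendmail[101]: from=root, size=120\n'
        printf 'Feb 26 10:18:01 host inetd[102]: connection from 192.0.2.10\n'
        printf 'Feb 26 10:18:02 host app[103]: user=\033[2Khidden\rFeb 26 ok\n'
        printf 'Feb 26 10:18:03 host cron[104]:\t(root) CMD (run-parts)\n'
        printf 'Feb 26 10:18:04 host app[105]: name=abc\177def\n'
    } > "$1"
}

# Run with --demo to see the output on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample="${TMPDIR:-/tmp}/sample.log"
    make_sample "$sample"
    ctrl_context "$sample" 1
fi
```

A plain `cat` or `more` of the sample would let the terminal act on line 3's escape sequence and carriage return, which is why the rendering goes through `cat -v`.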



