On Tue, Jul 23, 2002 at 09:21:39PM -0400 or thereabouts, [EMAIL PROTECTED] wrote:

Yes, someone is trying to get in.  There are several things you can do to
avoid this.  One, you can DROP or REJECT the IP addresses, or blocks of
addresses, from iptables so they will be blocked before they get in.  You
can also set up IMAP with SSL, using Courier IMAP, etc.  Have you checked
your SMTP logs?  Chances are they are trying to relay there too.  If you
are running another type of firewall, I am sure you can block blocks of
addresses from there. I would also do an nmap on your box; they may have
set up a server in your system (chat servers are popular), depending on
what your logs show. I would also send a copy of your logs to
[EMAIL PROTECTED] and connexus.net.au. You also might want to consider
running tripwire.


 
> Subject: Wierd maillogs - hackers perhaps?
 
> On a client's machine I am seeing the following in /var/log/secure:
> Jul 24 09:38:57 server xinetd[712]: START: pop3 pid=9265 from=203.206.48.98
> Jul 24 09:38:57 server xinetd[9265]: USERID: pop3 UNIX : StyleZdark
> 
> but in /var/log/maillog I see:
> Jul 24 09:38:57 server ipop3d[9265]: pop3 service init from 203.222.73.162
> Jul 24 09:38:58 server ipop3d[9265]: Login user=adam
> host=203-206-48-98-dial.froggy.com.au [203.206.48.98] nmsgs=0/0
> Jul 24 09:38:59 server ipop3d[9265]: Logout user=adam
> host=203-206-48-98-dial.froggy.com.au [203.206.48.98] nmsgs=0 ndele=0
 
> The POP3 usernames don't match up and neither do the host IP addresses!  The
> connection is made from 203.222.73.162 but 203.206.48.98 is checking the
> mail?
 
> The POP3 names are things like:
> dARk_s7y13z
> IcE_StyleZ
> stylezIcE
> `Ice|Stylez
> {Ice^Stylez]
> {Beer|Stylez}
> StYlEzDark
> dark_StYlEz
> 
> The names are quite worrying.  Anyone have any idea what is happening here?
> https://listman.redhat.com/mailman/listinfo/redhat-list

-- 
Best regards,
Gary   

Sorry, but my karma just ran over your dogma.


