RE: [suse-security] Maybe a bit worried?
Hi Allen,

Here's the news:

ComputerWorld Australia - Novell server Hacked <http://www.computerworld.com.au/index.php?id=2128628770&eid=-255>

A company server that some workers at Novell apparently used for gaming purposes was hacked into and then used to scan for vulnerable ports on potentially millions of computers worldwide, according to an Internet security consultant.

http://www.computerworld.com.au/index.php?id=2128628770&eid=-255

Cheers,
Arjen

-----Original Message-----
From: Allen [mailto:gorebofh@comcast.net]
Sent: Thu 29/09/2005 11:53
To: suse-security@suse.com
Cc:
Subject: [suse-security] Maybe a bit worried?

LogDigest just sent something to me which has me wondering WTH is going on here. I'm copying and pasting the parts I'm wondering:

/var/log/messages:
________________________________________________________________________________

Messages matching keywords in the "alarming" list:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(15 lines)

Sep 27 20:56:24 HP rcd[6043]: id=87 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=0s (failed)
Sep 27 22:56:25 HP rcd[6043]: id=91 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=0s (failed)
Sep 28 00:56:24 HP rcd[6043]: id=95 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=1s (failed)
Sep 28 02:56:22 HP rcd[6043]: id=99 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=0s (failed)
Sep 28 04:56:23 HP rcd[6043]: id=103 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=0s (failed)
Sep 28 06:56:25 HP rcd[6043]: id=107 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=0s (failed)
Sep 28 08:56:26 HP rcd[6043]: id=111 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=0s (failed)
Sep 28 10:56:25 HP rcd[6043]: id=115 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=0s (failed)
Sep 28 12:56:26 HP rcd[6043]: id=119 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=1s (failed)
Sep 28 14:56:37 HP rcd[6043]: id=123 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=0s (failed)
Sep 28 16:56:27 HP rcd[6043]: id=127 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=0s (failed)
Sep 28 18:56:27 HP rcd[6043]: id=131 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=0s (failed)

Why is this trying to connect to Novell? And why is it failing? I've been using SUSE since 8.1 and never had this in Logdigest. I haven't played with much yet on here as I just set up what I needed for now and that was it, and so I'm wondering what this is doing.

All lines that are not in the "ignore" list:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
(77 lines)

Sep 27 19:17:24 HP logrotate: ALERT exited abnormally with [1]
Sep 27 20:56:04 HP rcd[6043]: Running heartbeat at Tue Sep 27 20:56:04 2005
Sep 27 20:56:06 HP rcd[6043]: Loading system packages
Sep 27 20:56:22 HP rcd[6043]: Done loading system packages
Sep 27 20:56:22 HP rcd[6043]: Can't find synthetic package file '/var/lib/rcd/synthetic-packages.xml'
Sep 27 20:56:24 HP rcd[6043]: Unable to downloaded channel list: IO error - Soup error: Internal Server Error (500)
Sep 27 22:56:04 HP rcd[6043]: Running heartbeat at Tue Sep 27 22:56:04 2005
Sep 27 22:56:06 HP rcd[6043]: Loading system packages
Sep 27 22:56:24 HP rcd[6043]: Done loading system packages
Sep 27 22:56:24 HP rcd[6043]: Can't find synthetic package file '/var/lib/rcd/synthetic-packages.xml'
Sep 27 22:56:25 HP rcd[6043]: Unable to downloaded channel list: IO error - Soup error: Internal Server Error (500)
Sep 28 00:56:04 HP rcd[6043]: Running heartbeat at Wed Sep 28 00:56:04 2005
Sep 28 00:56:06 HP rcd[6043]: Loading system packages
Sep 28 00:56:23 HP rcd[6043]: Done loading system packages
Sep 28 00:56:23 HP rcd[6043]: Can't find synthetic package file '/var/lib/rcd/synthetic-packages.xml'

Here is the other part. Should I worry about this?

-Allen.

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
On Thursday 29 September 2005 02:02, AAA wrote:
Hi Allen,
Here's the news:
ComputerWorld Australia - Novell server Hacked <http://www.computerworld.com.au/index.php?id=2128628770&eid=-255>
A company server that some workers at Novell apparently used for gaming purposes was hacked into and then used to scan for vulnerable ports on potentially millions of computers worldwide, according to an Internet security consultant. http://www.computerworld.com.au/index.php?id=2128628770&eid=-255
What on earth do the perfectly normal (as far as it goes, they just mean that something hasn't been configured or activated correctly) messages from the red carpet daemon have to do with this?
On Thu, 29 Sep 2005, Anders Johansson wrote:
On Thursday 29 September 2005 02:02, AAA wrote:
What on earth do the perfectly normal (as far as it goes, they just mean that something hasn't been configured or activated correctly) messages from the red carpet daemon have to do with this?
I recently installed 9.3 and also found that rcd was enabled but not configured correctly. There even seems to be memory leakage; when I killed rcd and removed it from my rc.d directory using insserv, rcd was using over 500MB of memory and that caused my system to slow down significantly (swapping). Why is it enabled if you install it without a proper configuration?

Have fun,

Aschwin Marsman

--
aschwin@marsman.org
http://www.marsman.org
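One way to check whether the flagged lines are routine rcd activity, as the replies say, is to correlate each failed download with the daemon's own heartbeat and the HTTP status it logged. This is an added example, not part of the original thread; the log lines are copied from the first message, while the function names, the 60-second window and the default year are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the LogDigest excerpt in the first message of this thread.
SAMPLE = """\
Sep 27 20:56:04 HP rcd[6043]: Running heartbeat at Tue Sep 27 20:56:04 2005
Sep 27 20:56:24 HP rcd[6043]: id=87 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=0s (failed)
Sep 27 20:56:24 HP rcd[6043]: Unable to downloaded channel list: IO error - Soup error: Internal Server Error (500)
Sep 27 22:56:04 HP rcd[6043]: Running heartbeat at Tue Sep 27 22:56:04 2005
Sep 27 22:56:25 HP rcd[6043]: id=91 COMPLETE 'Downloading https://update.novell.com/data/channels.php' time=0s (failed)
Sep 27 22:56:25 HP rcd[6043]: Unable to downloaded channel list: IO error - Soup error: Internal Server Error (500)
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ rcd\[(\d+)\]: (.*)$")
FAILED = re.compile(r"COMPLETE 'Downloading ([^']+)' time=\d+s \(failed\)")
HTTP = re.compile(r"Soup error: .*\((\d{3})\)")

def parse(text, year=2005):
    """Yield (timestamp, pid, message) per rcd line; syslog omits the year, so it is assumed."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        ts = datetime.strptime(f"{m[1]} {year}", "%b %d %H:%M:%S %Y")
        yield ts, int(m[2]), m[3]

def triage(text, window=timedelta(seconds=60)):
    """Summarise rcd activity: which process connects, where, how often, and why it fails."""
    beats, failures, statuses, pids = [], [], set(), set()
    for ts, pid, msg in parse(text):
        pids.add(pid)
        if msg.startswith("Running heartbeat"):
            beats.append(ts)
        elif (f := FAILED.search(msg)):
            failures.append((ts, f[1]))
        elif (h := HTTP.search(msg)):
            statuses.add(int(h[1]))
    # A failed download is accounted for when it follows a heartbeat within `window`.
    unexplained = [u for ts, u in failures
                   if not any(timedelta(0) <= ts - b <= window for b in beats)]
    return {
        "pids": pids,
        "urls": {u for _, u in failures},
        "failures": len(failures),
        "unexplained": len(unexplained),
        "heartbeat_intervals": {b2 - b1 for b1, b2 in zip(beats, beats[1:])},
        "http_statuses": statuses,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A single PID, one destination URL, a fixed two-hour interval and a 500 status from the server describe a scheduled update check that the remote end is rejecting; a non-zero `unexplained` count would be the part worth a closer look.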