Stephen Smith wrote:

Just a few questions.

blackbox is the server name, and 192.168.0.2 is a remote computer on my network. I have thousands of these in my /var/log/messages file. What's going on? Every 2 or 3 seconds this entry appears.

Aug 6 09:51:18 blackbox popper[2803]: connect from 192.168.0.2

Someone on 192.168.0.2 is checking for mail! Let's have a lock, what "man popper" says: popper(8) popper(8) NAME popper - pop 3 server ... The entry appears not every 2 or 3 seconds but every 5 minutes (and 3 seconds --- that's a little bit strange). So it looks like an email client automaticly checking for new mail every 5 minutes. (I can't imagine that a cracker would start it's attempts every 5 minutes) But there may be probems with POP 3 servers already reported on this list.

Aug 6 09:51:19 blackbox popper[2804]: connect from 192.168.0.2 Aug 6 09:56:21 blackbox popper[2805]: connect from 192.168.0.2 Aug 6 09:56:22 blackbox popper[2806]: connect from 192.168.0.2 Aug 6 10:01:24 blackbox popper[2831]: connect from 192.168.0.2 Aug 6 10:01:25 blackbox popper[2832]: connect from 192.168.0.2 Aug 6 10:06:27 blackbox popper[2834]: connect from 192.168.0.2 Aug 6 10:06:28 blackbox popper[2835]: connect from 192.168.0.2 Aug 6 10:11:30 blackbox popper[2836]: connect from 192.168.0.2 Aug 6 10:11:31 blackbox popper[2837]: connect from 192.168.0.2

Also was this a successful logon? (below) or an attempt.

Aug 5 20:24:21 blackbox login[1195]: ILLEGAL ROOT LOGIN on `ttyp0' from `192.168.0.2' SuSE distributions are normally configured to reject root logins from remote sites and that's it what the message above says. Maybe it was an intrusion attempt, maybe someone was connected to 192.168.0.2 as root and executed a rlogin to his account at blackbox and forgot, that (s)he was connected as root ...

I was looking through the log files because when i ran YAST, no settings were retrieved. Hostname showed as blank, no ethernet cards or IP addresses, everything. (naturally this concerned me) Now I'm afriad to reboot! My rc.config looks perfectly normal though. Where else should I look for some possible foulplay?

[5 minutes later] I just rechecked rc.config. (it was fine ten minutes ago) now it's pretty much gone. this is all that is left:

LANGUAGE="english"

START_INETD="yes"

START_PORTMAP="yes"

NFS_SERVER="yes"

yes that's it. definately not a good time to reboot! as far as I can tell, I'm [root] the only user logged on.

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Stephen Smith wrote:

Just a few questions.

blackbox is the server name, and 192.168.0.2 is a remote computer on my network. I have thousands of these in my /var/log/messages file. What's going on? Every 2 or 3 seconds this entry appears.

Aug 6 09:51:18 blackbox popper[2803]: connect from 192.168.0.2

Someone on 192.168.0.2 is checking for mail! Let's have a lock, what "man popper" says: popper(8) popper(8) NAME popper - pop 3 server ... The entry appears not every 2 or 3 seconds but every 5 minutes (and 3 seconds --- that's a little bit strange). So it looks like an email client automaticly checking for new mail every 5 minutes. (I can't imagine that a cracker would start it's attempts every 5 minutes) But there may be probems with POP 3 servers already reported on this list.

Aug 6 09:51:19 blackbox popper[2804]: connect from 192.168.0.2 Aug 6 09:56:21 blackbox popper[2805]: connect from 192.168.0.2 Aug 6 09:56:22 blackbox popper[2806]: connect from 192.168.0.2 Aug 6 10:01:24 blackbox popper[2831]: connect from 192.168.0.2 Aug 6 10:01:25 blackbox popper[2832]: connect from 192.168.0.2 Aug 6 10:06:27 blackbox popper[2834]: connect from 192.168.0.2 Aug 6 10:06:28 blackbox popper[2835]: connect from 192.168.0.2 Aug 6 10:11:30 blackbox popper[2836]: connect from 192.168.0.2 Aug 6 10:11:31 blackbox popper[2837]: connect from 192.168.0.2

Also was this a successful logon? (below) or an attempt.

Aug 5 20:24:21 blackbox login[1195]: ILLEGAL ROOT LOGIN on `ttyp0' from `192.168.0.2' SuSE distributions are normally configured to reject root logins from remote sites and that's it what the message above says. Maybe it was an intrusion attempt, maybe someone was connected to 192.168.0.2 as root and executed a rlogin to his account at blackbox and forgot, that (s)he was connected as root ...

I was looking through the log files because when i ran YAST, no settings were retrieved. Hostname showed as blank, no ethernet cards or IP addresses, everything. (naturally this concerned me) Now I'm afriad to reboot! My rc.config looks perfectly normal though. Where else should I look for some possible foulplay?

[5 minutes later] I just rechecked rc.config. (it was fine ten minutes ago) now it's pretty much gone. this is all that is left:

LANGUAGE="english"

START_INETD="yes"

START_PORTMAP="yes"

NFS_SERVER="yes"

yes that's it. definately not a good time to reboot! as far as I can tell, I'm [root] the only user logged on.

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com