
[cobalt-security] Hacker activity?



This is a piece of my last downloaded log-file from my Raq4i. I'm just
starting to create web sites on it and I've already installed all the patches
Cobalt released.
I am concerned about the activity the logfile displays every 15 minutes. Is that
normal, or could it be a systematic attempt to look into my server? The
server is almost empty; there's no site a normal visitor would be looking
for.
Of course ns.mydomain.com symbolizes my primary DNS server.

ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:04:30:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:04:45:01 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:05:00:01 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:05:15:01 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:05:30:01 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:05:45:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:06:00:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:06:15:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:06:30:01 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:06:45:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:07:00:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:07:15:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:07:30:01 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:07:45:01 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:08:00:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:08:15:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:08:30:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:08:45:01 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:09:00:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:09:15:01 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:09:30:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:09:45:01 -0300] "HEAD / HTTP" 200 0 "-" "-"

On the other hand, in the Diagnostic file downloaded from the same Raq,
there is the following activity every 15 minutes too:

The next, with telnet and ftp enabled:

CobaltDiag::tail -50 /var/log/messages
Feb 18 09:30:01 ns proftpd[22666]: ns.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Feb 18 09:30:04 ns telnetd[22674]: ttloop: read: Broken pipe
Feb 18 09:45:00 ns proftpd[23260]: ns.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Feb 18 09:45:03 ns telnetd[23268]: ttloop: read: Broken pipe
Feb 18 10:00:01 ns proftpd[23864]: ns.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Feb 18 10:00:04 ns telnetd[23872]: ttloop: read: Broken pipe
Feb 18 10:11:54 ns named[444]: Cleaned cache of 0 RRsets
Feb 18 10:11:54 ns named[444]: USAGE 982501914 982125691 CPU=0.41u/0.27s CHILDCPU=0u/0s
Feb 18 10:11:54 ns named[444]: NSTATS 982501914 982125691 A=58 NS=35 SOA=394 PTR=136 TXT=5
Feb 18 10:11:54 ns named[444]: XSTATS 982501914 982125691 RR=124 RNXD=16 RFwdR=56 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=4 ROpts=0 SSysQ=48 SAns=464 SFwdQ=45 SDupQ=19 SErr=0 RQ=631 RIQ=6 RFwdQ=45 RDupQ=0 RTCP=160 SFwdR=56 SFail=0 SFErr=0 SNaAns=108 SNXD=29 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
Feb 18 10:15:00 ns proftpd[24547]: ns.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Feb 18 10:15:03 ns telnetd[24555]: ttloop: read: Broken pipe
Feb 18 10:30:01 ns proftpd[25147]: ns.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Feb 18 10:30:04 ns telnetd[25155]: ttloop: read: Broken pipe
Feb 18 10:45:00 ns proftpd[25741]: ns.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Feb 18 10:45:03 ns telnetd[25749]: ttloop: read: Broken pipe
Feb 18 11:00:01 ns proftpd[26345]: ns.mydomain.com (localhost[127.0.0.1]) - FTP session closed.
Feb 18 11:00:04 ns telnetd[26353]: ttloop: read: Broken pipe

The next one, after telnet and ftp were disabled:

Feb 19 22:00:00 ns imapd[14801]: imap service init from 127.0.0.1
Feb 19 22:00:00 ns imapd[14801]: Logout user=??? host=localhost [127.0.0.1]
Feb 19 22:00:01 ns sendmail[14803]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 19 22:15:00 ns imapd[15470]: imap service init from 127.0.0.1
Feb 19 22:15:00 ns imapd[15470]: Logout user=??? host=localhost [127.0.0.1]
Feb 19 22:15:01 ns sendmail[15472]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 19 22:30:01 ns imapd[16056]: imap service init from 127.0.0.1
Feb 19 22:30:01 ns imapd[16056]: Logout user=??? host=localhost [127.0.0.1]
Feb 19 22:30:02 ns sendmail[16058]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 19 22:45:01 ns imapd[16640]: imap service init from 127.0.0.1
Feb 19 22:45:01 ns imapd[16640]: Logout user=??? host=localhost [127.0.0.1]
Feb 19 22:45:02 ns sendmail[16642]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 19 23:00:00 ns imapd[17230]: imap service init from 127.0.0.1
Feb 19 23:00:00 ns imapd[17230]: Logout user=??? host=localhost [127.0.0.1]
Feb 19 23:00:01 ns sendmail[17232]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 19 23:15:00 ns imapd[17901]: imap service init from 127.0.0.1
Feb 19 23:15:00 ns imapd[17901]: Logout user=??? host=localhost [127.0.0.1]
Feb 19 23:15:01 ns sendmail[17903]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 19 23:30:00 ns imapd[18487]: imap service init from 127.0.0.1
Feb 19 23:30:00 ns imapd[18487]: Logout user=??? host=localhost [127.0.0.1]
Feb 19 23:30:01 ns sendmail[18489]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 19 23:45:01 ns imapd[19071]: imap service init from 127.0.0.1
Feb 19 23:45:01 ns imapd[19071]: Logout user=??? host=localhost [127.0.0.1]
Feb 19 23:45:02 ns sendmail[19073]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 20 00:00:00 ns imapd[19661]: imap service init from 127.0.0.1
Feb 20 00:00:00 ns imapd[19661]: Logout user=??? host=localhost [127.0.0.1]
Feb 20 00:00:01 ns sendmail[19663]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Feb 20 00:15:01 ns imapd[20402]: imap service init from 127.0.0.1
Feb 20 00:15:01 ns imapd[20402]: Logout user=??? host=localhost [127.0.0.1]
Feb 20 00:15:02 ns sendmail[20405]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

and so on...

Of course it's not me who has been accessing the server every 15 minutes since last
December, around the clock.
I don't know if this kind of activity is normal or not (it looks very
suspicious to me).
Please give me a hint.
Regards,
Rodrigo Velasco
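An added triage example, not part of Rodrigo's post and not Cobalt code: a Python script that parses access-log lines in the format shown above and reports, per client address, whether every hit lands on a quarter-hour boundary with 15-minute spacing, which is the timing signature of a locally scheduled job rather than a visitor. The sample lines are constructed from the excerpt; the external address 203.0.113.7 is a made-up contrast case, and the "scheduled" verdict is a heuristic assumption, not proof of what process originates the requests.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the post's excerpt (not a live capture):
# the loopback HEAD probes plus, for contrast, one ordinary external visitor.
ACCESS_LOG = """\
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:04:30:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:04:45:01 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:05:00:01 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 127.0.0.1 - - [19/Feb/2001:05:15:00 -0300] "HEAD / HTTP" 200 0 "-" "-"
ns.mydomain.com 203.0.113.7 - - [19/Feb/2001:05:07:12 -0300] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0"
ns.mydomain.com 203.0.113.7 - - [19/Feb/2001:05:09:48 -0300] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
ns.mydomain.com 203.0.113.7 - - [19/Feb/2001:05:31:05 -0300] "GET / HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""
# NCSA-style line: vhost client ident user [timestamp] "request" status ...
LINE_RE = re.compile(r'^(\S+) (\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def parse_access_log(text):
    """Return (client_ip, datetime, request, status) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a log line
        _vhost, client, ts, request, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        events.append((client, when, request, int(status)))
    return events

def classify_sources(events, period=900, slack=5):
    """Per client: every hit on a period boundary (quarter hour by default) and
    every gap a whole number of periods => consistent with a scheduled local job."""
    by_client = defaultdict(list)
    for client, when, _req, _status in events:
        by_client[client].append(when)
    report = {}
    for client, times in by_client.items():
        times.sort()
        on_boundary = all(t.minute % (period // 60) == 0 and t.second <= slack for t in times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = all(g > 0 and abs(g - period * round(g / period)) <= slack for g in gaps)
        report[client] = {
            "hits": len(times),
            "scheduled_pattern": len(times) >= 3 and on_boundary and periodic,
            "loopback": client.startswith("127."),  # originated on the box itself
        }
    return report

REPORT = classify_sources(parse_access_log(ACCESS_LOG))
```

A loopback source with a scheduled pattern points at something on the RaQ itself (a cron entry or a monitoring daemon), so the next step is to list the local scheduled jobs and match their run times against the log rather than to look for an outside attacker.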