
[cobalt-security] logs



Hi,

I would be very glad if someone could help a newbie understand some of these
log records, which the log checker calls system attacks and/or unusual events.

1. I have more than 1000 records of this every day:

MAIL/EXPN/VRFY/ETRN during connection to MTA
May 13 01:45:08 www sendmail[16395]: NOQUEUE: localhost [127.0.0.1] did not
issue MAIL/EXPN/VRFY/ETRN during connection to MTA
May 13 02:00:01 www sendmail[17003]: NOQUEUE: localhost [127.0.0.1] did not
issue MAIL/EXPN/VRFY/ETRN during connection to MTA
May 13 02:15:02 www sendmail[17698]: NOQUEUE: localhost [127.0.0.1] did not
issue MAIL/EXPN/VRFY/ETRN during connection to MTA
May 13 02:30:02 www sendmail[18305]: NOQUEUE: localhost [127.0.0.1] did not
issue


2. This appears many thousands of times every day, these last days:

May 12 04:18:27 www named[5605]: Lame server on '70.39.117.211.in-addr.arpa'
(in '117.211.in-addr.arpa'?): [134.75.30.1].53 'ns.kreonet.re.kr'
May 12 04:18:28 www named[5605]: Lame server on '70.39.117.211.in-addr.arpa'
(in '39.117.211.in-addr.arpa'?): [210.180.98.69].53 'ns2.hananet.net'
May 12 04:18:28 www named[5605]: Lame server on '70.39.117.211.in-addr.arpa'
(in '39.117.211.in-addr.arpa'?): [210.94.0.7].53 'ns.hananet.net'
May 12 04:18:38 www named[5605]: Lame server on
'166.63.204.137.in-addr.arpa' (in '204.137.in-addr.arpa'?):
[193.205.245.5].53 'DNS.NIC.IT'
May 12 04:19:18 www named[5605]: Lame server on '18.10.1.195.in-addr.arpa'
(in

May 12 04:26:21 www named[5605]: Lame server on '97.90.20.4.in-addr.arpa'
(in '90.20.4.in-addr.arpa'?): [206.253.194.65].53 'ns1.pnap.net'
May 12 04:27:33 www named[5605]: Cleaned cache of 538 RRsets
May 12 04:27:33 www named[5605]: USAGE 989634453 989483349 CPU=14.11u/9.17s
CHILDCPU=0u/0s
May 12 04:27:33 www named[5605]: NSTATS 989634453 989483349 A=1935 NS=2
SOA=7053 PTR=8740 MX=303 TXT=3 AAAA=1 SRV=11 AXFR=3 ANY=1096
May 12 04:27:33 www named[5605]: XSTATS 989634453 989483349 RR=14930
RNXD=956 RFwdR=8345 RDupR=10 RFail=45 RFErr=0 RErr=10 RAXFR=3 RLame=482
ROpts=0 SSysQ=4930 SAns=17169 SFwdQ=7203 SDupQ=1421 SErr=0 RQ=19647 RIQ=0
RFwdQ=7203 RDupQ=108 RTCP=1196 SFwdR=8345 SFail=0 SFErr=0 SNaAns=4953
SNXD=1407 RUQ=0 RURQ=0 RUXFR=0 RUUpd=230
May 12 04:30:01 www proftpd[24931]: www.euroraq.net (localhost[127.0.0.1]) -
FTP session closed.
May 12 04:30:01 www telnetd[24935]: ttloop: read: Connection reset by peer
May 12 04:30:01 www inetd[688]: pid 24935: exit status 1
May 12 04:30:44 www named[5605]: Lame server on '64.167.43.66.in-addr.arpa'
(in '167.43.66.in-addr.arpa'?): [205.218.123.50].53 'DNS1.USLEC.NET'
May 12 04:30:44 www named[5605]: Lame server on '64.167.43.66.in-addr.arpa'
(in '167.43.66.in-addr.arpa'?): [66.43.137.27].53 'DNS2.USLEC.NET'
May 12 04:32:04 www named[5605]: Lame server on '2.129.179.62.in-addr.arpa'
(in '12


May 12 06:00:31 www named[5605]: Lame server on '97.90.20.4.in-addr.arpa'
(in '90.20.4.in-addr.arpa'?): [206.253.194.65].53 'ns1.pnap.net'
May 12 06:15:01 www proftpd[31360]: www.euroraq.net (localhost[127.0.0.1]) -
FTP session closed.
May 12 06:15:02 www telnetd[31364]: ttloop: read: Connection reset by peer
May 12 06:15:02 www inetd[688]: pid 31364: exit status 1
May 12 06:27:33 www named[5605]: Cleaned cache of 4589 RRsets
May 12 06:27:33 www named[5605]: USAGE 989641653 989483349 CPU=22.23u/14.36s
CHILDCPU=0u/0s
May 12 06:27:33 www named[5605]: NSTATS 989641653 989483349 A=1958 NS=2
SOA=7353 PTR=18419 MX=306 TXT=3 AAAA=1 SRV=11 AXFR=3 ANY=1105
May 12 06:27:33 www named[5605]: XSTATS 989641653 989483349 RR=28941
RNXD=2217 RFwdR=18436 RDupR=24 RFail=88 RFErr=0 RErr=19 RAXFR=3 RLame=948
ROpts=0 SSysQ=7704 SAns=26314 SFwdQ=16140 SDupQ=2338 SErr=0 RQ=29662 RIQ=0
RFwdQ=16140 RDupQ=127 RTCP=1226 SFwdR=18436 SFail=0 SFErr=0 SNaAns=6029
SNXD=2746 RUQ=0 RURQ=0 RUXFR=0 RUUpd=230
May 12 06:30:01 www proftpd[31961]: www.euroraq.net (localhost[127.0.0.1]) -
FTP session closed.
May 12 06:30:02 www telnetd[31965]: ttloop: read: Connection reset by peer
May 12 06:30:02 www inetd[688]: pid 31965: exit status 1
May 12 06:45:01 www proftpd[32569]: www.euroraq.net (localhost[127.0.0.1]) -
FTP session closed.
May 12 06:45:01 www telnetd[32573]: ttloop: read: Connection reset by peer
May 12 06:45:01 www inetd[688]: pid 32573: exit status 1
May 12 07:00:02 www proftpd[709]: www.euroraq.net (localhost[127.0.0.1]) -
FTP session closed.
May 12 07:00:02 www telnetd[714]: ttloop: read: Connection reset by peer
May 12 07:00:02 www inetd[688]: pid 714: exit status


I also have hundreds of portscans, but I know what those are. Could anybody
help me understand these records, what kind of "attacks" they represent,
and what to do?

Thanks,

Kai R Schantz
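A first step in triaging records like the ones quoted above is to parse the syslog prefix, collapse the repeats by event type and peer address, and check whether the events fall on a fixed schedule. The script below is an added example for readers of the list, not the poster's code or the log checker's; it uses lines copied from the post as sample input and assumes the classic "Mon DD HH:MM:SS host program[pid]: message" syslog format shown there (the bracketed address is the connecting client for sendmail and the remote nameserver for the named "Lame server" lines).

```python
import re
from collections import Counter
from datetime import datetime
from functools import reduce
from math import gcd

# Sample lines copied from the post; the five telnetd lines are the ones quoted there.
SAMPLE_LOG = """\
May 13 01:45:08 www sendmail[16395]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
May 13 02:00:01 www sendmail[17003]: NOQUEUE: localhost [127.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
May 12 04:18:27 www named[5605]: Lame server on '70.39.117.211.in-addr.arpa' (in '117.211.in-addr.arpa'?): [134.75.30.1].53 'ns.kreonet.re.kr'
May 12 04:30:01 www telnetd[24935]: ttloop: read: Connection reset by peer
May 12 06:15:02 www telnetd[31364]: ttloop: read: Connection reset by peer
May 12 06:30:02 www telnetd[31965]: ttloop: read: Connection reset by peer
May 12 06:45:01 www telnetd[32573]: ttloop: read: Connection reset by peer
May 12 07:00:02 www telnetd[714]: ttloop: read: Connection reset by peer
"""
# Classic syslog prefix "Mon DD HH:MM:SS host program[pid]: message" (no year, no zone).
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[\s:]+)(?:\[(\d+)\])?: (.*)$")
PEER_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")  # bracketed IPv4 address inside the message
RULES = [  # (program, message fragment, event category) for the record types in the post
    ("sendmail", "did not issue MAIL/EXPN/VRFY/ETRN", "mta-connect-no-commands"),
    ("named", "Lame server on", "dns-lame-delegation"),
    ("telnetd", "ttloop", "telnet-connect-reset"),
]

def parse_line(line):
    """Split one syslog line into fields; return None for lines that do not match."""
    if not (m := SYSLOG_RE.match(line)):
        return None
    stamp, host, program, pid, msg = m.groups()
    peer = PEER_RE.search(msg)  # the client for sendmail, the remote nameserver for named
    return {"time": datetime.strptime(stamp, "%b %d %H:%M:%S"), "host": host, "program": program,
            "pid": pid, "msg": msg, "peer": peer and peer.group(1)}

def classify(rec):
    return next((cat for prog, frag, cat in RULES
                 if rec["program"] == prog and frag in rec["msg"]), "unclassified")

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def summarize(text):
    """Count events by (category, peer) so thousands of repeats collapse into a few rows."""
    return Counter((classify(r), r["peer"]) for r in parse_log(text))

def period_minutes(text, category):
    """GCD of the gaps in whole minutes between events of one category (0 if fewer than two)."""
    times = sorted(r["time"] for r in parse_log(text) if classify(r) == category)
    return reduce(gcd, (round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])), 0)
```

On the quoted telnetd lines the period comes out at 15 minutes, a regularity worth comparing against the host's own crontab and monitoring jobs before reading the records as an attack.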