Hi all

This refers to a RedHat 6.1 server, not my RaQ, but I think it's relevant to this list. If it's not, sorry. I've been trying out other general Linux lists and forums but I can't find one as active/helpful as this.

A few hours ago my maillog stopped recording "To" lines, then this morning stopped showing POP logins. The "From" line for each email, whether incoming or outgoing, still appears, and there are a lot of "Port 110 service init"s.

During the day before this happened, a few worrying things appeared in messages - for example:

Jan 3 03:38:24 ns ftpd: modemcable002.222-203-24.mtl.mc.videotron.ca: connected: IDLE
Jan 3 06:04:48 ns ftpd[25875]: ACCESS DENIED (not in any class) TO modemcable002.222-203-24.mtl.mc.videotron.ca [24.203.222.2]
Jan 3 06:04:48 ns ftpd[25875]: FTP LOGIN REFUSED (access denied) FROM modemcable002.222-203-24.mtl.mc.videotron.ca [24.203.222.2], anonymous
Jan 3 19:59:04 ns sshd[27240]: log: Connection from 194.6.9.132 port 1808
Jan 3 19:59:04 ns sshd[27240]: log: Could not reverse map address 194.6.9.132.
Jan 3 19:59:05 ns sshd[27240]: fatal: Local: Corrupted check bytes on input.
Jan 3 19:59:05 ns sshd[27241]: log: Connection from 194.6.9.132 port 1809
Jan 3 19:59:05 ns sshd[27241]: log: Could not reverse map address 194.6.9.132.
Jan 3 19:59:06 ns sshd[27242]: log: Connection from 194.6.9.132 port 1810

(Loads more of this with the port number incrementing, then a few like this:)

Jan 3 20:00:17 ns sshd[27310]: log: Could not reverse map address 194.6.9.132.
Jan 3 20:00:20 ns sshd[27310]: fatal: Local: crc32 compensation attack: network attack detected
Jan 3 20:00:20 ns sshd[27311]: log: Connection from 194.6.9.132 port 1861

Clearly this is some swine scanning for vulnerabilities. I'd be grateful for any suggestions as to how I can find out if they've been successful, or where I should start looking to find out what's wrong with maillog. I'm concerned that the server is being used to send spam and tracks being covered.

--
Eddie
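As an added example (not part of Eddie's post or of any tool he mentions), the script below groups the sshd entries quoted above by source address, flags the ascending-port reconnect loop and collects the "fatal:" messages sshd logged, so a scan like this can be picked out of a busy /var/log/messages. The sample input is built from the lines in the post; the "port 1860" connection line is constructed filler standing in for the entries the post elides.

```python
import re
from collections import defaultdict

# Constructed sample: the sshd lines quoted in the post, plus one constructed
# "port 1860" connection line in place of the elided entries for pid 27310.
SAMPLE_LOG = """\
Jan 3 19:59:04 ns sshd[27240]: log: Connection from 194.6.9.132 port 1808
Jan 3 19:59:04 ns sshd[27240]: log: Could not reverse map address 194.6.9.132.
Jan 3 19:59:05 ns sshd[27240]: fatal: Local: Corrupted check bytes on input.
Jan 3 19:59:05 ns sshd[27241]: log: Connection from 194.6.9.132 port 1809
Jan 3 19:59:05 ns sshd[27241]: log: Could not reverse map address 194.6.9.132.
Jan 3 19:59:06 ns sshd[27242]: log: Connection from 194.6.9.132 port 1810
Jan 3 20:00:17 ns sshd[27310]: log: Connection from 194.6.9.132 port 1860
Jan 3 20:00:17 ns sshd[27310]: log: Could not reverse map address 194.6.9.132.
Jan 3 20:00:20 ns sshd[27310]: fatal: Local: crc32 compensation attack: network attack detected
Jan 3 20:00:20 ns sshd[27311]: log: Connection from 194.6.9.132 port 1861
"""

CONN_RE = re.compile(r"sshd\[(\d+)\]: log: Connection from (\d+\.\d+\.\d+\.\d+) port (\d+)")
FATAL_RE = re.compile(r"sshd\[(\d+)\]: fatal: (.+)$")


def analyse_sshd_log(text, min_connections=3):
    """Summarise sshd connections per source IP from syslog-style text.

    Returns {ip: {"connections", "ports", "ascending_ports", "fatal",
    "crc32_attack"}} for each IP with at least min_connections connections
    or at least one fatal message attributed to it.
    """
    pid_to_ip = {}  # fatal lines carry only the pid, so remember pid -> ip
    stats = defaultdict(lambda: {"connections": 0, "ports": [], "fatal": []})
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            pid, ip, port = m.group(1), m.group(2), int(m.group(3))
            pid_to_ip[pid] = ip
            stats[ip]["connections"] += 1
            stats[ip]["ports"].append(port)
            continue
        m = FATAL_RE.search(line)
        if m:
            stats[pid_to_ip.get(m.group(1), "unknown")]["fatal"].append(m.group(2))
    report = {}
    for ip, s in stats.items():
        if s["connections"] < min_connections and not s["fatal"]:
            continue
        ports = s["ports"]
        report[ip] = {
            "connections": s["connections"],
            "ports": ports,
            # steadily rising client ports = one host reconnecting in a tight loop
            "ascending_ports": len(ports) >= 2 and all(b > a for a, b in zip(ports, ports[1:])),
            "fatal": s["fatal"],
            "crc32_attack": any("crc32 compensation attack" in f for f in s["fatal"]),
        }
    return report
```

Run it over the real file with `analyse_sshd_log(open("/var/log/messages").read())`; any address reported with `crc32_attack` set is one sshd's own detector already refused, and the surrounding entries for that address are where to start reading.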