Re: [cobalt-security] Fwd: ACTIVE SYSTEM ATTACK! (?)



"Dan Keller" <cobalt@xxxxxxxxxx> wrote:
> Attached below please see a message I received from
> the log monitoring program on my RaQ2.  I use
> logcheck 1.1.1.
>
> I don't recall ever seeing a message with "ACTIVE
> SYSTEM ATTACK!" in the subject line and wonder
> if it might be bogus.  What do you think?

LogSentry (logcheck's current name) messages with that subject are valid.
That's just the subject LogSentry uses for matching records it considers the
most severe.  Of course, you can modify the 4 LogSentry files that control
that behavior if you'd like.

> Also, the log entry about which logcheck complains
> looks harmless to me;  is it?  If I'm reading it right,
> I believe that what it's reporting is a refusal to relay
> Rumanian spam, not at all unusual;  am I interpreting
> this correctly?
>
> Thanks muchly for sage advice!
>
> Dan Keller
> cobalt@xxxxxxxxxx
>
> >Date: Fri, 22 Nov 2002 04:01:18 -0800
> >From: Root <root@xxxxxxxxxxxxxx>
> >To: root@xxxxxxxxxxxxxx
> >Subject: www.keller.com 11/22/02:04.01 ACTIVE SYSTEM ATTACK!
> >X-Status:
> >X-Keywords:
> >
> >Active System Attack Alerts
> >=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >Nov 22 03:25:54 www sendmail[2360]: DAA02360: from=<abbyk@xxxxxxxxx>

That's because one of the LogSentry rules matches any log record containing
the string "attack" and it appeared in an email address from someone who
sent to a user on your server.  So in this case the record can safely be
ignored.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
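An added example, not from this thread or from logcheck itself, that mimics the keyword-list matching Steve describes over constructed log lines: a bare "attack" keyword fires on a sender address in a sendmail record, and a narrower ignore pattern suppresses that case without silencing a genuine match. The pattern lists, sample lines and function names are assumptions loosely modelled on logcheck's keyword and ignore files.

```python
import re

# Constructed sample log lines (not from the original alert); the first
# carries "attack" inside a sender address, as in the reported record.
SAMPLE_LOG = """\
Nov 22 03:25:54 www sendmail[2360]: DAA02360: from=<abby.attack@example.invalid>, size=2048
Nov 22 03:26:10 www sshd[2371]: Accepted password for dan from 192.0.2.10 port 51514
Nov 22 03:27:02 www kernel: Possible SYN flood attack detected on eth0
"""

# Assumed stand-in for a logcheck-style "hacking" keyword list: any record
# containing one of these substrings (case-insensitive) is reported under
# the ACTIVE SYSTEM ATTACK! subject.
ATTACK_PATTERNS = [r"attack", r"flood", r"ILLEGAL ROOT"]

# Assumed stand-in for an ignore list: suppress the keyword only when it
# occurs inside the from=<...> address of a sendmail record, so the kernel
# line above still alerts.
IGNORE_PATTERNS = [r"sendmail\[\d+\]: \w+: from=<[^>]*attack[^>]*>"]


def classify(log_text, attack_patterns=ATTACK_PATTERNS, ignore_patterns=()):
    """Return the log lines that would be reported as active-attack alerts."""
    attack = [re.compile(p, re.IGNORECASE) for p in attack_patterns]
    ignore = [re.compile(p, re.IGNORECASE) for p in ignore_patterns]
    alerts = []
    for line in log_text.splitlines():
        if not any(p.search(line) for p in attack):
            continue  # no attack keyword anywhere in the record
        if any(p.search(line) for p in ignore):
            continue  # keyword matched, but only in an ignored context
        alerts.append(line)
    return alerts


if __name__ == "__main__":
    print("without ignore list:")
    for line in classify(SAMPLE_LOG):
        print("  ", line)
    print("with ignore list:")
    for line in classify(SAMPLE_LOG, ignore_patterns=IGNORE_PATTERNS):
        print("  ", line)
```

Without the ignore list the sendmail record is reported alongside the kernel line; with it, only the kernel line remains.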