Hi folks,
today I got some strange messages in the log files. It's quite a usual woody box (apache, some (about 15) POP accounts, no smtp relaying, no ftp accounts, nothing exciting) with postfix installed from the .deb package.
###################### snip #####################
Apr 4 07:11:15 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:15 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:15 [myhostname] sshd[11733]: Did not receive identification string from 213.39.138.95
Apr 4 07:11:15 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:21 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
Apr 4 07:11:21 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
Apr 4 07:11:21 [myhostname] sshd[11735]: Did not receive identification string from 213.39.138.95
Apr 4 07:11:21 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
###################### snip #####################
(The "[myhostname]" entries are replacements made by me here for privacy reasons. There originally was the real hostname.)
Who the hell may connect from localhost and lose connection but a local user? But, there is no (shouldn't be) any local user.
Is it possible to fool smtpd about the client's IP? I think the guy from 213.39.138.95 is the same as the one in the first few lines, and he/she isn't really from localhost (I hope so), but fools smtpd into thinking so. Am I right?
Or do I have to worry about some rootkit or anything similar?
Thanks in advance!
Andreas
--
procommerz - Internet for businesses http://www.procommerz.de | 033925-90710
Stop TCPA, Microsoft's censorship system! | http://www.againsttcpa.com
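As an added example (not part of the original post), here is a small Python correlator for the two message shapes quoted above. Both mean "TCP connect, but no protocol dialogue", so it parses them as bare connects and reports remote addresses that touched more than one daemon within a few seconds, plus remote addresses active in the same seconds as the localhost entries. The sample log, hostname and addresses are constructed (RFC 5737 test ranges), and the year passed to the parser is an assumption since syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's syslog layout (RFC 5737 test addresses, placeholder host).
SAMPLE_LOG = """\
Apr 4 07:11:15 myhost postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:15 myhost sshd[11733]: Did not receive identification string from 192.0.2.10
Apr 4 07:11:15 myhost postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:21 myhost postfix/smtpd[11734]: lost connection after CONNECT from host.example[192.0.2.10]
Apr 4 07:11:21 myhost sshd[11735]: Did not receive identification string from 192.0.2.10
Apr 4 07:12:40 myhost postfix/smtpd[11740]: connect from mail.example[198.51.100.7]
"""

# Syslog prefix, then the message shapes meaning "TCP connect, but no protocol dialogue".
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+)\[\d+\]: (.*)$")
BARE_CONNECT = {
    "postfix/smtpd": re.compile(r"lost connection after CONNECT from \S+\[([\d.]+)\]"),
    "sshd": re.compile(r"Did not receive identification string from ([\d.]+)"),
}

def parse_events(text, year=2003):
    """Return [(timestamp, service, source_ip)] for bare-connect lines; year is assumed, only deltas matter."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) not in BARE_CONNECT:
            continue
        hit = BARE_CONNECT[m.group(2)].search(m.group(3))
        if hit:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), hit.group(1)))
    return events

def correlate(events, window=5):
    """Return (multi_service, near_loopback): remote IPs with bare connects to more than one
    service within `window` seconds, and remote IPs active within `window` seconds of a loopback one."""
    by_ip, loopback = defaultdict(list), []
    for ts, svc, ip in events:
        (loopback if ip.startswith("127.") else by_ip[ip]).append((ts, svc))
    multi_service = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (t1, s1) in enumerate(hits):
            for t2, s2 in hits[i + 1:]:
                if (t2 - t1).total_seconds() <= window and s1 != s2:
                    multi_service[ip] = sorted({s for _, s in hits})
    near_loopback = sorted(ip for ip, hits in by_ip.items() if any(
        abs((t - lt).total_seconds()) <= window for t, _ in hits for lt, _ in loopback))
    return multi_service, near_loopback
```

The plain "connect from" line is ignored on purpose: a client that actually talks SMTP is not a bare connect, so normal mail traffic is not flagged.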