I am getting many, many entries in auth.log like these:

> /var/log/auth.log:May 17 13:31:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=
> /var/log/auth.log:May 17 13:31:20 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=
> /var/log/auth.log:May 18 03:39:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=jkhhlkjh rhost=
> /var/log/auth.log:May 18 03:39:23 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=jkhhlkjh rhost=
> /var/log/auth.log:May 18 03:40:01 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost=
> /var/log/auth.log:May 18 03:40:08 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost=
> /var/log/auth.log:May 18 03:40:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost=
> /var/log/auth.log:May 18 09:14:57 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=anonymous rhost=
> /var/log/auth.log:May 18 09:15:01 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=anonymous rhost=
Over on SDLU, I was told the empty "rhost=" looks like there is a Trojan using a socket on my email host. I knew nothing about sockets -- not much more now. Can anyone tell me how to find it and squash it?

I've never seen anything like this. It's not happening very fast, and I've made sure the usernames and passwords are good, so statistically, it's going to take quite a while to get in. But it might get lucky, so I'd like to deal with it.

I've looked with netstat, and I don't see anything suspicious. It occurs to me that it might be a program that runs every so often, and very quickly, so it doesn't show up in random "ps" or "top" checks.

The only thing I can think of to do is reinstall. I know that's sometimes the correct thing to do, but that's so Windows :-)

Any advice will be greatly appreciated...

BTW, please feel free to reply to me personally; my Postfix configuration sometimes considers bendel.debian.org to be a spammer (it doesn't find a domain for the IP).

Oh. And I'm still on lenny, so reinstalling doesn't seem like too bad an idea...

-- 
Glenn English
hand-wrapped from my Apple Mail

Archive: http://lists.debian.org/0f79e416-0869-4ac8-847b-f0006b82e...@slsware.com
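A small triage script for the kind of log shown above, added here as an example; it is not code from the post or from Dovecot or Debian. It parses pam_unix "authentication failure" lines, tallies them by PAM service, by attempted user and by rhost, and reports the tightest interval between consecutive attempts on the same username, which is what distinguishes an automated client from a user mistyping a password. The sample log is constructed from the entries quoted in the post plus one made-up sshd line (192.0.2.10 is a documentation address) so that the service breakdown has something to compare against; syslog lines carry no year, so the script assumes one via the year parameter.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample modelled on the entries quoted in the post. The final
# sshd line is made up so the summary shows a non-dovecot service whose PAM
# call did record a remote host.
SAMPLE_AUTH_LOG = """\
May 17 13:31:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=
May 17 13:31:20 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=webmaster rhost=
May 18 03:39:14 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=jkhhlkjh rhost=
May 18 03:39:23 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=jkhhlkjh rhost=
May 18 03:40:01 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=lkjklhui rhost=
May 18 09:14:57 server dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser=anonymous rhost=
May 18 09:15:01 server sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
"""

# One pam_unix failure line: syslog timestamp, host, process, service, and the
# ruser= / rhost= fields (either of which may legitimately be empty).
PAM_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<proc>[^:]+): "
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure;.*?"
    r"\bruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*)"
)


def parse_pam_failures(text, year=1900):
    """Return one dict per pam_unix authentication-failure line.

    year is an assumption: syslog timestamps carry none, and 1900 is only a
    placeholder that keeps intervals within one log consistent (a Feb 29
    entry would need a real leap year passed in)."""
    records = []
    for line in text.splitlines():
        # Tolerate the "/var/log/auth.log:" prefix that grep prepends.
        line = re.sub(r"^/\S*?:(?=[A-Z][a-z]{2} )", "", line)
        m = PAM_FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        records.append({
            "time": ts,
            "proc": m.group("proc"),
            "service": m.group("service"),
            "ruser": m.group("ruser"),
            "rhost": m.group("rhost"),
        })
    return records


def summarize(records):
    """Counts worth seeing at a glance: per PAM service, per attempted user,
    per remote host, and how many failures carried no remote host at all."""
    return {
        "by_service": Counter(r["service"] for r in records),
        "by_user": Counter(r["ruser"] for r in records),
        "by_rhost": Counter(r["rhost"] or "<empty>" for r in records),
        "empty_rhost": sum(1 for r in records if not r["rhost"]),
    }


def min_gap_seconds(records):
    """Smallest interval between consecutive failures for the same username.
    Users with a single attempt are omitted; gaps of a few seconds point at
    an automated client rather than a person retyping a password."""
    times = defaultdict(list)
    for r in records:
        times[r["ruser"]].append(r["time"])
    gaps = {}
    for user, ts in times.items():
        ts.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if deltas:
            gaps[user] = min(deltas)
    return gaps


if __name__ == "__main__":
    recs = parse_pam_failures(SAMPLE_AUTH_LOG)
    s = summarize(recs)
    print("failures by service:", dict(s["by_service"]))
    print("failures by user:   ", dict(s["by_user"]))
    print("failures by rhost:  ", dict(s["by_rhost"]))
    print("tightest gap (s):   ", min_gap_seconds(recs))
```

Run it against a real file with `parse_pam_failures(open("/var/log/auth.log").read(), year=2010)` (year being whatever the log actually covers). The by_service and by_rhost counts are the part that answers the question in the post: if every blank rhost belongs to the dovecot service while other services record one, the field is empty because of how that service hands the connection to PAM, not because of where the client is. Dovecot's own login log lines (on Debian they go to mail.log) record the client address as rip=, so matching those timestamps against the pam_unix entries tells you whether the attempts arrive over the network or from the local host before deciding anything about a reinstall.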