From: "Tuc at T-B-O-H.NET" <[EMAIL PROTECTED]>

Hi,

At around 1p yesterday all of a sudden I started to see some
messages out of the ordinary. I've tracked it down to happening around
the same time SA is running.

I syslog everything to /var/log/spool, and if I do:

egrep 'clean |nologin' /var/log/spool | grep -v kernel

I see things like:

Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 7.2 seconds, 1538 bytes.
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:50 asgard spamd[2499]: spamd: clean message (5.0/5.0) for aries:2000 in 7.8 seconds, 70282 bytes.
Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 2.3 seconds, 1635 bytes.
Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:23:07 asgard spamd[2499]: spamd: clean message (1.3/5.0) for mariansb:2004 in 1.6 seconds, 11011 bytes.
Jul 19 13:23:07 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:26:50 asgard spamd[2499]: spamd: clean message (0.8/5.0) for mariansb:2004 in 1.4 seconds, 2251 bytes.
Jul 19 13:26:50 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:26:56 asgard spamd[2499]: spamd: clean message (1.5/5.0) for mariansb:2004 in 1.7 seconds, 11323 bytes.
Jul 19 13:26:56 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:28:14 asgard spamd[2499]: spamd: clean message (0.4/5.0) for aries:2000 in 4.4 seconds, 20370 bytes.
Jul 19 13:28:14 asgard nologin: Attempted login by root on UNKNOWN

I know this sounds the usual, but I didn't change or upgrade
anything when it started.


Any thoughts? How do I debug?

Recognize that you likely have two different "problems."

The clean simply means spamd correctly processed a message that was not
spam. The attempted login messages are some other item attempting to
break into your machine on the root account. I'd suspect an ssh based
attack.

{^_^}
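One way to act on the reply's "two different problems" point is to test it against the log itself: parse the syslog lines, split them by program, and check whether every nologin event lands within a second of a spamd event or whether some occur on their own. If the attempts are an independent brute-force against root, they should show up at times when spamd is idle; if they only ever appear in lock-step with spamd, the two streams are probably connected. The script below is an added example, not something from either poster. It assumes the classic syslog timestamp format shown in the excerpt (which carries no year, so a placeholder year is supplied) and uses a constructed sample that copies the shape of the posted lines plus one nologin line with no spamd neighbour.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the posted excerpt. The 12:30:01 nologin
# line is deliberately added so that one event has no matching spamd line.
SAMPLE_LOG = """\
Jul 19 11:52:26 asgard spamd[2499]: spamd: clean message (2.6/5.0) for mkasper:2005 in 7.2 seconds, 1538 bytes.
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:26 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 11:52:50 asgard spamd[2499]: spamd: clean message (5.0/5.0) for aries:2000 in 7.8 seconds, 70282 bytes.
Jul 19 11:52:50 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 12:30:01 asgard nologin: Attempted login by root on UNKNOWN
Jul 19 13:09:29 asgard spamd[2499]: spamd: clean message (3.7/5.0) for mkasper:2005 in 2.3 seconds, 1635 bytes.
Jul 19 13:09:29 asgard nologin: Attempted login by root on UNKNOWN
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message".
# The day may be space-padded ("Jul  9"), and the pid is optional.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Syslog timestamps carry no year; this placeholder is an assumption.
PLACEHOLDER_YEAR = 2005


def parse_line(line, year=PLACEHOLDER_YEAR):
    """Return a dict with ts/host/prog/pid/msg, or None for unparseable lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"],
            "pid": m["pid"], "msg": m["msg"]}


def correlate(text, window_seconds=1):
    """Count nologin events that fall within window_seconds of any spamd event.

    Returns a summary dict; 'orphans' lists the timestamps of nologin events
    that have no spamd event nearby, i.e. the ones that point to an
    independent source such as a login brute-force.
    """
    events = [e for e in map(parse_line, text.splitlines()) if e]
    spamd_times = sorted(e["ts"] for e in events if e["prog"] == "spamd")
    nologin = [e for e in events if e["prog"] == "nologin"]

    coincident = 0
    orphans = []
    for e in nologin:
        near = any(abs((e["ts"] - t).total_seconds()) <= window_seconds
                   for t in spamd_times)
        if near:
            coincident += 1
        else:
            orphans.append(e["ts"])
    return {"spamd": len(spamd_times), "nologin": len(nologin),
            "coincident": coincident, "orphans": orphans}


if __name__ == "__main__":
    summary = correlate(SAMPLE_LOG)
    print(f"spamd events:    {summary['spamd']}")
    print(f"nologin events:  {summary['nologin']}")
    print(f"coincident:      {summary['coincident']}")
    for ts in summary["orphans"]:
        print(f"orphan nologin:  {ts:%b %d %H:%M:%S}")
```

Run it against the real file with `correlate(open('/var/log/spool').read())`; a non-empty `orphans` list is the quickest evidence that the login attempts have a life of their own, at which point the sshd and auth logs for those timestamps are the next thing to read.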
