Koozali.org: home of the SME Server

Connection From entries in messages log

Offline DWells

Connection From entries in messages log
« on: June 27, 2004, 08:15:41 AM »
I am using e-Smith 5.6.  Following a server crash I checked the log file (View Log Files: Messages) and found several entries similar to the ones below.  There was a connection from mail2.cell2000.net followed by a bunch of Out of Memory Error entries and killed processes.

Our server had crashed several times this week, and each time the cell2000 entry was in the log. One of our outside sales guys has an e-mail address similar to that and I assumed this was an indication that mail was coming in from his ISP. When I finally got around to wondering why the company would get 1000s of e-mails a day, but we had only a few "Connection From" entries I did some more reading.

I did a backup and reinstalled e-Smith.  The restore seems to have restored whatever it is that is allowing my problem.  I've tried using Midnight Commander to find files that may contain the suspect IP addresses -- however it continually hangs on a file named KMSG.

Am I correct in assuming the following log entries indicate the box has been compromised? Where do I look to clean this up? Am I over reacting?

TIA


 22:09:03 monk e-smith-bg: Gracefully reloading httpd: [   OK   ]^M
Jun 25 23:47:22 monk oidentd[2845]: Connection from jowisz.piotrkow.tpsa.pl (194.204.158.3):58460
Jun 25 23:47:22 monk oidentd[2845]: [jowisz.piotrkow.tpsa.pl] Successful lookup: 32878 , 25 : qmailr (qmailr)
Jun 26 00:26:34 monk oidentd[3010]: Connection from mail2.cell2000.net (69.10.202.6):41681
Jun 26 00:26:34 monk oidentd[3010]: [mail2.cell2000.net] 32899 , 25 : ERROR : NO-USER
Jun 26 05:24:54 monk oidentd[6825]: Connection from host242.expressdiscounts.net (64.201.121.242):49610
Jun 26 05:24:54 monk oidentd[6825]: [host242.expressdiscounts.net] Successful lookup: 33103 , 25 : qmailr (qmailr)
Jun 26 14:55:13 monk oidentd[9505]: Connection from host242.specialdeals4you.net (64.201.123.242):50088
Jun 26 14:55:13 monk oidentd[9505]: [host242.specialdeals4you.net] Successful lookup: 33471 , 25 : qmailr (qmailr)

Offline raem

Re: Connection From entries in messages log
« Reply #1 on: June 27, 2004, 08:37:20 AM »
> I am using e-Smith 5.6.... There was a connection
> from mail2.cell2000.net followed by a bunch of Out
> of Memory Error entries and killed processes.

> Our server had crashed several times this week,
> and each time the cell2000 entry was in the log

What processor, how much RAM, are you running Clamav & Spamassassin? What other contribs are you running?

You may simply have an overload situation due to too many incoming messages and not enough server "grunt".
...

Anonymous

Connection From entries in messages log
« Reply #2 on: June 27, 2004, 03:37:42 PM »
512 Megs of RAM
500 MHz processor (at least, it may be 800+, I'll check tomorrow when I'm back at work).

I'm also running ASSP.  I've installed the User Manager panel, and the Service Panel.  The server is configured in Server/Gateway mode.

Offline DWells

Connection From entries in messages log
« Reply #3 on: June 28, 2004, 05:16:53 PM »
The processor is a 667 MHz.

(While I'm guessing that rounding would have taken the processor designation to 667 anyway, I always thought it interesting that 166, 366 etc. were OK ... BUT ... 666 just wouldn't fly. The whole Technology/Number-of-the-beast marriage was too much for us to accept.)

The following were in the log this morning. I'm suspicious as the only Connection From messages are showing up from IPs I don't recognize. We don't get messages like this when we receive mail from a vendor.

28 07:36:14 monk oidentd[367]: Connection from host221.discounts2go.com (66.54.93.221):52033
Jun 28 07:36:14 monk oidentd[367]: [host221.discounts2go.com] Successful lookup: 33919 , 25 : qmailr (qmailr)
Jun 28 07:36:29 monk oidentd[559]: Connection from morpheus.globalsources.com (202.160.251.119):45586
Jun 28 07:36:29 monk oidentd[559]: [morpheus.globalsources.com] Successful lookup: 33950 , 25 : qmailr (qmailr)
Jun 28 07:36:33 monk oidentd[582]: Connection from web8.thehostingnet.com (66.6.223.120):41867
Jun 28 07:36:33 monk oidentd[582]: [web8.thehostingnet.com] Successful lookup: 33958 , 25 : qmailr (qmailr)
Jun 28 07:36:48 monk oidentd[711]: Connection from srv2.molem.com (69.59.144.136):59525
Jun 28 07:36:48 monk oidentd[711]: [srv2.molem.com] Successful lookup: 33977 , 25 : qmailr (qmailr)
Jun 28 07:36:54 monk oidentd[767]: Connection from rrcs-se-24-73-239-122.biz.rr.com (24.73.239.122):4449
Jun 28 07:36:54 monk oidentd[767]: [rrcs-se-24-73-239-122.biz.rr.com] Successful lookup: 33992 , 25 : qmailr (qmailr)
Jun 28 12:37:57 monk named[2008]: lame server resolving 'cell2000.net' (in 'cell2000.NET'?): 69.10.201.28#53
Jun 28 08:37:57 monk oidentd[2399]: Connection from mail1.cell2000.net (69.10.202.5):41133
Jun 28 08:37:57 monk oidentd[2399]: [mail1.cell2000.net] 34184 , 25 : ERROR : NO-USER
Jun 28 09:11:38 monk oidentd[4077]: Connection from bizhelper.net (216.194.66.79):1260
Jun 28 09:11:38 monk oidentd[4077]: [bizhelper.net] Successful lookup: 34333 , 25 : qmailr (qmailr)
Jun 28 10:02:32 monk oidentd[5665]: Connection from msa-mx2.hinet.net (168.95.5.107):45836
Jun 28 10:02:32 monk oidentd[5665]: [msa-mx2.hinet.net] Successful lookup: 34465 , 25 : qmailr (qmailr)
Jun 28 14:25:50 monk named[2008]: lame server resolving 'cell2000.net' (in 'cell2000.NET'?): 69.10.201.28#53
Jun 28 10:25:50 monk oidentd[6493]: Connection from mail2.cell2000.net (69.10.202.6):44567
Jun 28 10:25:50 monk oidentd[6493]: [mail2.cell2000.net] 34520 , 25 : ERROR : NO-USER
Jun 28 14:43:20 monk named[2008]: lame server resolving 'rjs-electronics.com' (in 'rjs-electronics.com'?): 207.207.185.58#53
Jun 28 10:43:20 monk oidentd[7104]: Connection from bizhelper.net (216.194.66.79):1559
Jun 28 10:43:20 monk oidentd[7104]: [bizhelper.net] Successful lookup: 34571 , 25 : qmailr (qmailr)
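The oidentd entries quoted in this thread are easier to read once each "Connection from" line is paired with the lookup result logged by the same oidentd pid and the results are grouped per remote host. The Python below is an added example, not code from the thread or from the SME Server project. Its sample input is a handful of the thread's own log lines copied verbatim. The classification in classify() assumes the RFC 1413 field order that oidentd logs, "port on this host , port on the remote host", and that qmailr is the account qmail's remote-delivery program (qmail-remote) runs as; NO-USER is the RFC 1413 reply for a port pair that no local socket currently matches.

```python
import re
from collections import defaultdict

# Sample input: lines copied verbatim from the thread above (oidentd and named
# entries from the host "monk"). The named line is there to show that
# unrelated entries are ignored.
SAMPLE_LOG = """\
Jun 26 00:26:34 monk oidentd[3010]: Connection from mail2.cell2000.net (69.10.202.6):41681
Jun 26 00:26:34 monk oidentd[3010]: [mail2.cell2000.net] 32899 , 25 : ERROR : NO-USER
Jun 28 07:36:14 monk oidentd[367]: Connection from host221.discounts2go.com (66.54.93.221):52033
Jun 28 07:36:14 monk oidentd[367]: [host221.discounts2go.com] Successful lookup: 33919 , 25 : qmailr (qmailr)
Jun 28 09:11:38 monk oidentd[4077]: Connection from bizhelper.net (216.194.66.79):1260
Jun 28 09:11:38 monk oidentd[4077]: [bizhelper.net] Successful lookup: 34333 , 25 : qmailr (qmailr)
Jun 28 10:43:20 monk oidentd[7104]: Connection from bizhelper.net (216.194.66.79):1559
Jun 28 10:43:20 monk oidentd[7104]: [bizhelper.net] Successful lookup: 34571 , 25 : qmailr (qmailr)
Jun 28 12:37:57 monk named[2008]: lame server resolving 'cell2000.net' (in 'cell2000.NET'?): 69.10.201.28#53
"""

# "Connection from <host> (<ip>):<source port>" -- the remote side opening the ident query.
CONN_RE = re.compile(
    r"oidentd\[(?P<pid>\d+)\]: Connection from (?P<host>\S+) \((?P<ip>[\d.]+)\):(?P<port>\d+)")
# Successful answer: "<local port> , <remote port> : <user> (<user>)".
OK_RE = re.compile(
    r"oidentd\[(?P<pid>\d+)\]: \[(?P<host>\S+)\] Successful lookup: "
    r"(?P<lport>\d+) , (?P<fport>\d+) : (?P<user>\S+)")
# Error answer: "<local port> , <remote port> : ERROR : <code>".
ERR_RE = re.compile(
    r"oidentd\[(?P<pid>\d+)\]: \[(?P<host>\S+)\] (?P<lport>\d+) , (?P<fport>\d+) : ERROR : (?P<err>\S+)")


def parse_oidentd(text):
    """Pair each 'Connection from' line with the result logged by the same oidentd pid."""
    pending = {}   # pid -> event waiting for its lookup result
    events = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            pending[m["pid"]] = {"host": m["host"], "ip": m["ip"], "src_port": int(m["port"]),
                                 "local_port": None, "remote_port": None,
                                 "user": None, "error": None}
            continue
        m = OK_RE.search(line) or ERR_RE.search(line)
        if m:
            ev = pending.pop(m["pid"], None)
            if ev is None:
                # Result line whose connection line was not seen (log rotated, or truncated).
                ev = {"host": m["host"], "ip": None, "src_port": None,
                      "local_port": None, "remote_port": None, "user": None, "error": None}
            ev["local_port"] = int(m["lport"])
            ev["remote_port"] = int(m["fport"])
            ev["user"] = m.groupdict().get("user")
            ev["error"] = m.groupdict().get("err")
            events.append(ev)
    events.extend(pending.values())   # queries that never got a result line
    return events


def classify(ev):
    """Label one paired query using the RFC 1413 field order (assumption stated in the lead-in)."""
    if ev["error"] == "NO-USER":
        return "no-user"                  # no local socket matched the port pair at lookup time
    if ev["user"] == "qmailr" and ev["remote_port"] == 25:
        return "outbound-smtp-delivery"   # this box's qmail-remote talking to the remote MTA
    if ev["user"] is not None:
        return "other-local-process"
    return "unresolved"


def summarize(events):
    """Per remote host: lookup count, users and errors seen, remote ports asked about."""
    summary = defaultdict(lambda: {"lookups": 0, "users": set(), "errors": set(),
                                   "remote_ports": set(), "labels": set()})
    for ev in events:
        s = summary[ev["host"]]
        s["lookups"] += 1
        s["labels"].add(classify(ev))
        if ev["user"]:
            s["users"].add(ev["user"])
        if ev["error"]:
            s["errors"].add(ev["error"])
        if ev["remote_port"] is not None:
            s["remote_ports"].add(ev["remote_port"])
    return dict(summary)


if __name__ == "__main__":
    for host, s in sorted(summarize(parse_oidentd(SAMPLE_LOG)).items()):
        print(f"{host}: {s['lookups']} lookups, users={sorted(s['users'])}, "
              f"errors={sorted(s['errors'])}, labels={sorted(s['labels'])}")
```

Run as-is it reports that every successful lookup names qmailr against remote port 25, which is this box's own outbound SMTP deliveries being ident-checked by the receiving mail servers; the NO-USER answers to cell2000 are lookups for a connection that had already closed. What the summary cannot tell you is why the box is delivering to those hosts, so the next place to look is the qmail delivery logs rather than messages.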