Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Rick on March 30, 2001, 11:29:28 PM

Title: Attack ??
Post by: Rick on March 30, 2001, 11:29:28 PM
When I take a look at the /etc/messages file I see this entry:

Mar 30 12:47:44 server xinetd[514]: START: pop-3 pid=16633 from=www.xxx.yyy.zzz
Mar 30 12:53:25 server xinetd[514]: START: pop-3 pid=16643 from=www.xxx.yyy.zzz
Mar 30 12:59:04 server xinetd[514]: START: pop-3 pid=16650 from=www.xxx.yyy.zzz
Mar 30 13:04:43 server xinetd[514]: START: pop-3 pid=16661 from=www.xxx.yyy.zzz
Mar 30 13:10:22 server xinetd[514]: START: pop-3 pid=16675 from=www.xxx.yyy.zzz
Mar 30 13:16:02 server xinetd[514]: START: pop-3 pid=16683 from=www.xxx.yyy.zzz
Mar 30 13:21:43 server xinetd[514]: START: pop-3 pid=16692 from=www.xxx.yyy.zzz

I see it happening for the whole day now. Could this be a hack going on?
Title: Re: Attack ??
Post by: diaolin on March 31, 2001, 11:13:26 PM
Of course this can be a passwd cracker due to this continuous bouncing... but too much time between connections... every 5 minutes, but it can even be a client configured for testing if it has new mail every 5 minutes... like Outlook Express.
Ciao Diaolin
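
The interval reasoning in the reply above, as an added example that is not part of the original thread: it parses the xinetd START lines from the first post, measures the gap between successive connections per source, and labels the spacing. The `year` parameter and the three thresholds in `classify` are assumptions chosen for illustration; regular spacing alone does not identify who is connecting.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Log lines copied from the first post; the source address is masked there.
SAMPLE = """\
Mar 30 12:47:44 server xinetd[514]: START: pop-3 pid=16633 from=www.xxx.yyy.zzz
Mar 30 12:53:25 server xinetd[514]: START: pop-3 pid=16643 from=www.xxx.yyy.zzz
Mar 30 12:59:04 server xinetd[514]: START: pop-3 pid=16650 from=www.xxx.yyy.zzz
Mar 30 13:04:43 server xinetd[514]: START: pop-3 pid=16661 from=www.xxx.yyy.zzz
Mar 30 13:10:22 server xinetd[514]: START: pop-3 pid=16675 from=www.xxx.yyy.zzz
Mar 30 13:16:02 server xinetd[514]: START: pop-3 pid=16683 from=www.xxx.yyy.zzz
Mar 30 13:21:43 server xinetd[514]: START: pop-3 pid=16692 from=www.xxx.yyy.zzz
"""

# xinetd connection-start record: timestamp, service name, peer address.
START = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ xinetd\[\d+\]: START: (\S+) pid=\d+ from=(\S+)"
)


def intervals(log_text, year=2001):
    """Seconds between successive START events, keyed by (service, source)."""
    # Syslog timestamps carry no year, so `year` is an assumed value.
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = START.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            seen[(m.group(2), m.group(3))].append(stamp)
    return {
        key: [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        for key, times in seen.items()
    }


def classify(gaps, min_gaps=5, fast_seconds=10, max_jitter=0.05):
    """Label connection spacing; all three thresholds are illustrative assumptions."""
    if len(gaps) < min_gaps:
        return "insufficient"
    if mean(gaps) < fast_seconds:
        return "rapid"      # back-to-back connections, as a fast guessing run produces
    if pstdev(gaps) / mean(gaps) <= max_jitter:
        return "periodic"   # fixed timer, e.g. a mail client's check interval
    return "irregular"


if __name__ == "__main__":
    for (service, source), gaps in intervals(SAMPLE).items():
        print(service, source, gaps, classify(gaps))
```
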
Title: Re: Attack ??
Post by: Rick on April 01, 2001, 12:37:22 PM
It seems to be someone who did not configure his email client properly now. The interval is still at 5 minutes, and only during office hours. Is there a way to figure out who is the person behind this mistake?
Title: Re: Attack ??
Post by: Fran Boon on April 02, 2001, 12:12:36 AM
Check /var/log/secure

This should show which user is using either POP-3 or IMAP continually...

F