Koozali.org: home of the SME Server
Topic started by: Reinhold on October 10, 2003, 01:41:25 AM
-
What's this guy up to?
(I did search the forum, googled and looked at security pages to no avail)
He comes once a day and leaves this in the kernel.log (6.03b,gateway&server):
----------------------------------------------------------------------------------------------------------------
Oct 8 17:19:16 mysmeserver oidentd[18717]: Connection from mx3.evanzo-server.de (81.209.142.20):42551
Oct 8 17:19:16 mysmeserver oidentd[18717]: [81.209.142.20] (Masqueraded) Successful lookup: 3083 , 110 : user65
Oct 8 17:19:27 mysmeserver oidentd[18722]: Connection from mx3.evanzo-server.de (81.209.142.20):42599
Oct 8 17:19:27 mysmeserver oidentd[18722]: [81.209.142.20] (Masqueraded) Successful lookup: 3089 , 110 : user65
----------------------------------------------------------------------------------------------------------------
Oct 9 20:47:40 mysmeserver oidentd[5722]: Connection from mx3.evanzo-server.de (81.209.142.20):51078
Oct 9 20:47:40 mysmeserver oidentd[5722]: [81.209.142.20] (Masqueraded) Successful lookup: 1049 , 110 : user65
Oct 9 20:47:41 mysmeserver oidentd[5727]: Connection from mx3.evanzo-server.de (81.209.142.20):51090
Oct 9 20:47:41 mysmeserver oidentd[5727]: [81.209.142.20] (Masqueraded) Successful lookup: 1055 , 110 : user65
-----------------------------------------------------------------------------------------------------------------
I also looked at the (assumed) source:
http://ojnk.sourceforge.net/
to check for some security issue - none seen in patch-log.
Thanks
Reinhold
-
Reinhold wrote:
> What's this guy up to?
...
> Oct 8 17:19:16 mysmeserver oidentd[18717]: Connection from
> mx3.evanzo-server.de (81.209.142.20):42551
> Oct 8 17:19:16 mysmeserver oidentd[18717]: [81.209.142.20]
> (Masqueraded) Successful lookup: 3083 , 110 : user65
The user of your workstation 192.168.x.65 is collecting pop mail from mx3.evanzo-server.de. mx3.evanzo-server.de is asking your server (via the ident protocol) the name of the user making the connection. Your server is giving the synthesized answer of "user65".
See:
http://www.faqs.org/rfcs/rfc1413.html
for more information (than you probably want).
Charlie
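The ident lookups described in the reply above, read back out of the oidentd lines from the first post. This is an added example, not part of the original thread: it joins each ident query to its reply by oidentd PID and reports which remote host asked, about which outbound connection, and what name it was given. The service-name table and the optional "(Masqueraded)" handling are assumptions.

```python
import re
from collections import defaultdict

# Four of the oidentd lines from the first post, copied unchanged.
SAMPLE_LOG = """\
Oct 8 17:19:16 mysmeserver oidentd[18717]: Connection from mx3.evanzo-server.de (81.209.142.20):42551
Oct 8 17:19:16 mysmeserver oidentd[18717]: [81.209.142.20] (Masqueraded) Successful lookup: 3083 , 110 : user65
Oct 9 20:47:40 mysmeserver oidentd[5722]: Connection from mx3.evanzo-server.de (81.209.142.20):51078
Oct 9 20:47:40 mysmeserver oidentd[5722]: [81.209.142.20] (Masqueraded) Successful lookup: 1049 , 110 : user65
"""

CONN = re.compile(r"oidentd\[(\d+)\]: Connection from (\S+) \(([\d.]+)\):(\d+)")
# Assumption: replies for non-masqueraded connections lack the "(Masqueraded)" tag.
LOOKUP = re.compile(r"oidentd\[(\d+)\]: \[([\d.]+)\] (\(Masqueraded\) )?"
                    r"Successful lookup: (\d+) , (\d+) : (\S+)")
# Remote service ports worth naming in the report (illustrative subset).
SERVICES = {25: "smtp", 110: "pop3", 143: "imap", 6667: "irc"}

def summarize(log_text):
    """Join each ident query to its reply by oidentd PID."""
    asker = {}  # pid -> (hostname, ip) of the host that sent the ident query
    events = []
    for line in log_text.splitlines():
        if m := CONN.search(line):
            asker[m.group(1)] = (m.group(2), m.group(3))
        elif m := LOOKUP.search(line):
            pid, ip, masq, lport, fport, user = m.groups()
            host = asker.get(pid, (None, ip))[0]
            events.append({
                "queried_by": host or ip,       # who asked "who is this user?"
                "local_port": int(lport),       # source port of the LAN client's connection
                "remote_port": int(fport),      # service port on the asking host
                "service": SERVICES.get(int(fport), "unknown"),
                "masqueraded": masq is not None,
                "reply": user,                  # name handed to the remote host
            })
    return events

def disclosed_names(events):
    """Map each querying host to the set of user names it was given."""
    out = defaultdict(set)
    for e in events:
        out[e["queried_by"]].add(e["reply"])
    return dict(out)

if __name__ == "__main__":
    for e in summarize(SAMPLE_LOG):
        print(e)
```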
-
Perfect pro answer - Thanks Charlie!!!
Funny thing is "user65" doesn't know about this mailserver.
A "test" then showed us that when he is fetching mail from a URL like: "pop.mygamebox.de"
...this completely different "mx3.evanzo-server.de" is o"ident"-ifying him.
Learned something new.
Now if somebody could just tell me what those packets to port "1412" could possibly mean ...
Reinhold