Security Incidents mailing list archives

Re: Maillog Suspicious


From: chrisr () VERIMAIL COM (Christopher Rhodes)
Date: Wed, 12 Jan 2000 10:20:42 -0700


        NOQUEUE means a client connected and then disconnected before it
could tell the mail server who it was.  This is fairly common, especially
with Windows clients.  It looks like they tried, then got frustrated, hit
the button several times, then waited and tried again.

        Router problems on our internet link sometimes cause timeouts on
finicky Windows clients.

        If you're using Red Hat, you'll have to build your own logs, pretty
much.  If you're using Debian, install the paranoia demons.  In either
case, set up the firewall on the machine to log denied connections and
look in your logs for a significant number of connections to many ports
that aren't related to 'usual' log traffic.

Hope that helps out.

-------------------------------------------------------------------------
"Note:  The information contained in this message and any attachments to
it may be privileged and confidential.  If the reader of this message is
not the intended recipient or the recipient's appointed agent, you are
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited.  If you have received this
communication in error, please notify us immediately by replying to the
message and deleting it from your computer."
-------------------------------------------------------------------------

On Wed, 12 Jan 2000, flirtingboy20 wrote:

Hi all, I am a bit new to Linux administration, and am trying my best to make my box very secure. So I've looked at
my log files in /var/log and found something very strange. Here is the log:

Dec 26 01:47:29 MOD2000 sendmail[1054]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:47:51 MOD2000 sendmail[1062]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:47:52 MOD2000 sendmail[1057]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:47:55 MOD2000 sendmail[1067]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: "debug" command from pa149.zgora.ppp.tpnet.pl [212.160.14.149] (212.160.14.149)
Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:48:01 MOD2000 sendmail[1071]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
Dec 26 01:48:02 MOD2000 sendmail[1072]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn news
Dec 26 01:48:02 MOD2000 sendmail[1074]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn postmaster
Dec 26 01:48:03 MOD2000 sendmail[1075]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn majordomo
Dec 26 01:48:04 MOD2000 sendmail[1076]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn decode
Dec 26 01:48:05 MOD2000 sendmail[1077]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
Dec 26 01:48:05 MOD2000 sendmail[1070]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: EXPN attack?
Dec 26 01:48:06 MOD2000 sendmail[1078]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn admin
Dec 26 01:50:27 MOD2000 sendmail[1086]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]

Can anyone tell me exactly what this all means?

Oh yeah, and another thing: which files do I check to look for port probing?

Many Thanks
Adriaan



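The following is an added example, written for this archive page and not code from either poster, that puts Christopher Rhodes' explanation into practice against Adriaan's log: it groups sendmail NOQUEUE entries by client, separates clients that only ever produce "Null connection" entries (the flaky-client case Rhodes describes) from clients that issue EXPN/VRFY or the old "debug" command (a mailbox-enumeration probe, which sendmail itself flagged here as "EXPN attack?"), and then does the "connections to many ports" check Rhodes recommends over firewall deny lines. The sendmail sample lines are taken from the log in the post plus one constructed benign client on an RFC 5737 test address; the firewall lines are constructed in netfilter (iptables LOG target) format with a "DENY" log prefix rather than the ipchains format a 2000-era kernel would have produced, so FW_RE is an assumption to adjust for your own kernel's output.

```python
"""Triage sendmail NOQUEUE entries and firewall deny logs for probing activity."""
import re
from collections import defaultdict

# Sample data: the first six lines are copied from the log in the original post;
# the last line is a constructed benign client (RFC 5737 test address).
SENDMAIL_LOG = """\
Dec 26 01:47:29 MOD2000 sendmail[1054]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:47:51 MOD2000 sendmail[1062]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: "debug" command from pa149.zgora.ppp.tpnet.pl [212.160.14.149] (212.160.14.149)
Dec 26 01:48:01 MOD2000 sendmail[1071]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
Dec 26 01:48:02 MOD2000 sendmail[1072]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn news
Dec 26 01:48:05 MOD2000 sendmail[1070]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: EXPN attack?
Dec 26 02:10:11 MOD2000 sendmail[1101]: NOQUEUE: Null connection from dialup-7.example.net [192.0.2.7]
"""

# Constructed firewall lines in netfilter (iptables LOG target) format with a
# "DENY" --log-prefix. The ipchains format of a 2000-era kernel differs; adjust
# FW_RE to whatever your firewall actually writes.
FIREWALL_LOG = """\
Dec 26 01:45:02 MOD2000 kernel: DENY IN=eth0 OUT= SRC=212.160.14.149 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=1029 DPT=21 SYN
Dec 26 01:45:02 MOD2000 kernel: DENY IN=eth0 OUT= SRC=212.160.14.149 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=1030 DPT=23 SYN
Dec 26 01:45:03 MOD2000 kernel: DENY IN=eth0 OUT= SRC=212.160.14.149 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=1031 DPT=79 SYN
Dec 26 01:45:03 MOD2000 kernel: DENY IN=eth0 OUT= SRC=212.160.14.149 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=1032 DPT=110 SYN
Dec 26 01:45:04 MOD2000 kernel: DENY IN=eth0 OUT= SRC=212.160.14.149 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=1033 DPT=111 SYN
Dec 26 01:45:04 MOD2000 kernel: DENY IN=eth0 OUT= SRC=212.160.14.149 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=1034 DPT=143 SYN
Dec 26 01:59:40 MOD2000 kernel: DENY IN=eth0 OUT= SRC=192.0.2.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=2201 DPT=113 SYN
"""

NOQUEUE_RE = re.compile(r"sendmail\[\d+\]: NOQUEUE: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
# EXPN/VRFY enumerate mailboxes; "debug"/"wiz" are old sendmail commands that
# modern versions refuse and log, but scanners still try them.
CMD_RE = re.compile(
    r'^(?:\S+ \[[\d.]+\]: (?P<verb>expn|vrfy) (?P<arg>\S+)|"(?P<cmd>\w+)" command from)', re.I
)
FW_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dpt>\d+)")


def triage_noqueue(log_text, null_threshold=3):
    """Group NOQUEUE entries by client IP and decide whether each client looks
    like a flaky mail client (only null connections) or an SMTP recon probe."""
    clients = defaultdict(lambda: {"null": 0, "probes": [], "sendmail_flag": False})
    for line in log_text.splitlines():
        m = NOQUEUE_RE.search(line)
        ip = CLIENT_RE.search(line)
        if not m or not ip:
            continue
        rec = clients[ip.group("ip")]
        msg = m.group("msg")
        if msg.startswith("Null connection from"):
            rec["null"] += 1                      # connect, then hang up: no SMTP dialogue
        elif msg.endswith("EXPN attack?"):
            rec["sendmail_flag"] = True           # sendmail's own EXPN-rate heuristic tripped
        else:
            cmd = CMD_RE.match(msg)
            if cmd:
                rec["probes"].append(cmd.group("cmd") or f"{cmd.group('verb')} {cmd.group('arg')}".lower())
    for rec in clients.values():
        if rec["probes"] or rec["sendmail_flag"]:
            rec["verdict"] = "smtp-recon"
        elif rec["null"] >= null_threshold:
            rec["verdict"] = "repeated-null-connections"   # likely retries/timeouts, watch it
        else:
            rec["verdict"] = "noise"
    return dict(clients)


def port_probers(log_text, min_ports=5, usual_ports=frozenset({25})):
    """Return {src: sorted distinct denied ports} for sources that were denied on
    at least min_ports distinct ports, ignoring ports where denies are routine."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and int(m.group("dpt")) not in usual_ports:
            ports[m.group("src")].add(int(m.group("dpt")))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for ip, rec in triage_noqueue(SENDMAIL_LOG).items():
        print(f"{ip}: {rec['verdict']} (null={rec['null']}, probes={rec['probes']})")
    for src, plist in port_probers(FIREWALL_LOG).items():
        print(f"{src}: denied on {len(plist)} distinct ports {plist}")
```

On the post's data the tpnet.pl dial-up host comes out as "smtp-recon" because of the debug and expn commands, while the constructed dial-up client with a single null connection is just noise. Raise null_threshold or usual_ports to match what your own legitimate clients normally generate, since a handful of null connections from one address is exactly the Windows-client retry pattern described in the reply.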