Security Incidents mailing list archives

Maillog Suspicious

From: flirtingboy20 () YAHOO COM (flirtingboy20)
Date: Wed, 12 Jan 2000 00:03:45 +0200


Hi all, I am a bit new to Linux Administrator, and are trying my best to make my box very secure. So I've looked at my 
log files
in /var/log and found something very strange. Here is the log:

Dec 26 01:47:29 MOD2000 sendmail[1054]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:47:51 MOD2000 sendmail[1062]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:47:52 MOD2000 sendmail[1057]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:47:55 MOD2000 sendmail[1067]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: "debug" command from pa149.zgora.ppp.tpnet.pl [212.160.14.149] 
(212.160.14.149)
Dec 26 01:48:00 MOD2000 sendmail[1069]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]
Dec 26 01:48:01 MOD2000 sendmail[1071]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
Dec 26 01:48:02 MOD2000 sendmail[1072]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn news
Dec 26 01:48:02 MOD2000 sendmail[1074]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn postmaster
Dec 26 01:48:03 MOD2000 sendmail[1075]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn majordomo
Dec 26 01:48:04 MOD2000 sendmail[1076]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn decode
Dec 26 01:48:05 MOD2000 sendmail[1077]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn root
Dec 26 01:48:05 MOD2000 sendmail[1070]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: EXPN attack?
Dec 26 01:48:06 MOD2000 sendmail[1078]: NOQUEUE: pa149.zgora.ppp.tpnet.pl [212.160.14.149]: expn admin
Dec 26 01:50:27 MOD2000 sendmail[1086]: NOQUEUE: Null connection from pa149.zgora.ppp.tpnet.pl [212.160.14.149]

Can anyone tell me exactly what this all mean?

O yeah and another thing, which files to I check to look for port probing?

Many Thanks
Adriaan

Current thread:

Re: Log tools?, (continued)
- - - Re: Log tools? Richard Trott (Jan 17)
    - Re: Log tools? Pauline van Winsen (Jan 18)
    - AMD/Port 100099 and portmap Daniel K. Boyd (Jan 18)
    - Re: AMD/Port 100099 and portmap CyberPsychotic (Jan 18)
    - Large quantity of traffic from amazon.com - source_port 3000 Peter Bates (Jan 13)
    - Re: Port 4 Lutz Pressler (Jan 12)
    - Re: Port 4 Vanja Hrustic (Jan 13)
    - New vulnerability (fwd) Alfred Huger (Jan 13)
    - An Embryonic Counterintelligence Tool Stephen P. Berry (Jan 14)
    - Re: An Embryonic Counterintelligence Tool Vanja Hrustic (Jan 18)
    - Maillog Suspicious flirtingboy20 (Jan 11)
    - Re: Maillog Suspicious David A. Bandel (Jan 11)
    - Re: Maillog Suspicious James Phillips (Jan 11)
    - Re: Maillog Suspicious Yiorgos Adamopoulos (Jan 11)
    - strange entrys in /var/log/messages Ben Russell (Jan 11)
    - Re: strange entrys in /var/log/messages Christopher Wilson (Jan 12)
    - Re: strange entrys in /var/log/messages Robert Graham (Jan 12)
    - Re: Maillog Suspicious Jose Nazario (Jan 11)
    - Re: Maillog Suspicious Larry W. Cashdollar (Jan 11)
    - Attempted port scans. Steve (Jan 11)
    - Re: Maillog Suspicious Khetan Gajjar (Jan 11)

(Thread continues...)