Security Incidents mailing list archives

Unusual Message log contents


From: Gregory Kane <gregory.kane () us army mil>
Date: 6 May 2002 14:33:49 -0000



Ok - I'm not totally sure what is going on here. Does 
anyone have a thought about this entry in my message.log 
file?

May  5 10:28:57 server1 kernel: MSDOS FS: IO charset iso8859-1
May  5 10:28:57 server1 kernel: MSDOS FS: Using codepage 850

Additionally, I have been getting hit with ftp and samba 
probes. However, this one appears to have connected - am I 
correct in my assumption?

May  6 01:33:42 server1 proftpd[14539]: server1.softwareoub (211.105.222.3[211.105.222.3]) - FTP session opened.
May  6 01:33:42 server1 proftpd[14539]: server1.softwareoub (211.105.222.3[211.105.222.3]) - FTP session closed.
May  6 01:35:39 server1 proftpd[14540]: server1.softwareoub (211.105.222.3[211.105.222.3]) - FTP session opened.
May  6 01:35:49 server1 proftpd[14540]: server1.softwareoub (211.105.222.3[211.105.222.3]) - FTP session closed.

FTP was closed to all - this was going to be set up in the 
near future to allow FTP to a public folder; however, it 
appears that someone beat me to it. Am I correct????

The apparent probes that I commonly get are like the 
following:

May  5 21:36:23 server1 proftpd[13215]: server1.softwareoub (p50871B0C.dip.t-dialin.net[80.135.27.12]) - FTP session opened.
May  5 21:36:24 server1 proftpd[13215]: server1.softwareoub (p50871B0C.dip.t-dialin.net[80.135.27.12]) - no such user 'anonymous'
May  5 21:36:24 server1 last message repeated 4 times
May  5 21:36:24 server1 proftpd[13215]: server1.softwareoub (p50871B0C.dip.t-dialin.net[80.135.27.12]) - FTP session closed.

And for Samba

May  5 22:31:07 server1 smbd[13540]: [2002/05/05 22:31:07, 0] smbd/connection.c:yield_connection(62)
May  5 22:31:07 server1 smbd[13540]:   yield_connection: tdb_delete failed with error Record does not exist.

Once again, I'm going to be working on Samba in a mixed OS 
environment in the near future.

The box has only been up for 4 days. Anyone else seeing 
this stuff?

Thanks for any input in advance.

Greg



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
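
Added example, not part of the original post: one way to group the proftpd lines quoted above into per-connection sessions by the PID in brackets, so connections that drew rejected logins can be told apart from ones that only opened and closed. It assumes the year 2002 from the message date (syslog lines carry none) and that no PID is reused within the sample; the function and field names are illustrative.

```python
import re
from datetime import datetime

# Log lines from the post above, with the e-mail line wrapping undone.
SAMPLE = """\
May  6 01:33:42 server1 proftpd[14539]: server1.softwareoub (211.105.222.3[211.105.222.3]) - FTP session opened.
May  6 01:33:42 server1 proftpd[14539]: server1.softwareoub (211.105.222.3[211.105.222.3]) - FTP session closed.
May  6 01:35:39 server1 proftpd[14540]: server1.softwareoub (211.105.222.3[211.105.222.3]) - FTP session opened.
May  6 01:35:49 server1 proftpd[14540]: server1.softwareoub (211.105.222.3[211.105.222.3]) - FTP session closed.
May  5 21:36:23 server1 proftpd[13215]: server1.softwareoub (p50871B0C.dip.t-dialin.net[80.135.27.12]) - FTP session opened.
May  5 21:36:24 server1 proftpd[13215]: server1.softwareoub (p50871B0C.dip.t-dialin.net[80.135.27.12]) - no such user 'anonymous'
May  5 21:36:24 server1 last message repeated 4 times
May  5 21:36:24 server1 proftpd[13215]: server1.softwareoub (p50871B0C.dip.t-dialin.net[80.135.27.12]) - FTP session closed.
"""

# timestamp, PID, client IP (inside the square brackets), message text
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ proftpd\[(\d+)\]: \S+ "
                  r"\(\S*\[([\d.]+)\]\) - (.*?)\s*$")
REPEAT = re.compile(r"last message repeated (\d+) times")

def summarize(text, year=2002):  # year is an assumption: syslog omits it
    """Group proftpd syslog lines into sessions keyed by daemon PID."""
    sessions, last = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, pid, ip, msg = m.groups()
            when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
            s = sessions.setdefault(
                pid, {"ip": ip, "start": when, "end": when, "failed": 0, "other": []})
            s["end"] = when
            if msg.startswith("no such user"):
                s["failed"] += 1
            elif not msg.startswith("FTP session"):
                s["other"].append(msg)  # anything else, e.g. a login result
            last = (s, msg)
            continue
        # syslog compresses duplicates; credit them to the preceding message
        r = REPEAT.search(raw)
        if r and last and last[1].startswith("no such user"):
            last[0]["failed"] += int(r.group(1))
    return sessions

if __name__ == "__main__":
    for pid, s in summarize(SAMPLE).items():
        secs = int((s["end"] - s["start"]).total_seconds())
        print(f"pid={pid} ip={s['ip']} duration={secs}s "
              f"rejected_logins={s['failed']} other={s['other']}")
```

A session that shows only the opened and closed lines, with nothing in `other`, logged a connection but no login outcome in these lines.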

