From: "Mike Loiterman"
Subject: Cracker attack...is my system compromised?
Date: Mon, 25 Nov 2002 16:32:48 -0600
Delivered-To: freebsd-questions@freebsd.org

First, I'm sending this from a mail account that is not subscribed to the list, so please cc me. I'm doing this because my mail server runs off of a dynamic IP address via DNS2GO. AT&T recently changed my dynamic IP, which I had had for over a year, to a new one. The top-level DNS servers have not caught up with this change yet. The result is bounced mail to *@freebsd.org because of a failure to resolve a reverse hostname lookup.

On to my question: the past few days have seen some strange activity in my log files.
11/25/2002 Security Report:

25 02:14:46 fat_man sendmail[16217]: gAP8Ekh16217: SYSERR: putoutmsg (www.nakorinthias.gr): error on output channel sending "220 fat_man.ascendency.net ESMTP Sendmail 8.11.6/8.11.6; Mon, 25 Nov 2002 02:14:46 -0600 (CST)": Broken pipe

11/24/2002 Security Report

> 44:59 fat_man last message repeated 2 times
> Nov 23 16:23:03 fat_man sshd[80281]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
> Nov 23 16:24:32 fat_man sshd[80292]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
> arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
> Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
> arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
> Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
> arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
> Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
> arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
> Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
> arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
> Nov 23 18:31:39 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0

11/23/2002 Daily run report

fat_man.ascendency.net group diffs:
16a17
> cyrus:*:60:daemon
30d30
< cyrus:*:60:daemon

What's going on here? I just changed most of my passwords and changed the root password to an 18-digit alphanumeric string. I have SMTP-AUTH on and working; all relays have been turned off. I checked my /etc/hosts, groups, passwd as well as "last" and everything appears to be secure. I have restricted sshd to only one particular IP, firewalled off all unnecessary ports and removed everything possible from hosts.allow. I'm running 8.11.6 sendmail, but can't find the version of ssh. Do I need to do anything else? This appears to be a program running various probes to determine my system's security level. Am I wrong?

...........................................
Randomly Generated Quote: Insert funny but obscure remark here.

Mike Loiterman
PGP Key 0xD1B9D18E
http://www.ascendency.net
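As an added triage example (not part of the original post or any reply to it), the following parser runs over the report lines quoted above and separates an ARP entry that moved once (a device swapped or re-addressed) from one that flaps between two MAC addresses (two hosts answering for the same IP, which is either a duplicate address on the LAN or spoofed ARP replies), and tallies the tcp_wrappers name-mismatch warnings. The sample lines are copied from the 11/24 report; the verdict labels are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the 11/24/2002 security report quoted in the post above
# (the duplicate un-timestamped copy of each arp line dropped).
SAMPLE_LOG = """\
Nov 23 16:23:03 fat_man sshd[80281]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
Nov 23 16:24:32 fat_man sshd[80292]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 18:31:39 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
"""

ARP_RE = re.compile(r"arp: (\S+) moved from (\S+) to (\S+) on (\S+)")
MISMATCH_RE = re.compile(r"host name/name mismatch: (\S+) != (\S+)")

def arp_moves(log):
    """Per IP, the ordered list of (old_mac, new_mac) transitions in the log."""
    moves = defaultdict(list)
    for ip, old, new, _iface in ARP_RE.findall(log):
        moves[ip].append((old, new))
    return dict(moves)

def classify_arp(log):
    """'moved-once': one change (a device swapped or re-addressed).  'flapping':
    a MAC came back after being replaced, i.e. two hosts keep answering for the
    same IP (duplicate address on the LAN, or spoofed ARP replies)."""
    verdict = {}
    for ip, trans in arp_moves(log).items():
        seen = [trans[0][0]]  # MAC history, starting from the first old value
        flapping = False
        for _old, new in trans:
            flapping = flapping or new in seen
            seen.append(new)
        verdict[ip] = "flapping" if flapping else "moved-once"
    return verdict

def mismatch_counts(log):
    """Tally tcp_wrappers forward/reverse name mismatch warnings per name pair."""
    counts = defaultdict(int)
    for pair in MISMATCH_RE.findall(log):
        counts[pair] += 1
    return dict(counts)
```

A "flapping" verdict is worth checking on the wire (tcpdump arp on the interface) before concluding anything, since a cloned-MAC router or a laptop that shares an address with a desktop produces exactly the same kernel messages.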