Saturday, March 12, 2005, 3:41:04 PM, Peter Bowyer wrote:
> No, I'm not sure - nor could anyone be from the log snippet you
> posted. All it shows is an attempt to mail the contents of a passwd
> file. I made an intelligent guess, that's all.
Ah fair enough, the IP shown is not my server, it is some user in
Spain.
> And I've no way of knowing whether that's one of your IPs or not.
> Have you scanned your server for any other signs of intrusion (rootkits etc.)?
I just redownloaded the chkrootkit package from FreeBSD as a binary
package and it gives the all clear. I am about to examine the lsof
output in detail.
But my point is, the content is from my server with incoming
connection from remote server 81.60.208.97/DWM-97-208.go.retevision.es
(/etc/group files and /etc/services) rather than the passwd+master
files.
I get loads of rejected rubbish incoming connections but this one is
by far the most unusual and most likely serious.
--
Best regards,
Subhi S Hashwa mailto:lists@subhi.com
When everything is heading your way, you're in the wrong lane.