BEGIN REPORT
------------------------------
Syslog Report on bob

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Nov 6 - 1 times(s): bob stunnel: x.x.x.x.51400 connected from 127.0.0.1:1258
Nov 6 - 2 times(s): bob kernel: No module symbols loaded - kernel modules not enabled.
Nov 6 - 2 times(s): bob kernel: Symbols match kernel version 2.4.9.
Nov 6 - 2 times(s): bob stunnel: x.x.x.x.51400 connected from 127.0.0.1:1280
------------------------------
Syslog Report on manic

Security Violations
=-=-=-=-=-=-=-=-=-=
Nov 6 - 1 times(s): manic su: + pts/1 root-nate
Nov 6 - 2 times(s): manic postfix/smtpd: reject: RCPT from unknown[123.124.125.126]: 450 Client host rejected: cannot find your hostname, [123.124.125.126]; from= to=
Nov 6 - 2 times(s): manic su: + ??? root-list

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Nov 6 - 1 times(s): manic /USR/SBIN/CRON: (root) CMD (/usr/local/bandmin/bandminhtml)
Nov 6 - 1 times(s): manic /USR/SBIN/CRON: (root) CMD (/usr/local/psionic/logcheck/newlogcheck.sh)
Nov 6 - 1 times(s): manic ntpdate: step time server 16.1.0.4 offset 0.117116 sec
Nov 6 - 1 times(s): manic ntpdate: step time server 16.1.0.4 offset 0.117331 sec
Nov 6 - 1 times(s): manic stunnel: 127.0.0.1.5140 connected from x.x.x.x:36291
Nov 6 - 1 times(s): manic stunnel: 127.0.0.1.5140 connected from x.x.x.x:1259
Nov 6 - 1 times(s): manic stunnel: 127.0.0.1.5140 connected from x.x.x.x:54054
Nov 6 - 1 times(s): manic stunnel: Connection closed: 0 bytes sent to SSL, 101884 bytes sent to socket
Nov 6 - 1 times(s): manic stunnel: Connection closed: 0 bytes sent to SSL, 32649 bytes sent to socket
Nov 6 - 1 times(s): manic stunnel: Connection closed: 0 bytes sent to SSL, 49346 bytes sent to socket
Nov 6 - 1 times(s): manic su: + pts/1 root-nate
Nov 6 - 1 times(s): manic syslog-ng: AF_INET client dropped connection from 127.0.0.1, port 34382
Nov 6 - 1 times(s): manic syslog-ng: AF_INET client dropped connection from 127.0.0.1, port 34383
Nov 6 - 1 times(s): manic syslog-ng: AF_INET client dropped connection from 127.0.0.1, port 34384
Nov 6 - 15 times(s): manic /USR/SBIN/CRON: (list) CMD ([ -x /usr/bin/python -a -f /usr/lib/mailman/cron/gate_news ] && /usr/bin/python /usr/lib/mailman/cron/gate_news)
Nov 6 - 2 times(s): manic /USR/SBIN/CRON: (list) CMD ([ -x /usr/bin/python -a -f /usr/lib/mailman/cron/run_queue ] && /usr/bin/python /usr/lib/mailman/cron/run_queue)
Nov 6 - 2 times(s): manic /USR/SBIN/CRON: (root) CMD (/usr/sbin/ntpdate -b -s 16.1.0.4 129.127.28.4 129.132.98.11)
Nov 6 - 2 times(s): manic PAM_unix: (su) session opened for user list by (uid=0)
Nov 6 - 2 times(s): manic ntpdate: step time server 16.1.0.4 offset 0.117178 sec
Nov 6 - 2 times(s): manic ntpdate: step time server 16.1.0.4 offset 0.117419 sec
Nov 6 - 2 times(s): manic postfix/smtpd: reject: RCPT from unknown[123.124.125.126]: 450 Client host rejected: cannot find your hostname, [123.124.125.126]; from= to=
Nov 6 - 2 times(s): manic su: + ??? root-list
------------------------------
Syslog Report on notrealname

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Connect from host: 210.99.13.125/210.99.13.125 to TCP port: 111
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host 151.21.226.96 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 151.21.226.96 -j DROP;/usr/local/sbin/iptables -I FORWARD -s 151.21.226.96 -j DROP"
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host 200.29.137.117 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 200.29.137.117 -j DROP;/usr/local/sbin/iptables -I FORWARD -s 200.29.137.117 -j DROP"
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host 210.99.13.125 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 210.99.13.125 -j DROP;/usr/local/sbin/iptables -I FORWARD -s 210.99.13.125 -j DROP"
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host 63.65.100.66 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 63.65.100.66 -j DROP;/usr/local/sbin/iptables -I FORWARD -s 63.65.100.66 -j DROP"
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host: 151.21.226.96 is already blocked. Ignoring
Nov 5 - 4 times(s): notrealname portsentry: attackalert: Connect from host: ppp-96-226.21-151.libero.it/151.21.226.96 to TCP port: 21

Security Violations
=-=-=-=-=-=-=-=-=-=
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Connect from host: 210.99.13.125/210.99.13.125 to TCP port: 111
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host 151.21.226.96 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 151.21.226.96 -j DROP;/usr/local/sbin/iptables -I FORWARD -s 151.21.226.96 -j DROP"
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host 200.29.137.117 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 200.29.137.117 -j DROP;/usr/local/sbin/iptables -I FORWARD -s 200.29.137.117 -j DROP"
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host 210.99.13.125 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 210.99.13.125 -j DROP;/usr/local/sbin/iptables -I FORWARD -s 210.99.13.125 -j DROP"
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host 63.65.100.66 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 63.65.100.66 -j DROP;/usr/local/sbin/iptables -I FORWARD -s 63.65.100.66 -j DROP"
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host: 151.21.226.96 is already blocked. Ignoring
Nov 5 - 4 times(s): notrealname portsentry: attackalert: Connect from host: ppp-96-226.21-151.libero.it/151.21.226.96 to TCP port: 21

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Connect from host: 210.99.13.125/210.99.13.125 to TCP port: 111
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host 151.21.226.96 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 151.21.226.96 -j DROP;/usr/local/sbin/iptables -I FORWARD -s 151.21.226.96 -j DROP"
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host 200.29.137.117 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 200.29.137.117 -j DROP;/usr/local/sbin/iptables -I FORWARD -s 200.29.137.117 -j DROP"
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host 210.99.13.125 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 210.99.13.125 -j DROP;/usr/local/sbin/iptables -I FORWARD -s 210.99.13.125 -j DROP"
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host 63.65.100.66 has been blocked via dropped route using command: "/usr/local/sbin/iptables -I INPUT -s 63.65.100.66 -j DROP;/usr/local/sbin/iptables -I FORWARD -s 63.65.100.66 -j DROP"
Nov 5 - 2 times(s): notrealname portsentry: attackalert: Host: 151.21.226.96 is already blocked. Ignoring
Nov 5 - 4 times(s): notrealname portsentry: attackalert: Connect from host: ppp-96-226.21-151.libero.it/151.21.226.96 to TCP port: 21
------------------------------
Syslog Report on potato

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Nov 6 - 1 times(s): potato ntpdate: step time server 16.1.0.4 offset 0.018903 sec
Nov 6 - 1 times(s): potato stunnel: manic.51400 connected from 127.0.0.1:54053
Nov 6 - 2 times(s): potato kernel: Kernel log daemon terminating.
Nov 6 - 2 times(s): potato kernel: Kernel logging (proc) stopped.
Nov 6 - 2 times(s): potato ntpdate: step time server 16.1.0.4 offset 0.017499 sec
Nov 6 - 2 times(s): potato ntpdate: step time server 16.1.0.4 offset 0.019840 sec
Nov 6 - 2 times(s): potato stunnel: manic.51400 connected from 127.0.0.1:54075
END OF REPORT