[ale] Error messages

James Sumners james at sumners.ath.cx
Wed Mar 17 23:18:11 EST 2004


It isn't too difficult to delete logins from the log if you have root access to
the box.

On Wed, 17 Mar 2004 22:31:18 -0500
"Nick Travis" <lists at wormfishin.com> wrote:

> I got an email from my ISP today saying that they think I have a virus on my
> network. The public IP address that they saw the traffic on is a Linux
> webserver (running Red Hat). I checked out my /var/log/messages and this is
> what I found:
> Mar 15 04:02:00 web anacron[3212]: Updated timestamp for job `cron.daily' to
> 2004-03-15
> Mar 16 04:02:01 web anacron[3732]: Updated timestamp for job `cron.daily' to
> 2004-03-16
> Mar 16 06:09:49 web rpc.statd[362]: gethostbyname error for
> ^X???^X???^Y???^Y???^Z???^Z???^[???^[???bffff750 8049710 8052c1868746567
> 6274736f6d616e797265206520726f7220726f66
> 
>     bffff718
>          bffff719  bffff71a
> 
> bffff71b~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> Mar 16 06:51:26 web kernel: linsniffer uses obsolete (PF_INET,SOCK_PACKET)
> Mar 16 06:51:26 web kernel: eth0: Promiscuous mode enabled.
> Mar 16 06:51:26 web kernel: device eth0 entered promiscuous mode
> Mar 16 09:37:37 web kernel: neighbour table overflow
> Mar 16 09:37:37 web last message repeated 9 times
> Mar 16 09:38:37 web kernel: NET: 253 messages suppressed.
> Mar 16 09:38:37 web kernel: neighbour table overflow
> Mar 16 09:38:39 web last message repeated 9 times
> Mar 16 09:38:45 web kernel: NET: 220 messages suppressed.
> Mar 16 09:38:45 web kernel: neighbour table overflow
> Mar 16 09:38:47 web kernel: NET: 962 messages suppressed.
> Mar 16 09:38:47 web kernel: neighbour table overflow
> Mar 16 09:38:52 web kernel: NET: 3353 messages suppressed.
> Mar 16 09:38:52 web kernel: neighbour table overflow
> Mar 16 09:38:57 web kernel: NET: 3638 messages suppressed.
> Mar 16 09:38:57 web kernel: neighbour table overflow
> Mar 16 09:39:02 web kernel: NET: 3482 messages suppressed.
> Mar 16 09:39:02 web kernel: neighbour table overflow
> Mar 16 09:39:07 web kernel: NET: 3524 messages suppressed.
> Mar 16 09:39:07 web kernel: neighbour table overflow
> Mar 16 09:39:12 web kernel: NET: 3526 messages suppressed.
> Mar 16 09:39:12 web kernel: neighbour table overflow
> Mar 16 09:39:17 web kernel: NET: 3525 messages suppressed.
> 
> I continued getting these messages every 5 seconds until 3:30pm on the 16th
> and it suddenly stopped.  Has anyone seen this before?  According to the log
> file the last time someone logged in was the 14th, which was me, and I'm the
> only one with access to the system.  My ISP gave me the following log:
> 
> Time Zone: UTC
> 
> Event Date Time, Destination IP, IP Protocol, Target Port, Issue
> Description, Source Port, Event Count
> 
> EventRecord: 16 Mar 2004 20:01:47, 10.1.x.x, 6, 111, RPC Exploits, 3990, 1
> 
> EventRecord: 16 Mar 2004 19:59:28, 69.162.x.x, 6, 111, RPC Exploits, 4699, 1
> 
> EventRecord: 16 Mar 2004 19:57:50, 69.162.x.x, 6, 111, RPC Exploits, 4766, 1
> 
> EventRecord: 16 Mar 2004 19:26:16, 69.140.x.x, 6, 111, RPC Exploits, 4730, 1
> 
> EventRecord: 16 Mar 2004 18:05:04, 69.81.x.x, 6, 111, RPC Exploits, 3428, 1
> 
> EventRecord: 16 Mar 2004 16:53:43, 69.40.x.x, 6, 111, RPC Exploits, 3267, 1
> 
> EventRecord: 16 Mar 2004 15:19:00, 69.22.x.x, 6, 111, RPC Exploits, 3433, 1
> 
> Any thoughts would be greatly appreciated.
> 
> 
> 
> Nick
> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale


-- 

I used to be interested in Windows NT, but the more I see of it the more it
looks like traditional Windows with a stabler kernel. I don't find anything
technically interesting there. In my opinion MS is a lot better at making money
than it is at making good operating systems.  -- Linus Torvalds
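
As an added example for this thread (not code from either poster): a small Python triage script that parses syslog lines modelled on the quoted /var/log/messages excerpt and counts the three indicators it contains: an rpc.statd gethostbyname "name" that is not a hostname, a sniffer putting eth0 into promiscuous mode, and neighbour table overflow bursts. The sample lines, the statd bytes and the category names are constructed.

```python
import re
from collections import Counter

# Constructed sample modelled on the quoted excerpt; the statd bytes are illustrative.
SAMPLE_LOG = (
    "Mar 15 04:02:00 web anacron[3212]: Updated timestamp for job `cron.daily' to 2004-03-15\n"
    "Mar 16 06:09:49 web rpc.statd[362]: gethostbyname error for "
    "\x18\xff\xff\xff\x19\xff\xff\xffbffff750 8049710 8052c18\x90\x90\x90\x90\x90\x90\n"
    "Mar 16 06:51:26 web kernel: linsniffer uses obsolete (PF_INET,SOCK_PACKET)\n"
    "Mar 16 06:51:26 web kernel: device eth0 entered promiscuous mode\n"
    "Mar 16 09:37:37 web kernel: neighbour table overflow\n"
    "Mar 16 09:37:37 web last message repeated 9 times\n"
    "Mar 16 09:38:37 web kernel: neighbour table overflow\n"
)

# Classic syslog: timestamp, host, then "proc[pid]: msg" or "last message repeated N times".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:(?P<proc>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)"
    r"|last message repeated (?P<rep>\d+) times)$"
)

def classify(proc, msg):
    """Map one parsed syslog message to an indicator category, or None if benign."""
    if proc == "rpc.statd" and "gethostbyname error" in msg:
        # A hostname is printable ASCII; control bytes, 0x90 runs or long hex mean a crafted request.
        if re.search(r"[^\x20-\x7e]", msg) or re.search(r"[0-9a-f]{16,}", msg):
            return "statd-crafted-request"
    if proc == "kernel":
        if "romiscuous mode" in msg or "SOCK_PACKET" in msg:
            return "sniffer-started"  # something on the host is capturing traffic
        if "neighbour table overflow" in msg:
            return "neigh-table-overflow"  # ARP cache hit its limit: many local addresses touched in a burst
    return None

def scan(text):
    """Count indicators; syslogd's 'last message repeated N times' is credited to the line before it."""
    counts, prev = Counter(), None
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        if m["rep"] is not None and prev:
            counts[prev] += int(m["rep"])
        elif m["rep"] is None:
            prev = classify(m["proc"], m["msg"])
            if prev:
                counts[prev] += 1
    return counts
```

A crafted statd request followed within the hour by a sniffer is a host compromise rather than the "virus" the ISP described, and, as the reply above notes, the login records on such a host cannot be trusted to show who got in.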
