I'm just starting with Linux (this is day 3 running FC4) and I don't know what is behind this SMTP conversation that I captured when I ran Ethereal overnight. I know I didn't start it. Have I been cracked already? Or is FC4 supposed to do this automatically?
I included some packet summaries and some of the contents that seemed important.
=======================================================
794 18222.182183 127.0.0.1 127.0.0.1 SMTP Response: 220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4; Wed, 20 Jul 2005
Response: 220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4; Wed, 20 Jul 2005 04:02:09 -0700\r\n
796 18222.182684 127.0.0.1 127.0.0.1 SMTP Command: EHLO S0106000b6a7905f1.vs.shawcable.net
797 18222.182931 127.0.0.1 127.0.0.1 TCP smtp > 39493 [ACK] Seq=90 Ack=42 Win=32768 Len=0 TSV=18429364 TSER=18429363
798 18222.183218 127.0.0.1 127.0.0.1 SMTP Response: 250-localhost.localdomain Hello localhost.localdomain [127.0.0.1], pleased to meet you
Simple Mail Transfer Protocol
Response: 250-localhost.localdomain Hello localhost.localdomain [127.0.0.1], pleased to meet you\r\n
Response code: 250
Response parameter: localhost.localdomain Hello localhost.localdomain [127.0.0.1], pleased to meet you
Response: 250-ENHANCEDSTATUSCODES\r\n
Response code: 250
Response parameter: ENHANCEDSTATUSCODES
Response: 250-PIPELINING\r\n
Response code: 250
Response parameter: PIPELINING
Response: 250-8BITMIME\r\n
Response code: 250
Response parameter: 8BITMIME
Response: 250-SIZE\r\n
Response code: 250
Response parameter: SIZE
Response: 250-DSN\r\n
Response code: 250
Response parameter: DSN
Response: 250-ETRN\r\n
Response code: 250
Response parameter: ETRN
Response: 250-AUTH DIGEST-MD5 CRAM-MD5\r\n
Response code: 250
Response parameter: AUTH DIGEST-MD5 CRAM-MD5
Response: 250-DELIVERBY\r\n
Response code: 250
Response parameter: DELIVERBY
Response: 250 HELP\r\n
Response code: 250
Response parameter: HELP
799 18222.183623 127.0.0.1 127.0.0.1 SMTP Command: MAIL From:<root@S0106000b6a7905f1.vs.shawcable.net> SIZE=6670 AUTH=root@S0106000b6a7905f1.vs.shawcable.net
--------------
Simple Mail Transfer Protocol
Command: MAIL From:<root@S0106000b6a7905f1.vs.shawcable.net> SIZE=6670 AUTH=root@S0106000b6a7905f1.vs.shawcable.net\r\n
Command: MAIL
Request parameter: From:<root@S0106000b6a7905f1.vs.shawcable.net> SIZE=6670 AUTH=root@S0106000b6a7905f1.vs.shawcable.net
-----------------
800 18222.222814 127.0.0.1 127.0.0.1 TCP smtp > 39493 [ACK] Seq=317 Ack=150 Win=32768 Len=0 TSV=18429404 TSER=18429364
----------------
801 18222.230671 127.0.0.1 127.0.0.1 SMTP Response: 250 2.1.0 <root@S0106000b6a7905f1.vs.shawcable.net>... Sender ok
---------------
802 18222.231053 127.0.0.1 127.0.0.1 SMTP Command: RCPT To:<root@S0106000b6a7905f1.vs.shawcable.net>
--------------
Message: Received: (from root@localhost)\r\n
Message: \tby S0106000b6a7905f1.vs.shawcable.net (8.13.4/8.13.4/Submit) id j6KB29xC007431\r\n
Message: \tfor root; Wed, 20 Jul 2005 04:02:09 -0700\r\n
Message: Date: Wed, 20 Jul 2005 04:02:09 -0700\r\n
Message: From: root <root@S0106000b6a7905f1.vs.shawcable.net>\r\n
Message: Message-Id: <200507201102.j6KB29xC007431@S0106000b6a7905f1.vs.shawcable.net>\r\n
Message: To: root@S0106000b6a7905f1.vs.shawcable.net\r\n
Message: Subject: LogWatch for s0106000b6a7905f1\r\n
Message: \r\n
Message: \r\n
Message: ################### LogWatch 6.1.2 (06/13/05) #################### \r\n
Message: Processing Initiated: Wed Jul 20 04:02:06 2005\r\n
Message: Date Range Processed: yesterday\r\n
Message: ( 2005-Jul-19 )\r\n
Message: Period is day.\r\n
Message: Detail Level of Output: 0\r\n
Message: Type of Output: unformatted\r\n
Message: Logfiles for Host: s0106000b6a7905f1\r\n
Message: ################################################################## \r\n
Message: \r\n
Message: --------------------- Selinux Audit Begin ------------------------ \r\n
Message: \r\n
Message: **Unmatched Entries** (Only first 10 out of 55 are printed)\r\n
Message: audit(:370
--------------------
Message: 3082): major=252 name_count=0: freeing multiple contexts (1)\r\n
Message: audit(:267284): major=113 name_count=0: freeing multiple contexts (2)\r\n
Message: The audit daemon is exiting.\r\n
Message: audit: *NO* daemon at audit_pid=1762\r\n
Message: audit(1121777713.529:3766705): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfdab780 a2=80510f8 a3=0 items=0 pid=16385 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/a
Message: audit(1121777713.529:3766705): saddr=100000000000000000000000\r\n
Message: audit(1121777713.529:3766705): nargs=6 a0=3 a1=bfdad8dc a2=10 a3=0 a4=bfdafa78 a5=c\r\n
Message: audit(1121777713.630:3766725): SELinux: unrecognized netlink message type=1009 for sclass=49\r\n
Message: audit(1121777713.630:3766725): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfdab760 a2=80510f8 a3=0 items=0 pid=16385 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/a
Message: audit(1121777713.630:3766725): saddr=100000000000000000000000 \r\n
Message: ---------------------- Selinux Audit End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: --------------------- Init Begin ------------------------ \r\n
Message: \r\n
Message: \r\n
Message: \r\n
Message: Re-execs of init: 1 times\r\n
Message: \r\n
Message: ---------------------- Init End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: --------------------- Kernel Begin ------------------------ \r\n
Message: \r\n
Message: \r\n
Message: WARNING: Kernel Errors Present\r\n
Message: Buffer I/O error on device fd0, l...: 5 Time(s)\r\n
Message: end_request: I/O error, dev fd0, sector...: 11 Time(s)\r\n
Message: lost page write due to I/O error on fd0...: 5 Time(s)\r\n
Message: \r\n
Message: ---------------------- Kernel End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: --------------------- pam_unix Begin ------------------------ \r\n
Message: \r\n
Message: gdm:\r\n
Message: Authentication Failures:\r\n
Message: rhost= : 1 Time(s)\r\n
Message: Unknown Entries:\r\n
Message: check pass; user unknown: 1 Time(s)\r\n
Message: \r\n
Message: \r\n
Message: ---------------------- pam_unix End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: --------------------- Connections (secure-log) Begin ------------------------ \r\n
Message: \r\n
Message: \r\n
Message: **Unmatched Entries**\r\n
Message: userhelper[9813]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[9816]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with root privileges on behalf of 'root'\r\n
Message: userhelper[9838]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[9841]: running '/usr/sbin/system-config-network' with root privileges on behalf of 'root'\r\n
Message: userhelper[9884]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[9887]: running '/usr/sbin/system-config-services' with root privileges on behalf of 'root'\r\n
Message: userhelper[9923]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[9926]: running '/usr/sbin/internet-druid' with root privileges on behalf of 'root'\r\n
Message: userhelper[9966]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[9969]: running '/usr/sbin/system-config-network ' with root privileges on behalf of 'root'\r\n
Message: userhelper[9999]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10002]: running '/usr/sbin/up2date' with root privileges on behalf of 'root'\r\n
Message: userhelper[9059]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[9062]: running '/usr/sbin/system-install-packages /root/Desktop/skype-1.1.0.20-fc3.i586.rpm' with root privileges on behalf of 'root'\r\n
Message: userhelper[10092]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10095]: running '/usr/sbin/system-install-packages /tmp/Bastille-3.0.6-1.0.noarch.rpm' with root privileges on behalf of 'root'\r\n
Message: userhelper[10127]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10130]: running '/usr/sbin/system-install-packages /root/Desktop/Bastille-3.0.6-1.0.noarch.rpm' with root privileges on behalf of 'root'\r\n
Message: userhelper[10195]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10198]: running '/usr/sbin/system-install-packages /tmp/perl-Tk-804.027-1.1.fc3.rf.i386.rpm' with root privileges on behalf of 'root'\r\n
Message: userhelper[10202]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10205]: running '/usr/sbin/system-install-packages //tmp/perl-Tk-804.027-1.1.fc3.rf.i386.rpm' with root privileges on behalf of 'root'\r\n
Message: userhelper[10241]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10244]: running '/usr/sbin/system-config-packages' with root privileges on behalf of 'root'\r\n
Message: userhelper[10358]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10361]: running '/usr/share/system-config-display/system-config-display' with root privileges on behalf of 'root'\r\n
Message: userhelper[10374]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10377]: running '/usr/share/system-config-display/system-config-display' with root privileges on behalf of 'root'\r\n
Message: userhelper[3888]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[3891]: running '/usr/sbin/system-config-network' with root privileges on behalf of 'root'\r\n
Message: userhelper[4305]: pam_timestamp: updated timestamp file `/var/run/sudo/user_1/unknown:root'\r\n
Message: userhelper[4310]: running '/usr/share/system-config-rootpassword/system-config-rootpassword' with root privileges on behalf of 'user_1'\r\n
Message: \r\n
Message: ---------------------- Connections (secure-log) End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: --------------------- SSHD Begin ------------------------ \r\n
Message: \r\n
Message: \r\n
Message: SSHD Killed: 3 Time(s)\r\n
Message: \r\n
Message: SSHD Started: 4 Time(s)\r\n
Message: \r\n
Message: Failed to bind:\r\n
Message: 0.0.0.0 port 22 (Address already in use) : 4 Time(s)\r\n
Message: \r\n
Message: ---------------------- SSHD End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: --------------------- Disk Space Begin ------------------------ \r\n
Message: \r\n
Message: /dev/shm 121M 0 121M 0% /dev/shm\r\n
Message: /dev/hda2 99M 14M 80M 15% /boot\r\n
Message: /dev/mapper/VolGroup00-LogVol00 72G 13G 56G 19% /\r\n
Message: \r\n
Message: \r\n
Message: ---------------------- Disk Space End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: ###################### LogWatch End ######################### \r\n
Message: \r\n
Message: \r\n
Message: .\r\n
----------------------
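As an added example (not part of the original post), a small Python triage helper that reads a pasted Ethereal SMTP transcript like the one above and reports two things a defender checks first: whether every endpoint in the session was a loopback address, and whether sender and all recipients are addressed at the host named in EHLO (the shape of a local cron report rather than relayed mail). The summary-line layout, the literal `\r\n` markers and the SAMPLE list are assumptions about the pasted format.

```python
import ipaddress
import re
# Ethereal packet-list summary line as pasted above: "<frame> <time> <src> <dst> SMTP Command|Response: ..."
SUMMARY_RE = re.compile(r"^\d+\s+[\d.]+\s+(\S+)\s+(\S+)\s+SMTP\s+(Command|Response):\s*(.*)$")
ANGLE_ADDR_RE = re.compile(r"<([^>]*)>")

def parse_transcript(lines):
    """Extract the fields needed to triage a pasted Ethereal SMTP transcript into a dict."""
    sess = {"endpoints": set(), "ehlo": None, "mail_from": None, "rcpt_to": [], "subject": None}
    for raw in lines:
        line = raw.rstrip().replace("\\r\\n", "")  # the paste renders CRLF as a literal \r\n
        m = SUMMARY_RE.match(line)
        if m:
            src, dst, kind, text = m.groups()
            sess["endpoints"].update((src, dst))
            if kind == "Command":
                verb, _, rest = text.partition(" ")
                addr = ANGLE_ADDR_RE.search(rest)
                if verb.upper() in ("EHLO", "HELO"):
                    sess["ehlo"] = rest.strip()
                elif verb.upper() == "MAIL" and addr:
                    sess["mail_from"] = addr.group(1)
                elif verb.upper() == "RCPT" and addr:
                    sess["rcpt_to"].append(addr.group(1))
        elif line.startswith("Message: Subject:"):
            sess["subject"] = line[len("Message: Subject:"):].strip()
    return sess

def stays_on_loopback(sess):
    """True when every src/dst seen is a loopback address, i.e. the session never left the host."""
    try:
        return bool(sess["endpoints"]) and all(ipaddress.ip_address(e).is_loopback for e in sess["endpoints"])
    except ValueError:  # a non-IP token in the src/dst columns: do not call it loopback
        return False

def mail_is_host_local(sess):
    """True when sender and every recipient are addressed at the EHLO host (the pattern of a local cron report)."""
    if not (sess["ehlo"] and sess["mail_from"] and sess["rcpt_to"]):
        return False
    host = "@" + sess["ehlo"].lower()
    return all(a.lower().endswith(host) for a in [sess["mail_from"]] + sess["rcpt_to"])

# Constructed sample, assembled from the summary lines shown in the post (not a complete capture).
SAMPLE = [
    "796 18222.182684 127.0.0.1 127.0.0.1 SMTP Command: EHLO S0106000b6a7905f1.vs.shawcable.net",
    "799 18222.183623 127.0.0.1 127.0.0.1 SMTP Command: MAIL From:<root@S0106000b6a7905f1.vs.shawcable.net> SIZE=6670",
    "802 18222.231053 127.0.0.1 127.0.0.1 SMTP Command: RCPT To:<root@S0106000b6a7905f1.vs.shawcable.net>",
    r"Message: Subject: LogWatch for s0106000b6a7905f1\r\n",
]
```

Run `parse_transcript(SAMPLE)` and feed the result to both check functions; a session that is loopback-only and host-local still deserves a look at the Subject and at the cron configuration that produced it, but it is not evidence of a remote connection.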