LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-20-2005, 08:26 AM   #1
tom_from_van
Member
 
Registered: Jul 2005
Posts: 50

Rep: Reputation: 15
'funny' smtp conversation captured w Ethereal


I'm just starting with linux (this is day 3 running FC4) and I don't know what is behind this SMPT conversation that I captured when I ran Ethereal overnight. I know I didn't start it. Have I been cracked already? Or is FC4 supposed to do this automatically?
I included some packet summaries and some the contents that seemed important.
=======================================================

794 18222.182183 127.0.0.1 127.0.0.1 SMTP Response: 220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4; Wed, 20 Jul 2005
Response: 220 localhost.localdomain ESMTP Sendmail 8.13.4/8.13.4; Wed, 20 Jul 2005 04:02:09 -0700\r\n
796 18222.182684 127.0.0.1 127.0.0.1 SMTP Command: EHLO S0106000b6a7905f1.vs.shawcable.net
797 18222.182931 127.0.0.1 127.0.0.1 TCP smtp > 39493 [ACK] Seq=90 Ack=42 Win=32768 Len=0 TSV=18429364 TSER=18429363
798 18222.183218 127.0.0.1 127.0.0.1 SMTP Response: 250-localhost.localdomain Hello localhost.localdomain [127.0.0.1], pleased to m
imple Mail Transfer Protocol
Response: 250-localhost.localdomain Hello localhost.localdomain [127.0.0.1], pleased to meet you\r\n
Response code: 250
Response parameter: localhost.localdomain Hello localhost.localdomain [127.0.0.1], pleased to meet you
Response: 250-ENHANCEDSTATUSCODES\r\n
Response code: 250
Response parameter: ENHANCEDSTATUSCODES
Response: 250-PIPELINING\r\n
Response code: 250
Response parameter: PIPELINING
Response: 250-8BITMIME\r\n
Response code: 250
Response parameter: 8BITMIME
Response: 250-SIZE\r\n
Response code: 250
Response parameter: SIZE
Response: 250-DSN\r\n
Response code: 250
Response parameter: DSN
Response: 250-ETRN\r\n
Response code: 250
Response parameter: ETRN
Response: 250-AUTH DIGEST-MD5 CRAM-MD5\r\n
Response code: 250
Response parameter: AUTH DIGEST-MD5 CRAM-MD5
Response: 250-DELIVERBY\r\n
Response code: 250
Response parameter: DELIVERBY
Response: 250 HELP\r\n
Response code: 250
Response parameter: HELP
799 18222.183623 127.0.0.1 127.0.0.1 SMTP Command: MAIL From:<root@S0106000b6a7905f1.vs.shawcable.net> SIZE=6670 AUTH=root@S0106000b6a7905f1.vs.shawcable.net
--------------
Simple Mail Transfer Protocol
Command: MAIL From:<root@S0106000b6a7905f1.vs.shawcable.net> SIZE=6670 AUTH=root@S0106000b6a7905f1.vs.shawcable.net\r\n
Command: MAIL
Request parameter: From:<root@S0106000b6a7905f1.vs.shawcable.net> SIZE=6670 AUTH=root@S0106000b6a7905f1.vs.shawcable.net
-----------------
800 18222.222814 127.0.0.1 127.0.0.1 TCP smtp > 39493 [ACK] Seq=317 Ack=150 Win=32768 Len=0 TSV=18429404 TSER=18429364
----------------
801 18222.230671 127.0.0.1 127.0.0.1 SMTP Response: 250 2.1.0 <root@S0106000b6a7905f1.vs.shawcable.net>... Sender ok
---------------
802 18222.231053 127.0.0.1 127.0.0.1 SMTP Command: RCPT To:<root@S0106000b6a7905f1.vs.shawcable.net>
--------------
Message: Received: (from root@localhost)\r\n
Message: \tby S0106000b6a7905f1.vs.shawcable.net (8.13.4/8.13.4/Submit) id j6KB29xC007431\r\n
Message: \tfor root; Wed, 20 Jul 2005 04:02:09 -0700\r\n
Message: Date: Wed, 20 Jul 2005 04:02:09 -0700\r\n
Message: From: root <root@S0106000b6a7905f1.vs.shawcable.net>\r\n
Message: Message-Id: <200507201102.j6KB29xC007431@S0106000b6a7905f1.vs.shawcable.net>\r\n
Message: To: root@S0106000b6a7905f1.vs.shawcable.net\r\n
Message: Subject: LogWatch for s0106000b6a7905f1\r\n
Message: \r\n
Message: \r\n
Message: ################### LogWatch 6.1.2 (06/13/05) #################### \r\n
Message: Processing Initiated: Wed Jul 20 04:02:06 2005\r\n
Message: Date Range Processed: yesterday\r\n
Message: ( 2005-Jul-19 )\r\n
Message: Period is day.\r\n
Message: Detail Level of Output: 0\r\n
Message: Type of Output: unformatted\r\n
Message: Logfiles for Host: s0106000b6a7905f1\r\n
Message: ################################################################## \r\n
Message: \r\n
Message: --------------------- Selinux Audit Begin ------------------------ \r\n
Message: \r\n
Message: **Unmatched Entries** (Only first 10 out of 55 are printed)\r\n
Message: audit(:370
--------------------
Message: 3082): major=252 name_count=0: freeing multiple contexts (1)\r\n
Message: audit(:267284): major=113 name_count=0: freeing multiple contexts (2)\r\n
Message: The audit daemon is exiting.\r\n
Message: audit: *NO* daemon at audit_pid=1762\r\n
Message: audit(1121777713.529:3766705): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfdab780 a2=80510f8 a3=0 items=0 pid=16385 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/a
Message: audit(1121777713.529:3766705): saddr=100000000000000000000000\r\n
Message: audit(1121777713.529:3766705): nargs=6 a0=3 a1=bfdad8dc a2=10 a3=0 a4=bfdafa78 a5=c\r\n
Message: audit(1121777713.630:3766725): SELinux: unrecognized netlink message type=1009 for sclass=49\r\n
Message: audit(1121777713.630:3766725): arch=40000003 syscall=102 success=no exit=-22 a0=b a1=bfdab760 a2=80510f8 a3=0 items=0 pid=16385 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="auditctl" exe="/sbin/a
Message: audit(1121777713.630:3766725): saddr=100000000000000000000000 \r\n
Message: ---------------------- Selinux Audit End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: --------------------- Init Begin ------------------------ \r\n
Message: \r\n
Message: \r\n
Message: \r\n
Message: Re-execs of init: 1 times\r\n
Message: \r\n
Message: ---------------------- Init End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: --------------------- Kernel Begin ------------------------ \r\n
Message: \r\n
Message: \r\n
Message: WARNING: Kernel Errors Present\r\n
Message: Buffer I/O error on device fd0, l...: 5 Time(s)\r\n
Message: end_request: I/O error, dev fd0, sector...: 11 Time(s)\r\n
Message: lost page write due to I/O error on fd0...: 5 Time(s)\r\n
Message: \r\n
Message: ---------------------- Kernel End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: --------------------- pam_unix Begin ------------------------ \r\n
Message: \r\n
Message: gdm:\r\n
Message: Authentication Failures:\r\n
Message: rhost= : 1 Time(s)\r\n
Message: Unknown Entries:\r\n
Message: check pass; user unknown: 1 Time(s)\r\n
Message: \r\n
Message: \r\n
Message: ---------------------- pam_unix End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: --------------------- Connections (secure-log) Begin ------------------------ \r\n
Message: \r\n
Message: \r\n
Message: **Unmatched Entries**\r\n
Message: userhelper[9813]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[9816]: running '/usr/share/system-config-securitylevel/system-config-securitylevel.py' with root privileges on behalf of 'root'\r\n
Message: userhelper[9838]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[9841]: running '/usr/sbin/system-config-network' with root privileges on behalf of 'root'\r\n
Message: userhelper[9884]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[9887]: running '/usr/sbin/system-config-services' with root privileges on behalf of 'root'\r\n
Message: userhelper[9923]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[9926]: running '/usr/sbin/internet-druid' with root privileges on behalf of 'root'\r\n
Message: userhelper[9966]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[9969]: running '/usr/sbin/system-config-network ' with root privileges on behalf of 'root'\r\n
Message: userhelper[9999]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10002]: running '/usr/sbin/up2date' with root privileges on behalf of 'root'\r\n
Message: userhelper[9059]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[9062]: running '/usr/sbin/system-install-packages /root/Desktop/skype-1.1.0.20-fc3.i586.rpm' with root privileges on behalf of 'root'\r\n
Message: userhelper[10092]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10095]: running '/usr/sbin/system-install-packages /tmp/Bastille-3.0.6-1.0.noarch.rpm' with root privileges on behalf of 'root'\r\n
Message: userhelper[10127]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10130]: running '/usr/sbin/system-install-packages /root/Desktop/Bastille-3.0.6-1.0.noarch.rpm' with root privileges on behalf of 'root'\r\n
Message: userhelper[10195]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10198]: running '/usr/sbin/system-install-packages /tmp/perl-Tk-804.027-1.1.fc3.rf.i386.rpm' with root privileges on behalf of 'root'\r\n
Message: userhelper[10202]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10205]: running '/usr/sbin/system-install-packages //tmp/perl-Tk-804.027-1.1.fc3.rf.i386.rpm' with root privileges on behalf of 'root'\r\n
Message: userhelper[10241]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10244]: running '/usr/sbin/system-config-packages' with root privileges on behalf of 'root'\r\n
Message: userhelper[10358]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10361]: running '/usr/share/system-config-display/system-config-display' with root privileges on behalf of 'root'\r\n
Message: userhelper[10374]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[10377]: running '/usr/share/system-config-display/system-config-display' with root privileges on behalf of 'root'\r\n
Message: userhelper[3888]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'\r\n
Message: userhelper[3891]: running '/usr/sbin/system-config-network' with root privileges on behalf of 'root'\r\n
Message: userhelper[4305]: pam_timestamp: updated timestamp file `/var/run/sudo/user_1/unknown:root'\r\n
Message: userhelper[4310]: running '/usr/share/system-config-rootpassword/system-config-rootpassword' with root privileges on behalf of 'user_1'\r\n
Message: \r\n
Message: ---------------------- Connections (secure-log) End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: --------------------- SSHD Begin ------------------------ \r\n
Message: \r\n
Message: \r\n
Message: SSHD Killed: 3 Time(s)\r\n
Message: \r\n
Message: SSHD Started: 4 Time(s)\r\n
Message: \r\n
Message: Failed to bind:\r\n
Message: 0.0.0.0 port 22 (Address already in use) : 4 Time(s)\r\n
Message: \r\n
Message: ---------------------- SSHD End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: --------------------- Disk Space Begin ------------------------ \r\n
Message: \r\n
Message: /dev/shm 121M 0 121M 0% /dev/shm\r\n
Message: /dev/hda2 99M 14M 80M 15% /boot\r\n
Message: /dev/mapper/VolGroup00-LogVol00 72G 13G 56G 19% /\r\n
Message: \r\n
Message: \r\n
Message: ---------------------- Disk Space End ------------------------- \r\n
Message: \r\n
Message: \r\n
Message: ###################### LogWatch End ######################### \r\n
Message: \r\n
Message: \r\n
Message: .\r\n
----------------------
 
Old 07-20-2005, 09:26 AM   #2
mhallbiai
Member
 
Registered: Jun 2005
Posts: 96

Rep: Reputation: 15
it is part of internal mail, logwatch creates a report (nightly -by default) and sends it to the local root user (unless another user has been configured)

hope this helps
 
Old 07-20-2005, 05:04 PM   #3
tom_from_van
Member
 
Registered: Jul 2005
Posts: 50

Original Poster
Rep: Reputation: 15
Thumbs up

Yes --- very helpfull, thankyou. Issue resolved.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
conversation logs in Gaim 1.4.0 ParticleHunter Linux - Software 2 08-03-2005 11:13 AM
What is the best way to view data captured in packets with Ethereal? abefroman Linux - Security 4 05-07-2005 01:30 PM
captured packet in ethereal anubhuti_k Linux - Networking 1 01-14-2005 06:31 AM
Saddam Captured!! 320mb General 117 12-21-2003 05:51 AM
Linux conversation...thats a crap title, i know :) log Linux - General 11 08-11-2003 10:46 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:48 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration