Help analyzing log file /var/log/messages on RH 5.1


Post by Mohamed Hendaw » Thu, 22 Oct 1998 04:00:00



Here is an excerpt from my /var/log/messages on RedHat 5.1.  This looks
suspicious to me, but I'm not sure what to do.  Should I just delete the
user news from /etc/passwd?  In general, what are all of these standard
users that are set up by default on a RH 5.1 system (e.g. daemon, adm,
sync, games, etc.) - where can I find out more about this?  Thanks very
much,

-Moe

Oct 18 04:02:46 24 syslogd 1.3-3: restart.
Oct 18 04:02:46 24 syslogd 1.3-3: restart.
Oct 18 04:02:46 24 syslogd 1.3-3: restart.
Oct 18 04:02:48 24 PAM_pwdb[27810]: (su) session opened for user nobody by (uid=99)
Oct 18 04:04:50 24 PAM_pwdb[27810]: (su) session closed for user nobody
Oct 18 05:01:01 24 PAM_pwdb[28020]: (su) session opened for user news by (uid=9)
Oct 18 05:01:05 24 PAM_pwdb[28020]: (su) session closed for user news
Oct 18 06:01:01 24 PAM_pwdb[28121]: (su) session opened for user news by (uid=9)
Oct 18 06:01:03 24 PAM_pwdb[28121]: (su) session closed for user news
Oct 18 06:46:06 24 telnetd[28202]: ttloop:  peer died: Invalid or incomplete multibyte or wide character
Oct 18 06:47:45 24 telnetd[28204]: ttloop:  peer died: Invalid or incomplete multibyte or wide character
Oct 18 07:01:00 24 PAM_pwdb[28224]: (su) session opened for user news by (uid=9)
Oct 18 07:01:03 24 PAM_pwdb[28224]: (su) session closed for user news
Oct 18 08:01:01 24 PAM_pwdb[28325]: (su) session opened for user news by (uid=9)
Oct 18 08:01:04 24 PAM_pwdb[28325]: (su) session closed for user news
Oct 18 09:01:00 24 PAM_pwdb[28426]: (su) session opened for user news by (uid=9)
Oct 18 09:01:02 24 PAM_pwdb[28426]: (su) session closed for user news
Oct 18 10:01:00 24 PAM_pwdb[28527]: (su) session opened for user news by (uid=9)
Oct 18 10:01:02 24 PAM_pwdb[28527]: (su) session closed for user news
Oct 18 11:01:01 24 PAM_pwdb[28628]: (su) session opened for user news by (uid=9)
Oct 18 11:01:03 24 PAM_pwdb[28628]: (su) session closed for user news
Oct 18 12:01:01 24 PAM_pwdb[28799]: (su) session opened for user news by (uid=9)
Oct 18 12:01:05 24 PAM_pwdb[28799]: (su) session closed for user news


Post by Pat Hennes » Thu, 22 Oct 1998 04:00:00


heh, my guess is that those are your daily system cron jobs running...

: Here is an excerpt from my /var/log/messages on RedHat 5.1.  This looks
: suspicious to me, but I'm not sure what to do.  Should I just delete the
: user news from /etc/passwd?  In general, what are all of these standard
: users that are setup by default on a RH 5.1 system (e.g.  daemon, adm,
: sync, games, etc..) - where can I find out more about this?  Thanks very
: much,
:
: -Moe
:
:
: Oct 18 04:02:46 24 syslogd 1.3-3: restart.
: Oct 18 04:02:46 24 syslogd 1.3-3: restart.
: Oct 18 04:02:46 24 syslogd 1.3-3: restart.
these are most likely after logrotate is done
it needs to restart syslogd so that it gets the new file descriptors

: Oct 18 04:02:48 24 PAM_pwdb[27810]: (su) session opened for user nobody by (uid=99)
: Oct 18 04:04:50 24 PAM_pwdb[27810]: (su) session closed for user nobody
these are from the updatedb cron job.  It makes a list of all the files on
your machine in directories which are readable by nobody

if this ran as root, the people could use the "locate" command to see what
any other user has in their directories.

: Oct 18 05:01:01 24 PAM_pwdb[28020]: (su) session opened for user news by (uid=9)
: Oct 18 05:01:05 24 PAM_pwdb[28020]: (su) session closed for user news
: Oct 18 06:01:01 24 PAM_pwdb[28121]: (su) session opened for user news by (uid=9)
: Oct 18 06:01:03 24 PAM_pwdb[28121]: (su) session closed for user news
this is probably used by innd for some daily job.  If you are not using
your machine as a news server, I would turn this off

: Oct 18 06:46:06 24 telnetd[28202]: ttloop:  peer died: Invalid or incomplete multibyte or wide character
: Oct 18 06:47:45 24 telnetd[28204]: ttloop:  peer died: Invalid or incomplete multibyte or wide character
not sure what those are

: Oct 18 07:01:00 24 PAM_pwdb[28224]: (su) session opened for user news by (uid=9)
: Oct 18 07:01:03 24 PAM_pwdb[28224]: (su) session closed for user news
: Oct 18 08:01:01 24 PAM_pwdb[28325]: (su) session opened for user news by (uid=9)
: Oct 18 08:01:04 24 PAM_pwdb[28325]: (su) session closed for user news
: Oct 18 09:01:00 24 PAM_pwdb[28426]: (su) session opened for user news by (uid=9)
: Oct 18 09:01:02 24 PAM_pwdb[28426]: (su) session closed for user news
: Oct 18 10:01:00 24 PAM_pwdb[28527]: (su) session opened for user news by (uid=9)
: Oct 18 10:01:02 24 PAM_pwdb[28527]: (su) session closed for user news
: Oct 18 11:01:01 24 PAM_pwdb[28628]: (su) session opened for user news by (uid=9)
: Oct 18 11:01:03 24 PAM_pwdb[28628]: (su) session closed for user news
: Oct 18 12:01:01 24 PAM_pwdb[28799]: (su) session opened for user news by (uid=9)
: Oct 18 12:01:05 24 PAM_pwdb[28799]: (su) session closed for user news
more news jobs probably by innd

--
><><><><><><><><><><><><><><><><><><><><><><><><><><><><
                        http://www.magpage.com/~path/
><><><><><><><><><><><><><><><><><><><><><><><><><><><><
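A small triage script for entries like the ones quoted above, added here as an example and not code from the thread: it pairs the PAM_pwdb su open/close lines by PID, marks a user's su sessions as scheduled when they recur at the same minute across two or more hours (the hourly cron pattern Pat describes), and lists the telnetd "peer died" lines separately, since those come from network connections rather than from cron. The log lines inside it are constructed to match the excerpt's format, with one extra root line for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the excerpt above (not the poster's full log);
# the 13:37 root line is added to contrast a one-off su with the hourly ones.
SAMPLE_LOG = """\
Oct 18 04:02:46 24 syslogd 1.3-3: restart.
Oct 18 04:02:48 24 PAM_pwdb[27810]: (su) session opened for user nobody by (uid=99)
Oct 18 04:04:50 24 PAM_pwdb[27810]: (su) session closed for user nobody
Oct 18 05:01:01 24 PAM_pwdb[28020]: (su) session opened for user news by (uid=9)
Oct 18 05:01:05 24 PAM_pwdb[28020]: (su) session closed for user news
Oct 18 06:01:01 24 PAM_pwdb[28121]: (su) session opened for user news by (uid=9)
Oct 18 06:01:03 24 PAM_pwdb[28121]: (su) session closed for user news
Oct 18 06:46:06 24 telnetd[28202]: ttloop:  peer died: Invalid or incomplete multibyte or wide character
Oct 18 07:01:00 24 PAM_pwdb[28224]: (su) session opened for user news by (uid=9)
Oct 18 07:01:03 24 PAM_pwdb[28224]: (su) session closed for user news
Oct 18 13:37:12 24 PAM_pwdb[29001]: (su) session opened for user root by (uid=500)
"""

# <mon> <day> <hh:mm:ss> <host> PAM_pwdb[<pid>]: (su) session opened|closed for user <u> [by (uid=<n>)]
SU_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ PAM_pwdb\[(?P<pid>\d+)\]: "
    r"\(su\) session (?P<ev>opened|closed) for user (?P<user>\S+)"
    r"(?: by \(uid=(?P<uid>\d+)\))?$")
TTLOOP_RE = re.compile(
    r"^\w{3} +\d+ (?P<time>\d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: ttloop:\s+peer died")

def _secs(hhmmss):
    return sum(int(x) * k for x, k in zip(hhmmss.split(":"), (3600, 60, 1)))

def su_sessions(text):
    """Pair '(su) session opened' with 'closed' via PAM_pwdb[pid]; a session with
    no 'closed' line in the excerpt comes back with seconds=None."""
    pending, done = {}, []
    for line in text.splitlines():
        m = SU_RE.match(line)
        if not m:
            continue
        if m["ev"] == "opened":
            pending[m["pid"]] = m
            continue
        o = pending.pop(m["pid"], None)
        if o is None:  # 'closed' whose 'opened' fell outside the excerpt
            continue
        done.append({"user": o["user"], "by_uid": int(o["uid"]), "opened": o["time"],
                     "seconds": _secs(m["time"]) - _secs(o["time"])})
    for o in pending.values():
        done.append({"user": o["user"], "by_uid": int(o["uid"]),
                     "opened": o["time"], "seconds": None})
    return sorted(done, key=lambda s: s["opened"])

def analyze(text):
    """Sessions recurring at the same minute in two or more hours are the cron
    pattern; the rest deserve a look. telnetd 'peer died' lines come from
    network connections, never from cron, so they are listed separately."""
    sessions = su_sessions(text)
    hours = defaultdict(set)
    for s in sessions:
        hh, mm, _ = s["opened"].split(":")
        hours[(s["user"], mm)].add(hh)
    scheduled, review = defaultdict(int), []
    for s in sessions:
        mm = s["opened"].split(":")[1]
        if len(hours[(s["user"], mm)]) >= 2:
            scheduled[(s["user"], mm)] += 1
        else:
            review.append(s)
    peer_died = [m["time"] for m in map(TTLOOP_RE.match, text.splitlines()) if m]
    return {"scheduled": dict(scheduled), "review": review,
            "telnetd_peer_died": peer_died}
```

On the sample, `analyze(SAMPLE_LOG)` reports the news sessions at :01 as scheduled and leaves the nobody session (a single occurrence in a one-day excerpt) and the root session for review.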



Post by ShadowPh » Fri, 23 Oct 1998 04:00:00




// : Oct 18 06:46:06 24 telnetd[28202]: ttloop:  peer died: Invalid or incomplete multibyte or wide character
// : Oct 18 06:47:45 24 telnetd[28204]: ttloop:  peer died: Invalid or incomplete multibyte or wide character
// not sure what those are
//

This could be an indication of a portscan, or a raw connection to the
telnet service.  What the error means, I think, is that the peer did not
give a valid WILL or WONT reply.

Shadow
DolphinParadise Administrator



Post by Olaf Schre » Fri, 23 Oct 1998 04:00:00



>Here is an excerpt from my /var/log/messages on RedHat 5.1.  This looks
>suspicious to me,

No.  That's an hourly cron job for the news system, see /etc/crontab and
/etc/cron.hourly/*

>but I'm not sure what to do.  Should I just delete the
>user news from /etc/passwd?

NO.  These system users have an impossible default password anyway.

>In general, what are all of these standard
>users that are setup by default on a RH 5.1 system (e.g.  daemon, adm,
>sync, games, etc..) - where can I find out more about this?

Get a book on Unix system administration.  Sorry, can't recommend a
specific one.

ciao,
chakl
--


Post by Mohamed Hendaw » Fri, 23 Oct 1998 04:00:00


Thanks for the response.  I was wondering what all of those news
processes were.  Sheesh..  I didn't ask for a news server (inn) to be
installed when I was setting things up.  Time to nuke that.  I did an
"rpm -e inn" to remove it.  I assume I can just remove the "news" user
as well.  What about some of these other stock users like "adm",
"daemon", etc..

* Is there any official documentation explaining why these users are
defined and if I can delete them?

-Moe




Post by voi » Sat, 24 Oct 1998 04:00:00



>Get a book on Unix system administration.  Sorry, can't recommend a
>specific one.

I can.  UNIX System Administration Handbook, by Nemeth et al., commonly
referred to as 'the Red Book'

--

 Ben

"You have your mind on computers, it seems."


Post by Jouni Ar » Sat, 24 Oct 1998 04:00:00





> // : Oct 18 06:46:06 24 telnetd[28202]: ttloop:  peer died: Invalid or incomplete multibyte or wide character
> // : Oct 18 06:47:45 24 telnetd[28204]: ttloop:  peer died: Invalid or incomplete multibyte or wide character
> // not sure what those are
> //

> This could be an indication of a portscan, or a raw connection to the
> telnet service. what the error means i think is that the peer did not
> give a valid WILL or WONT reply.

I noticed a similar entry 8 hours before a crack...  The cracker used
a security hole in imap; check

ftp://info.cert.org/pub/cert_advisories/CA-97.09.imap_pop

to be sure you don't have too old a version (supplied with RH 5.0, at
least).


Post by Pat Hennes » Sat, 24 Oct 1998 04:00:00



I should check the earlier posts, but I believe it could not start the imap daemon,
which was one of the log messages.  He definitely needs to tighten his security.
Disable telnet, rsh, rlogin, ftp, mountd, nfsd, pop-3, and probably some more.  Go
through your /etc/inetd.conf and disable everything.  Then go through your /etc/rc.d
directories and disable everything that starts a daemon that accepts remote requests.
If you don't know what the service is, check it out.  There are plenty of man pages.
Once you have everything turned off, you will figure out what you need and what you
don't need.  If you are going to remotely connect to your system, get ssh!!!!

You can use ssh to get a remote shell over an encrypted connection.  You can also use
it to copy files (encrypted).  I believe there are rpms at ftp.replay.com.

I agree with the others, you need to get a book that covers unix security.  

Lock that machine down!

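An added example (not Pat's code) of the /etc/inetd.conf pass described above: list what is still enabled, flag the cleartext and host-trust services, note which entries bypass tcpd, and produce a copy with the chosen services commented out. The inetd.conf content is a constructed sample in the RH 5.x layout, not Moe's file.

```python
import os

# Constructed sample in the RH 5.x /etc/inetd.conf layout (not the poster's file).
SAMPLE_INETD = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#gopher stream  tcp     nowait  root    /usr/sbin/tcpd  gn
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
"""

# The services the thread says to turn off (Pat's list plus imap, which the CERT
# advisory cited above covers): cleartext passwords or host-based trust.
CLEARTEXT_REMOTE = {"telnet", "ftp", "shell", "login", "exec", "pop-3", "imap"}

def enabled_services(text):
    """Active (uncommented) entries: name, user, server, and whether the server is
    started through tcpd, i.e. whether hosts.allow/hosts.deny apply to it."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0].startswith("#"):
            continue
        out.append({"name": f[0], "user": f[4], "server": f[5],
                    "wrapped": os.path.basename(f[5]) == "tcpd"})
    return out

def audit(text):
    """The three things to look at before deciding what stays enabled."""
    svc = enabled_services(text)
    return {
        "cleartext_remote": [s["name"] for s in svc if s["name"] in CLEARTEXT_REMOTE],
        "not_wrapped": [s["name"] for s in svc if not s["wrapped"]],
        "as_root": [s["name"] for s in svc if s["user"].split(".")[0] == "root"],
    }

def disable(text, names):
    """Comment out the named services and keep every other line byte for byte, so
    the change is reviewable and reversible (inetd re-reads the file on SIGHUP)."""
    out = []
    for line in text.splitlines(keepends=True):
        f = line.split()
        if f and not f[0].startswith("#") and f[0] in names:
            line = "#" + line
        out.append(line)
    return "".join(out)
```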


Post by Mohamed Hendaw » Sat, 24 Oct 1998 04:00:00


Yes.  I have turned off pretty much everything in inetd.conf.  I now
have telnet, ftp, shell, login, and auth running.  I looked into getting
ssh working to replace telnet and ftp, but I couldn't find a free
implementation for Windows (I have a need to remotely access my server
from both UNIX and Windows machines), so I gave up on that for now.  I
remember using a system called SKEY once (one-time passwords) as well,
but couldn't find satisfactory info on using that on Linux.

I have also managed to disable any superfluous daemons from running as
per your suggestions.  My next step is to look into getting SSH or
something similar to work.

I am also planning on setting up /etc/hosts.deny and /etc/hosts.allow.
However I am afraid this will prevent me from serving up web pages to
the general public.  Any comments on this?

-Moe






Post by Pat Hennes » Sun, 25 Oct 1998 04:00:00


Check out Tera Term with SSH extensions...

http://www.zip.com.au/~roca/ttssh.html

It's free too.  Another good one is SecureCRT; that costs money though.




Post by Patrick Mendoz » Tue, 27 Oct 1998 04:00:00


   <parts snipped>

> I am also planning on setting up /etc/hosts.deny and /etc/hosts.allow.
> However I am afraid this will prevent me from serving up web pages to
> the general public.  Any comments on this?

> -Moe

In the /etc/hosts.allow file you can allow httpd for everyone
with something like --->      httpd  :  all  :  all
and put whatever services you want to log or deny access.

--

 Patrick Mendoza

 "I speak for myself and only
  for my sanity and not for maturity."
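An added example, not from the thread, that models the tcp_wrappers check behind /etc/hosts.allow and /etc/hosts.deny so Moe's question can be answered by running it: hosts.allow is consulted first, then hosts.deny, and a connection matching neither is allowed. The rule files are constructed samples (192.168.1. as the LAN, .example.org as a trusted domain), and the evaluator supports the ALL, network-prefix, domain-suffix, exact-host and EXCEPT forms only.

```python
# Constructed hosts.allow / hosts.deny pair (not the poster's files). Each rule is
# "daemon_list : client_list"; daemons are process names (in.telnetd, not telnet),
# and a host-name pattern only matches when reverse DNS for the client resolves.
HOSTS_ALLOW = """\
# web is public, the rest only from the LAN (minus one untrusted box)
httpd : ALL
in.ftpd, in.telnetd : 192.168.1. EXCEPT 192.168.1.99
sshd : 192.168.1. .example.org
"""
HOSTS_DENY = """\
ALL : ALL
"""

def _patterns(field):
    """'a b EXCEPT c' -> (include list, except list); items may be comma- or
    space-separated."""
    inc, _, exc = field.partition(" EXCEPT ")
    split = lambda s: s.replace(",", " ").split()
    return split(inc), split(exc)

def _rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:           # blank or comment-only line
            continue
        daemons, clients = (p.strip() for p in line.split(":")[:2])
        rules.append((_patterns(daemons), _patterns(clients)))
    return rules

def _match1(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):       # domain suffix, e.g. .example.org
        return value.endswith(pattern)
    if pattern.endswith("."):         # network prefix, e.g. 192.168.1.
        return value.startswith(pattern)
    return pattern == value           # exact host name or address

def _match(patterns, value):
    inc, exc = patterns
    return (any(_match1(p, value) for p in inc)
            and not any(_match1(p, value) for p in exc))

def access(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: the first matching hosts.allow rule grants; otherwise the
    first matching hosts.deny rule refuses; otherwise access is granted. So without
    an 'ALL : ALL' in hosts.deny, nothing is blocked at all."""
    for d, c in _rules(allow_text):
        if _match(d, daemon) and _match(c, client):
            return True
    for d, c in _rules(deny_text):
        if _match(d, daemon) and _match(c, client):
            return False
    return True
```

Only daemons started through tcpd (or built with libwrap) consult these files; a standalone Apache never does, so a public web server stays reachable whatever the rules say.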


Post by Ríkharður Egilss » Fri, 30 Oct 1998 04:00:00



>Yes.  I have turned off pretty much everything in inetd.conf.  I now
>have
>telnet, ftp, shell, login, and auth running.  I looked into getting ssh
>working to replace telnet and ftp, but I couldn't find a free
>implementation for Windows (I have a need to remotely access my server
>from both UNIX and Windows machines), so I gave up on that for now.

Have a look at:
http://www.zip.com.au/~roca/ttssh.html

It's free, with source etc.

>I am also planning on setting up /etc/hosts.deny and /etc/hosts.allow.
>However I am afraid this will prevent me from serving up web pages to
>the general public.  Any comments on this?

Just go ahead and do it; you will quickly realise how this works.
(And more importantly, how it doesn't.)

--
 RIKHARDUR EGILSSON -  Systems Engineer
 Operations Division - Hosting/Connectivity Department
 Internet/Intranet Technical Directorate
 CEGETEL ENTREPRISES (Le Capitole, Nanterre)
 echo '[q]sa[ln0=aln80%Pln80/snlbx]16isb15CB32EF3AF9C0E5D7272C3AF4F2snlbxq'|dc
