Odd Messages in /var/log/secure--Please Help


Post by Joe » Sat, 02 Mar 2002 07:27:22



Hello:

    On my RH 7.2 (updated) in /var/log/secure I am seeing a few entries that
I don't understand.  First I'm curious about this one:

Feb 28 16:43:34 foobar xinetd[916]: START: sgi_fam pid=1408 from=0.0.0.0

    ...this one occurs occasionally.  I ask, as my cable / DSL router seems
to be seeing occasional traffic from "some IP," port 53 (DNS) to 0.0.0.0
port "whatever".  The times don't match-up that well, though...

     Another is this from sshd:

Feb 28 14:43:18 foobar sshd[902]: Received signal 15; terminating.
Feb 28 14:45:42 foobar sshd[906]: Server listening on 192.168.1.101 port 22.

    .101 is my server's IP.  This one occurs every few minutes.  Is this
a mis-configuration?  What is this newbie doing so wrongly!?!?!?  :)

     Thanks for your time...

-J


Odd Messages in /var/log/secure--Please Help

Post by RainbowHa » Tue, 05 Mar 2002 03:54:12


Joe wrote:

>    On my RH 7.2 (updated) in /var/log/secure I am seeing a few entries that
>I don't understand.  First I'm curious about this one:

>Feb 28 16:43:34 foobar xinetd[916]: START: sgi_fam pid=1408 from=0.0.0.0

Source IP "0.0.0.0/8" means "historical local broadcast address". I
don't know "sgi_fam". Do you have 'sgi_fam' in your xinetd conf.?
Please try:

grep -in sgi_fam /etc/* 2>/dev/null
locate /sgi_fam
find / -type f -name sgi_fam
grep '0\.0\.0\.0'   /etc/hosts
grep '127\.0\.0\.1' /etc/hosts
nslookup 0.0.0.0
nslookup 127.0.0.1
nslookup localhost
ping -v -c 1            0.0.0.0
/usr/sbin/traceroute -v 0.0.0.0

>    ...this one occurs occasionally.  I ask, as my cable / DSL router seems
>to be seeing occasional traffic from "some IP," port 53 (DNS) to 0.0.0.0
>port "whatever".  The times don't match-up that well, though...

Again, destination IP "0.0.0.0/8" means broadcast address. Most
stateless firewalls (example: ipchains) pass through source port
53 (DNS) packets. Perhaps someone at some IP scanned your local
machines. Or "some IP" is the target and your boxes are amplifiers
and your boxes attacked "some IP" (fraggle). I'd like to know
more detailed logs, frequency and rate. UDP/TCP,...

I think both you and your upstream ISP are mis-configured. If you
dropped these packets already and only just logged them, I think no problem.
If not, you should filter out broadcast addresses 0.0.0.0/8 and
255.255.255.255/32 in/outbound at your border router and firewall.

>     Another is this from sshd:

>Feb 28 14:43:18 foobar sshd[902]: Received signal 15; terminating.

            2:24 seconds      +4 processes

>Feb 28 14:45:42 foobar sshd[906]: Server listening on 192.168.1.101 port 22.

>    .101 is my the servers' IP.  This one occurs every few minutes.  Is this
>a mis-configuration?  What is this newbie doing so wrongly!?!?!?  :)

"signal 15" means "SIGTERM: termination signal" and SIGTERM is the default
of the `kill` command. If it were `/etc/rc.d/init.d/sshd restart`, 2:24
(2 minutes 24 seconds) is too long. It looks like you, someone else or some
process with root privilege stopped sshd (`killproc sshd`) and restarted
sshd (`daemon sshd`). Perhaps you mis-configured cron or someone tampered
with the cron configuration. If someone tampered, this is a security problem. If
you mis-configured it, this is a comp.os.linux.setup topic.

>     Thanks for your time...

You're welcome.

--
HTH, RainbowHat. http://www.tuxedo.org/~esr/faqs/smart-questions.html
Be precise and informative about your problem
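To put RainbowHat's two checks into something repeatable, here is an added example (not from the thread) that parses /var/log/secure-style lines, measures the gap between each sshd "Received signal 15" and the next "Server listening" (a clean init-script restart is a few seconds; 2:24 is not), and lists xinetd START entries whose from= address is 0.0.0.0. The log lines are constructed from the ones quoted above, and the year is assumed to be 2002 because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample in the /var/log/secure format quoted in the thread.
SAMPLE_LOG = """\
Feb 28 14:43:18 foobar sshd[902]: Received signal 15; terminating.
Feb 28 14:45:42 foobar sshd[906]: Server listening on 192.168.1.101 port 22.
Feb 28 14:49:03 foobar sshd[906]: Received signal 15; terminating.
Feb 28 14:49:05 foobar sshd[931]: Server listening on 192.168.1.101 port 22.
Feb 28 16:43:34 foobar xinetd[916]: START: sgi_fam pid=1408 from=0.0.0.0
Feb 28 16:50:10 foobar xinetd[916]: START: sgi_fam pid=1502 from=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def parse(text, year=2002):
    """Yield (timestamp, program, pid, message) per syslog-style line;
    year is assumed since syslog lines do not record one."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not in syslog format
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m['prog'], int(m['pid']), m['msg']

def sshd_restarts(text):
    """Pair each sshd 'Received signal 15' with the next 'Server listening'
    and return the gap in seconds between the two."""
    gaps, pending = [], None
    for ts, prog, pid, msg in parse(text):
        if prog != 'sshd':
            continue
        if msg.startswith('Received signal 15'):
            pending = ts
        elif msg.startswith('Server listening') and pending is not None:
            gaps.append(int((ts - pending).total_seconds()))
            pending = None
    return gaps

def unexpected_restarts(text, max_gap=5):
    """Gaps longer than max_gap seconds do not look like a plain init-script
    restart; these are the ones to check against cron and root's history."""
    return [g for g in sshd_restarts(text) if g > max_gap]

def xinetd_starts_from(text, addr='0.0.0.0'):
    """(service, pid) for every xinetd START whose from= address equals addr."""
    out = []
    for ts, prog, pid, msg in parse(text):
        m = re.match(r"START: (\S+) pid=(\d+) from=(\S+)", msg)
        if prog == 'xinetd' and m and m.group(3) == addr:
            out.append((m.group(1), int(m.group(2))))
    return out
```

Run it against the real file with `open('/var/log/secure').read()` in place of SAMPLE_LOG; a restart gap of 144 seconds next to one of 2 seconds is exactly the difference RainbowHat is pointing at.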


Odd Messages in /var/log/secure--Please Help

Post by Walter Dne » Tue, 05 Mar 2002 12:44:58



>  Hello:

>      On my RH 7.2 (updated) in /var/log/secure I am seeing a few entries that
>  I don't understand.  First I'm curious about this one:

>  Feb 28 16:43:34 foobar xinetd[916]: START: sgi_fam pid=1408 from=0.0.0.0

   Let me guess, you've installed KDE desktop.  Redhat in their
"infinite wisdom" has decided to make portmap (Hello Lion, hello Ramen)
and sgi_fam run "to speed up" KDE desktop.  Maybe it's time for the head
honcho at Redhat to send an email to his staff, telling them to put
security ahead of features.

>      ...this one occurs occasionally.  I ask, as my cable / DSL
>  router seems to be seeing occasional traffic from "some IP,"
>  port 53 (DNS) to 0.0.0.0 port "whatever".  The times don't
>  match-up that well, though...

   Looks like a DNS response.  Is the "some IP" your ISP's DNS server ?
If so, nothing to worry about.

>       Another is this from sshd:

>  Feb 28 14:43:18 foobar sshd[902]: Received signal 15; terminating.
>  Feb 28 14:45:42 foobar sshd[906]: Server listening on 192.168.1.101 port 22.

>      .101 is my the servers' IP.  This one occurs every few minutes.
>  Is this a mis-configuration?  What is this newbie doing so
>  wrongly!?!?!?  :)

   You appear to be running sshd.  Did you intend to do so ?  In order
to see what servers you're running, log in as root, and execute...

netstat -tupan > x

   and post the output captured to file x.  We can go from there.



Odd Messages in /var/log/secure--Please Help

Post by tech » Wed, 06 Mar 2002 10:25:09



> Hello:

>     On my RH 7.2 (updated) in /var/log/secure I am seeing a few entries
>     that
> I don't understand.  First I'm curious about this one:

> Feb 28 16:43:34 foobar xinetd[916]: START: sgi_fam pid=1408 from=0.0.0.0

>     ...this one occurs occasionally.  I ask, as my cable / DSL router
>     seems
> to be seeing occasional traffic from "some IP," port 53 (DNS) to 0.0.0.0
> port "whatever".  The times don't match-up that well, though...

>      Another is this from sshd:

> Feb 28 14:43:18 foobar sshd[902]: Received signal 15; terminating.
> Feb 28 14:45:42 foobar sshd[906]: Server listening on 192.168.1.101 port
> 22.

>     .101 is my the servers' IP.  This one occurs every few minutes.  Is
>     this
> a mis-configuration?  What is this newbie doing so wrongly!?!?!?  :)

>      Thanks for your time...

> -J

Hi, just my two cents worth......

SGI_FAM is a service run to support/help KDE.

The "some IP" is coming off your local cable provider WAN, most likely your
neighbor on the same cable.

The SSHD is the SSH service getting tired of listening and re-starting.

If there is any *real* concern over having the box compromised, d/l
chkrootkit, load it up and run it.

HTH,

Tech


1. Odd in.pop3d messages in /var/log/{messages,syslog}

Under 2.0.27 I'm seeing pairs of messages in
/var/log/{messages,syslog} that look like this:

==> messages <==
Feb 21 15:46:39 teclata in.pop3d[18017]: connect from unknown

==> syslog <==
Feb 21 15:46:39 teclata in.pop3d[18017]: warning: can't get client address: Connection reset by peer

They appear periodically, at one minute intervals. It looks like
someone is connecting to my pop3 server, but something goes wrong.  I
have 100 other people who connect to the pop3 server without problems.
There is no user connected to my machine whose login times coincide
with these messages.

I'd like to know where these bad connections are coming from and to do
something about them.

So I ran tcpdump, but it produces nothing at all when these messages
appear (but it does produce the expected thing for other (successful)
pop3 connections).

The tcpdump command I used was this:

$ tcpdump -f -l dst port pop3

When I tried some more general tcpdump commands I also didn't see any
packets that looked likely.

How can I find out where these packets are coming from? I have the
pop3 sources, and I'd also happily run something else on port 110
temporarily to see what's going on. I don't know why tcpdump doesn't
see anything. Could this have anything to do with having several
virtual interfaces on the one ethernet card?

Confused...
