  1. #1
    Just Joined! | Join Date: May 2006 | Posts: 11

    Logwatch: WARNING!!!! Possible Attack


    For about the last month I've been seeing this warning in my logwatch daily report:

    WARNING!!!! Possible Attack:
    Attempt from [219.137.161.208] with:
    command=HELO/EHLO, count=3: 1 Time(s)
    Attempt from ant-97.ug2.dp.ukrtel.net [82.207.10.97] with:
    command=HELO/EHLO, count=3: 1 Time(s)
    Attempt from bzq-82-81-168-54.red.bezeqint.net [82.81.168.54] with:
    command=HELO/EHLO, count=3: 1 Time(s)
    Attempt from rrcs-64-183-250-7.sw.biz.rr.com [64.183.250.7] with:
    command=HELO/EHLO, count=3: 1 Time(s)
    Total: 4 Time(s)

    Is there a cause for concern? Is there something I should do?

    Thanks in advance
    Usagi
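
The four "Attempt from" entries above are logwatch's roll-up of sendmail's own "possible SMTP attack" log lines, which sendmail writes when a client repeats HELO/EHLO several times inside one connection (count=3 is sendmail's count of HELO/EHLO commands in that session). The script below is an added example, not part of the thread and not logwatch's own code: it reads raw maillog lines, groups them by client IP and answers the two questions a triage would ask, whether this is one persistent source or many unrelated ones, and whether the relay attempts that usually accompany the HELO floods were refused. The exact line formats and all sample lines are assumptions constructed for the example.

```python
"""Triage sendmail 'possible SMTP attack' lines, the ones logwatch summarises
under "WARNING!!!! Possible Attack".

Added example, not from the original thread or from logwatch.  Assumed
syslog-style /var/log/maillog formats (sendmail 8.13):
  ... sendmail[PID]: NOQUEUE: host [ip]: possible SMTP attack: command=HELO/EHLO, count=N
  ... sendmail[PID]: ruleset=check_rcpt, ..., relay=host [ip], reject=550 5.7.1 <...>... Relaying denied
"""
import re

# Constructed sample lines (not from the poster's server).  The hostnames and
# addresses echo the ones quoted in the thread; the timestamps are invented.
SAMPLE_MAILLOG = """\
Nov 20 03:14:07 srv sendmail[2101]: NOQUEUE: [219.137.161.208]: possible SMTP attack: command=HELO/EHLO, count=3
Nov 20 04:02:51 srv sendmail[2188]: NOQUEUE: ant-97.ug2.dp.ukrtel.net [82.207.10.97]: possible SMTP attack: command=HELO/EHLO, count=3
Nov 20 04:02:55 srv sendmail[2188]: ruleset=check_rcpt, arg1=<someone@example.org>, relay=ant-97.ug2.dp.ukrtel.net [82.207.10.97], reject=550 5.7.1 <someone@example.org>... Relaying denied
Nov 21 01:30:12 srv sendmail[3310]: NOQUEUE: bzq-82-81-168-54.red.bezeqint.net [82.81.168.54]: possible SMTP attack: command=HELO/EHLO, count=3
Nov 21 22:45:40 srv sendmail[4407]: NOQUEUE: rrcs-64-183-250-7.sw.biz.rr.com [64.183.250.7]: possible SMTP attack: command=HELO/EHLO, count=3
Nov 21 22:45:41 srv sendmail[4407]: NOQUEUE: rrcs-64-183-250-7.sw.biz.rr.com [64.183.250.7]: possible SMTP attack: command=HELO/EHLO, count=3
Nov 22 02:10:03 srv sendmail[5012]: NOQUEUE: [219.137.161.208]: possible SMTP attack: command=HELO/EHLO, count=3
"""

# Hostname is optional: sendmail logs only "[ip]" when reverse DNS fails.
ATTACK_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: NOQUEUE: "
    r"(?:(?P<host>\S+) )?\[(?P<ip>[0-9.]+)\]: possible SMTP attack: "
    r"command=(?P<cmd>[^,]+), count=(?P<count>\d+)$"
)
RELAY_DENIED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: .*"
    r"relay=(?:\S+ )?\[(?P<ip>[0-9.]+)\], reject=5\d\d .*Relaying denied$"
)


def _new_record():
    return {"host": None, "days": set(), "helo_floods": 0, "relay_denied": 0}


def triage(log_text):
    """Group events by client IP.

    helo_floods  = 'possible SMTP attack: command=HELO/EHLO' lines from the IP
    relay_denied = 'Relaying denied' rejections from the IP
    days         = distinct calendar days ("Nov 20") the IP showed up
    """
    per_ip = {}
    for line in log_text.splitlines():
        m = ATTACK_RE.match(line)
        if m:
            rec = per_ip.setdefault(m["ip"], _new_record())
            rec["host"] = rec["host"] or m["host"]
            rec["days"].add(f"{m['mon']} {int(m['day']):02d}")
            rec["helo_floods"] += 1
            continue
        m = RELAY_DENIED_RE.match(line)
        if m:
            rec = per_ip.setdefault(m["ip"], _new_record())
            rec["days"].add(f"{m['mon']} {int(m['day']):02d}")
            rec["relay_denied"] += 1
    return per_ip


def summarize(per_ip, min_sources=3):
    """Is this a distributed scan (many unrelated sources, each seen briefly)
    or one persistent attacker?  min_sources is the threshold for 'many'."""
    days = set().union(*(r["days"] for r in per_ip.values()))
    persistent = sorted(ip for ip, r in per_ip.items() if len(r["days"]) > 1)
    return {
        "sources": len(per_ip),
        "days": len(days),
        "persistent_sources": persistent,
        "relay_attempts_denied": sum(r["relay_denied"] for r in per_ip.values()),
        "distributed": len(per_ip) >= min_sources,
    }


def report(per_ip):
    """One line per IP, most active first (a logwatch-like summary)."""
    out = []
    for ip, r in sorted(per_ip.items(), key=lambda kv: (-kv[1]["helo_floods"], kv[0])):
        who = f"{r['host']} [{ip}]" if r["host"] else f"[{ip}]"
        out.append(f"{who}: HELO/EHLO floods={r['helo_floods']}, "
                   f"relay attempts denied={r['relay_denied']}, "
                   f"days={', '.join(sorted(r['days']))}")
    return out


if __name__ == "__main__":
    per_ip = triage(SAMPLE_MAILLOG)
    for line in report(per_ip):
        print(line)
    print(summarize(per_ip))
```

Run it against the real file with `triage(open("/var/log/maillog").read())`; a summary with many sources, few of them persistent, and every relay attempt answered with "Relaying denied" is the signature of bots probing for open relays rather than of one party working on this host in particular.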

  2. #2
    forgottentq (Just Joined!) | Join Date: Jun 2006 | Location: Virginia at the moment | Posts: 46
    I don't know what kind of network you're running, or where that log might have come from, but it looks like OSPF Hello packets to me. Do you have any large network switches? Or a router that uses OSPF services?

  3. #3
    smolloy (Linux Guru) | Join Date: Apr 2005 | Location: CA, but from N.Ireland | Posts: 2,414
    The first IP address gave the following results on a whois search,
    inetnum: 219.128.0.0 - 219.137.255.255
    netname: CHINANET-GD
    descr: CHINANET Guangdong province network
    descr: Data Communication Division
    descr: China Telecom
    country: CN
    admin-c: CH93-AP
    tech-c: IC83-AP
    mnt-by: MAINT-CHINANET
    mnt-lower: MAINT-CHINANET-GD
    status: ALLOCATED NON-PORTABLE
    changed: hostmaster@ns.chinanet.cn.net 20020424
    changed: hm-changed@apnic.net 20041207
    source: APNIC

    person: Chinanet Hostmaster
    nic-hdl: CH93-AP
    e-mail: anti-spam@ns.chinanet.cn.net
    address: No.31 ,jingrong street,beijing
    address: 100032
    phone: +86-10-58501724
    fax-no: +86-10-58501724
    country: CN
    changed: lqing@chinatelecom.com.cn 20051212
    mnt-by: MAINT-CHINANET
    source: APNIC

    person: IPMASTER CHINANET-GD
    nic-hdl: IC83-AP
    e-mail: ipadm@gddc.com.cn
    address: NO.1,RO.DONGYUANHENG,YUEXIUNAN,GUANGZHOU
    phone: +86-20-83877223
    fax-no: +86-20-83877223
    country: CN
    changed: ipadm@gddc.com.cn 20040902
    mnt-by: MAINT-CHINANET-GD
    remarks: IPMASTER is not for spam complaint,please send spam complaint to abuse@gddc.com.cn
    source: APNIC
    In other words, some ******* in China was trying to crack your network and you should send email to abuse@gddc.com.cn to let them know.

    Do some more whois searches on the other IP addresses (google "arin whois") to find out who they are and send nasty emails to their ISPs!!

    What sort of network are you running?

  4. #4
    Just Joined! | Join Date: May 2006 | Posts: 11
    I initially checked the IPs and suspected that these people were trying to break into my server. The thing that I find strange is that I've operated this server for a few years and never got this in my logwatch. It was sudden and it's not just one person trying. The IPs are from several different places and each day more different ones appear. It's like spam. Once an email address gathering spider gets your email addy then you start getting junk from all over. I just don't understand why this would happen to sendmail, that people would try to break in through there. Maybe a new exploit was discovered and all the assholes who think they're wonderful if they can harm other people's computers, or script-kiddies who read about the exploit somewhere, are targeting people.

    Since the people trying to break in are different each day, and I once tried to contact ISPs in Korea who don't give a damn what their users do, I don't think it would help to complain to ISPs. This probably has a single source or reason for happening that is quite likely irreversible. I guess what concerns me is whether there is any chance that they might be able to break in and, if so, what I need to do to my server to make sure they can't.

    I'm not sure what you mean about network. I have rented a dedicated server from hosting companies for years. The one I have now is in Minnesota. It's a Linux Fedora Core 4 box, 1.6 GHz, 512 MB RAM, 30 GB HD. It is connected to the internet through the hosting company's network. Maybe I should ask the hosting company?

    Thanks in advance for any help
    Usagi

  5. #5
    Just Joined! | Join Date: Nov 2006 | Posts: 1
    What version of sendmail are you running?

  6. #6
    Just Joined! | Join Date: May 2006 | Posts: 11
    Sendmail 8.13.7

  7. #7
    Just Joined! | Join Date: Dec 2003 | Location: Greece | Posts: 43

    Sendmail 8.13.4-3

    Usagi, did you sort this out?
    I'm having trouble with the same problem here.

    Cheers

  8. #8
    Just Joined! | Join Date: May 2006 | Posts: 11
    No.

    I'm disappointed. I CAN'T be the only person who has ever seen this...

  9. #9
    likwid (Linux Enthusiast) | Join Date: Dec 2006 | Location: MA | Posts: 649
    Calm down, it's probably bots targeting your SMTP server to see if they can relay and send spam. Not much you can do except make sure your **** is tight. Especially with sendmail you want to keep up with patches.

  10. #10
    Just Joined! | Join Date: May 2006 | Posts: 11
    Although I've been running a dedicated server for... 4 years? I spend most of my time programming in PHP so I'm not a linux guru. I handle the server mostly with Webmin. I have used http://www.abuse.net/relay.html to check to be sure I don't have an open relay and according to the tests, I'm fine.

    The concern was that this happened suddenly and that it's not a single bot either. I tracked a few and they are from many different countries.

    I suppose you're right. Apparently there are now bots out there looking for open relays and apparently these are increasing in number and aggressiveness.

    Thanks for your help

    Usagi
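
The abuse.net relay test the poster ran is, at heart, the SMTP exchange below: greet the server, give a MAIL FROM in one outside domain, ask for RCPT TO in another outside domain, and read the reply. A 250 means the server will carry mail between two strangers (an open relay); a 5xx such as sendmail's "550 5.7.1 ... Relaying denied" means it refuses. The probe stops before DATA, so nothing is ever queued or delivered. This is an added example, not code from the thread or from abuse.net; the FakeSMTP class is a constructed stand-in so it runs offline, the helper and domain names are illustrative, and `live_check` is the only part that talks to a real server.

```python
"""Open-relay self-check: EHLO, MAIL FROM <outside>, RCPT TO <other outside>,
RSET, QUIT.  Added example, not from the thread or from abuse.net.

Assumptions: plain SMTP on port 25; the sender/recipient domains are RFC 2606
reserved names used only for illustration; FakeSMTP is a constructed stand-in
for smtplib.SMTP so the probe can be exercised without a network.
"""
import smtplib


def _text(msg):
    return msg.decode("utf-8", "replace") if isinstance(msg, bytes) else str(msg)


def check_open_relay(conn, helo_name="relaytest.example",
                     mail_from="probe@example.net", rcpt_to="probe@example.org"):
    """Run the probe over `conn`, anything with smtplib.SMTP's
    ehlo/helo/mail/rcpt/rset/quit methods.  Returns (verdict, code, message):
      'open'    - RCPT TO an outside address accepted (250): relaying allowed
      'closed'  - permanent rejection (5xx, e.g. 550 ... Relaying denied)
      'unknown' - temporary failure (4xx greylisting etc.) or MAIL FROM refused
    """
    code, _ = conn.ehlo(helo_name)
    if code != 250:                      # fall back for servers without ESMTP
        code, _ = conn.helo(helo_name)
    code, msg = conn.mail(mail_from)
    if code != 250:
        conn.quit()
        return "unknown", code, _text(msg)
    code, msg = conn.rcpt(rcpt_to)
    # Abort the transaction before DATA so no message is ever sent.
    try:
        conn.rset()
    finally:
        conn.quit()
    if code == 250:
        return "open", code, _text(msg)
    if 500 <= code < 600:
        return "closed", code, _text(msg)
    return "unknown", code, _text(msg)


def live_check(host, port=25, timeout=15):
    """Probe a real server.  Only point this at a host you operate."""
    conn = smtplib.SMTP(host, port, timeout=timeout)   # check_open_relay quits it
    return check_open_relay(conn)


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP (offline use only).
    `rcpt_reply` is the (code, message) the fake server returns to RCPT TO."""

    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply
        self.transcript = []             # every client command, in order

    def ehlo(self, name=""):
        self.transcript.append(f"EHLO {name}")
        return 250, b"fake.example"

    def helo(self, name=""):
        self.transcript.append(f"HELO {name}")
        return 250, b"fake.example"

    def mail(self, sender, options=()):
        self.transcript.append(f"MAIL FROM:<{sender}>")
        return 250, b"2.1.0 Sender ok"

    def rcpt(self, recip, options=()):
        self.transcript.append(f"RCPT TO:<{recip}>")
        return self.rcpt_reply

    def rset(self):
        self.transcript.append("RSET")
        return 250, b"2.0.0 Reset state"

    def quit(self):
        self.transcript.append("QUIT")
        return 221, b"2.0.0 closing connection"


if __name__ == "__main__":
    closed = FakeSMTP((550, b"5.7.1 <probe@example.org>... Relaying denied"))
    print(check_open_relay(closed))
    print(closed.transcript)
    open_relay = FakeSMTP((250, b"2.1.5 <probe@example.org>... Recipient ok"))
    print(check_open_relay(open_relay))
```

A 250 at RCPT is strong evidence but not proof: an MTA that defers its relay policy to the end of DATA would need a fuller test. A 4xx is reported as "unknown" on purpose, since greylisting or a temporary failure says nothing about relay policy; retry later rather than treating it as closed.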
