  1. #1

    Logwatch: WARNING!!!! Possible Attack

    For about the last month I've been seeing this warning in my logwatch daily report:

    WARNING!!!! Possible Attack:
    Attempt from [] with:
    command=HELO/EHLO, count=3: 1 Time(s)
    Attempt from [] with:
    command=HELO/EHLO, count=3: 1 Time(s)
    Attempt from [] with:
    command=HELO/EHLO, count=3: 1 Time(s)
    Attempt from [] with:
    command=HELO/EHLO, count=3: 1 Time(s)
    Total: 4 Time(s)

    Is there a cause for concern? Is there something I should do?

    Thanks in advance
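
The logwatch block above is a count of sendmail's own "possible SMTP attack" syslog lines, which sendmail emits when one connection sends more HELO/EHLO (or RCPT, VRFY, NOOP, bad) commands than its built-in per-connection limit allows; the count is that connection's command counter. As an added example, not code from the original thread or from logwatch, the Python script below reads maillog lines, groups them by client address and command, and records whether the same client was also refused relaying. The sample lines embedded in it are constructed (documentation-range addresses, invented queue IDs), and the script's own names are not part of the original post.

```python
#!/usr/bin/env python3
"""Aggregate sendmail 'possible SMTP attack' log lines by client address.

Added example (not from the thread or from logwatch). Reads maillog-style
lines, groups the attack lines per client IP and SMTP command, and notes
whether the same client was also refused relaying by check_rcpt.
"""
import re
from collections import defaultdict

# Constructed sample lines in sendmail's syslog format. Addresses come from
# the RFC 5737 documentation ranges and the queue IDs are invented.
SAMPLE_LOG = """\
Jan 10 03:12:07 mail sendmail[2141]: k0A3C6Xk002141: [203.0.113.9]: possible SMTP attack: command=HELO/EHLO, count=3
Jan 10 03:12:09 mail sendmail[2141]: k0A3C6Xk002141: [203.0.113.9]: possible SMTP attack: command=HELO/EHLO, count=4
Jan 10 05:40:51 mail sendmail[2390]: k0A5eoXk002390: relay.example.net [198.51.100.22]: possible SMTP attack: command=RCPT, count=26
Jan 10 05:41:02 mail sendmail[2390]: k0A5eoXk002390: ruleset=check_rcpt, arg1=<victim@example.org>, relay=relay.example.net [198.51.100.22], reject=550 5.7.1 <victim@example.org>... Relaying denied
Jan 10 07:02:13 mail sendmail[2512]: k0A72DXk002512: [192.0.2.77]: possible SMTP attack: command=HELO/EHLO, count=3
Jan 10 07:02:14 mail sendmail[2512]: k0A72DXk002512: ruleset=check_rcpt, arg1=<spamtarget@example.com>, relay=[192.0.2.77], reject=550 5.7.1 <spamtarget@example.com>... Relaying denied
"""

# "sendmail[pid]: queueid: [host ]?[ip]: possible SMTP attack: command=X, count=N"
ATTACK_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): (?:(?P<host>\S+) )?\[(?P<ip>[^\]]+)\]: "
    r"possible SMTP attack: command=(?P<cmd>[^,]+), count=(?P<count>\d+)"
)
# check_rcpt rejection: "relay=[host ]?[ip], reject=550 ... Relaying denied"
RELAY_RE = re.compile(
    r"relay=(?:\S+ )?\[(?P<ip>[^\]]+)\], reject=550 .*Relaying denied"
)


def summarize(lines):
    """Return {ip: {"attacks": {cmd: [count, ...]}, "relay_denied": n}}."""
    report = defaultdict(lambda: {"attacks": defaultdict(list), "relay_denied": 0})
    for line in lines:
        m = ATTACK_RE.search(line)
        if m:
            report[m["ip"]]["attacks"][m["cmd"]].append(int(m["count"]))
            continue
        m = RELAY_RE.search(line)
        if m:
            report[m["ip"]]["relay_denied"] += 1
    # Convert to plain dicts so the result is easy to inspect and compare.
    return {ip: {"attacks": dict(v["attacks"]), "relay_denied": v["relay_denied"]}
            for ip, v in report.items()}


def render(report):
    """Produce a logwatch-style text summary, one block per client address."""
    out = []
    for ip in sorted(report):
        entry = report[ip]
        for cmd, counts in sorted(entry["attacks"].items()):
            out.append(f"Attempt from [{ip}] with: command={cmd}, "
                       f"max count={max(counts)}: {len(counts)} Time(s)")
        if entry["relay_denied"]:
            out.append(f"    same client refused relaying "
                       f"{entry['relay_denied']} Time(s)")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. ./smtp_attack_summary.py /var/log/maillog
        with open(sys.argv[1]) as fh:
            print(render(summarize(fh)))
    else:
        print(render(summarize(SAMPLE_LOG.splitlines())))
```

A client that trips the HELO/EHLO limit and is also being told "Relaying denied" is a relay probe being refused, which is the benign case; a client that trips the limit with no rejection lines at all is the one worth looking at in the full maillog.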

  2. #2 forgottentq (Just Joined!; join date Jun 2006; Virginia at the moment)
    I don't know what kind of network you're running, or where that log might have come from, but it looks like OSPF Hello packets to me. You have any large network switches? Or a router that uses OSPF services?

  3. #3 smolloy (Linux Guru; join date Apr 2005; CA, but from N. Ireland)
    The first IP address gave the following results on a whois search,
    inetnum: -
    netname: CHINANET-GD
    descr: CHINANET Guangdong province network
    descr: Data Communication Division
    descr: China Telecom
    country: CN
    admin-c: CH93-AP
    tech-c: IC83-AP
    mnt-by: MAINT-CHINANET
    mnt-lower: MAINT-CHINANET-GD
    changed: 20020424
    changed: 20041207
    source: APNIC

    person: Chinanet Hostmaster
    nic-hdl: CH93-AP
    address: No.31 ,jingrong street,beijing
    address: 100032
    phone: +86-10-58501724
    fax-no: +86-10-58501724
    country: CN
    changed: 20051212
    mnt-by: MAINT-CHINANET
    source: APNIC

    nic-hdl: IC83-AP
    phone: +86-20-83877223
    fax-no: +86-20-83877223
    country: CN
    changed: 20040902
    remarks: IPMASTER is not for spam complaint,please send spam complaint to
    source: APNIC
    In other words, some ******* in China was trying to crack your network and you should send email to to let them know.

    Do some more whois searches on the other IP addresses (google "arin whois") to find out who they are and send nasty emails to their ISPs!!

    What sort of network are you running?

  5. #4
    I initially checked IPs and I've suspected that these people were trying to break into my server. The thing that I find strange is that I've operated this server for a few years and never got this in my logwatch. It was sudden and it's not just one person trying. The IPs are from several different places and each day more different ones appear. It's like spam. Once an email address gathering spider gets your email addy then you start getting junk from all over. I just don't understand why this would happen to sendmail, that people would try to break in through there. Maybe a new exploit was discovered and all the assholes who think they're wonderful if they can harm other people's computers, or script-kiddies, read about the exploit somewhere and are targeting people.

    Since the people trying to break in are different each day and I once tried to contact ISPs in Korea who don't give a damn what their users do, I don't think it would help to complain to ISPs. This probably has a single source, a reason for happening, that is quite likely irreversible. I guess what concerns me is if there is any chance that they might be able to break in and if so, what I need to do to my server to make sure they can't.

    I'm not sure what you mean about network. I have rented a dedicated server from hosting companies for years. The one I have now is in Minnesota. It's a Linux Fedora Core 4, 1.6 GHz, 512 MB RAM, 30 GB HD. It is connected to the internet through the hosting co's network. Maybe I should ask the hosting co?

    Thanks in advance for any help

  6. #5
    What version of sendmail are you running?

  7. #6
    Sendmail 8.13.7

  8. #7 (Just Joined!; join date Dec 2003)

    Sendmail 8.13.4-3

    Usagi, did you sort out this?
    I'm having troubles with same problem here.


  9. #8

    I'm disappointed. I CAN'T be the only person who has ever seen this...

  10. #9 likwid (Linux Enthusiast; join date Dec 2006)
    Calm down, probably bots targeting your SMTP server to see if they can relay and send spam. Not much you can do except make sure your **** is tight. Especially with sendmail you want to keep up with patches.

  11. #10
    Although I've been running a dedicated server for... 4 years? I spend most of my time programming in PHP so I'm not a Linux guru. I handle the server mostly with Webmin. I have used to check to be sure I don't have an open relay and according to the tests, I'm fine.

    The concern was that this happened suddenly and that it's not a single bot either. I tracked a few and they are from many different countries.

    I suppose you're right. Apparently there are now bots out there looking for open relays and apparently these are increasing in number and aggressiveness.

    Thanks for your help
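
The check the last two posts rely on, whether the server will relay mail from an outside sender to an outside recipient, can be done by hand over plain SMTP rather than through a third-party tester. The script below is an added example, not code from the original thread or from any relay-testing service: it speaks the SMTP exchange itself so every server reply is visible, stops after RCPT TO (it never sends DATA, so nothing is delivered), and reports "open relay" only if the server accepts a recipient in a domain it has no business delivering for. The host, port and addresses are assumptions to replace with your own, and the reply-parsing and verdict functions are the example's own names.

```python
#!/usr/bin/env python3
"""Probe an SMTP server for open relaying from the outside.

Added example, not code from the original thread. Performs
EHLO / MAIL FROM (outside) / RCPT TO (outside) / RSET / QUIT and classifies
the RCPT reply. It never sends DATA, so no message is ever delivered.
"""
import socket

# Assumed probe parameters; replace with your own. The example.* names are
# documentation domains, so a correctly configured server should refuse to
# relay between them.
TARGET_HOST = "mail.example.org"
TARGET_PORT = 25
OUTSIDE_SENDER = "probe@example.net"
OUTSIDE_RCPT = "nobody@example.com"
PROBE_NAME = "probe.example.net"


def parse_reply(data):
    """Parse raw SMTP reply bytes into (code, lines, complete).

    A reply is complete when it ends in CRLF and its last line is 'NNN text'
    (space after the code) rather than a continuation line 'NNN-text'.
    """
    text = data.decode("latin-1")
    lines = [ln for ln in text.split("\r\n") if ln]
    if not lines or not data.endswith(b"\r\n"):
        return None, lines, False
    last = lines[-1]
    if len(last) < 4 or not last[:3].isdigit():
        raise ValueError(f"malformed SMTP reply: {last!r}")
    complete = last[3] == " "
    return (int(last[:3]) if complete else None), lines, complete


def read_reply(sock):
    """Read one full (possibly multi-line) reply from the socket."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        code, lines, complete = parse_reply(buf)
        if complete:
            return code, lines


def send(sock, line):
    """Send one command line and return the server's reply."""
    sock.sendall(line.encode("ascii") + b"\r\n")
    return read_reply(sock)


def relay_verdict(mail_code, rcpt_code):
    """Classify the replies to MAIL FROM (outside) and RCPT TO (outside)."""
    if mail_code is not None and mail_code >= 400:
        return "sender refused before RCPT; cannot conclude"
    if rcpt_code is not None and 200 <= rcpt_code < 300:
        return "OPEN RELAY: outside recipient accepted for outside sender"
    if rcpt_code in (550, 551, 553, 554):
        return "relaying denied"
    return f"inconclusive (RCPT reply {rcpt_code})"


def probe(host=TARGET_HOST, port=TARGET_PORT, sender=OUTSIDE_SENDER,
          rcpt=OUTSIDE_RCPT, timeout=15):
    """Run the relay probe against one server and return the verdict string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        code, banner = read_reply(sock)
        if code != 220:
            return f"unexpected banner: {banner}"
        code, _ = send(sock, f"EHLO {PROBE_NAME}")
        if code != 250:                       # old server: fall back to HELO
            send(sock, f"HELO {PROBE_NAME}")
        mail_code, _ = send(sock, f"MAIL FROM:<{sender}>")
        rcpt_code, _ = send(sock, f"RCPT TO:<{rcpt}>")
        send(sock, "RSET")                    # abandon the transaction, no DATA
        send(sock, "QUIT")
        return relay_verdict(mail_code, rcpt_code)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else TARGET_HOST
    print(f"{host}: {probe(host)}")
```

Run it from a host outside the hosting company's network: many servers legitimately relay for their own address block, so a probe from inside that block proves nothing about what the bots see. A 550 on RCPT TO is the answer you want; a 250 followed by a 5xx only at DATA would still be worth a look, which is why the script reports anything other than a clean rejection as inconclusive.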

