I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:

--------------------- pam_unix Begin ------------------------
kde-np:
   Unknown Entries:
      session opened for user dotancohen by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------

--------------------- Smartd Begin ------------------------
**Unmatched Entries**
   smartd received signal 15: Terminated
   smartd is exiting (exit status 0)
---------------------- Smartd End -------------------------

--------------------- Selinux Audit Begin ------------------------
Number of audit daemon starts: 1
Number of audit daemon stops: 2
*** Logs which could mean a bug ***
   major=252 name_count=0: freeing multiple contexts (1)
   major=113 name_count=0: freeing multiple contexts (2)
---------------------- Selinux Audit End -------------------------

--------------------- SSHD Begin ------------------------
SSHD Killed: 1 Time(s)
SSHD Started: 1 Time(s)
---------------------- SSHD End -------------------------

--------------------- httpd Begin ------------------------
Requests with error response codes
   404 Not Found
      /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
      /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
      /favicon.ico: 32 Time(s)
      /javascript/HM_Arrays.js: 1 Time(s)
      /javascript/HM_ScriptDOM.js: 1 Time(s)
      /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
      /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
---------------------- httpd End -------------------------

--------------------- pam_unix Begin ------------------------
kde:
   Unknown Entries:
      session closed for user dotancohen: 3 Time(s)
      session opened for user dotancohen by (uid=0): 3 Time(s)
kde-np:
   Unknown Entries:
      session closed for user dotancohen: 3 Time(s)
      session opened for user dotancohen by (uid=0): 2 Time(s)
su:
   Sessions Opened:
      (uid=500) -> root: 3 Time(s)
system-config-display:
   Unknown Entries:
      auth could not identify password for [root]: 1 Time(s)
---------------------- pam_unix End -------------------------

--------------------- httpd Begin ------------------------
Requests with error response codes
   403 Forbidden
      /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
      /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
   404 Not Found
      /Forums/admin/admin_styles.php?phpbb_root_ ... cho%20YYY;echo|: 1 Time(s)
      /Forums/admin/admin_styles.phpadmin_styles ... cho%20YYY;echo|: 1 Time(s)
      /admin_styles.phpadmin_styles.php?phpbb_ro ... cho%20YYY;echo|: 1 Time(s)
      /awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
      /blog/xmlrpc.php: 2 Time(s)
      /blog/xmlsrv/xmlrpc.php: 2 Time(s)
      /blogs/xmlsrv/xmlrpc.php: 2 Time(s)
      /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
      /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
      /drupal/xmlrpc.php: 2 Time(s)
      /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
      /modules/Forums/admin/admin_styles.php?php ... cho%20YYY;echo|: 1 Time(s)
      /modules/Forums/admin/admin_styles.phpadmi ... cho%20YYY;echo|: 2 Time(s)
      /modules/coppermine/themes/default/theme.p ... cho%20YYY;echo|: 2 Time(s)
      /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
      /phpgroupware/xmlrpc.php: 2 Time(s)
      /wordpress/xmlrpc.php: 2 Time(s)
      /xmlrpc.php: 4 Time(s)
      /xmlrpc/xmlrpc.php: 2 Time(s)
      /xmlsrv/xmlrpc.php: 2 Time(s)
---------------------- httpd End -------------------------

--------------------- pam_unix Begin ------------------------
kde-np:
   Unknown Entries:
      session closed for user dotancohen: 2 Time(s)
      session opened for user dotancohen by (uid=0): 1 Time(s)
su:
   Sessions Opened:
      (uid=500) -> root: 3 Time(s)
---------------------- pam_unix End -------------------------

These are the most suspicious. If anyone could clarify on them a bit, I would appreciate it. Thank you!
Dotan Cohen http://technology-sleuth.com/index.php %^
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
--------------------- pam_unix Begin ------------------------
kde-np:
   Unknown Entries:
      session opened for user dotancohen by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
For the above, I would find out what kde-np is. What little Googling I did suggests it's a script that provides auto-login for some other application. Might not be anything to worry about. You're seeing it here because LogWatch hasn't been told to ignore it.
--------------------- Smartd Begin ------------------------ **Unmatched Entries** smartd received signal 15: Terminated smartd is exiting (exit status 0) ---------------------- Smartd End -------------------------
Smartd monitors the SMART status of your drives. Looks like LogWatch is just showing you that Smartd was terminated with a signal 15 once, and quit cleanly once, possibly on shutdown. For more info: $ man smartd
--------------------- httpd Begin ------------------------ Requests with error response codes 404 Not Found /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s) /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
Can't see the entire lines above, but if your Apache server faces the Internet, take the appropriate precautions. It's not so much the 404's you want to monitor, it's the stuff that worked...the commands that actually executed, know what I mean?
/favicon.ico: 32 Time(s)
Easy, Google for favicon.ico
--------------------- httpd Begin ------------------------ Requests with error response codes 403 Forbidden /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s) /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
Someone, or 'somebot', doesn't have permission to access the file indicated.
These are the most suspicious. If anyone could clarify on them a bit, I would appreciate it. Thank you!
Doesn't look like you have anything to panic about, but you have some research to do. :-)
HTH, Charles
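Added example, not part of the original thread: one way to act on the point above that the 404s matter less than "the stuff that worked". It reads raw Apache access-log lines and separates probe requests the server refused from those it answered. The sample lines, addresses and PLACEHOLDER values are constructed; the markers are substrings of the request fragments visible in the Logwatch report.

```python
import re
from urllib.parse import unquote

# Apache Common/Combined Log Format prefix. The request field allows the
# backslash-escaped quotes Apache writes when a request contains '"'.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
)

# Lower-cased substrings copied from the request fragments visible in the
# Logwatch report quoted in this thread; extend for your own environment.
PROBE_MARKERS = (
    "awstats.pl?configdir=|",
    "index2.php?_request[option]",
    "admin_styles.php?phpbb_root_",
    "xmlrpc.php",
)

# Constructed sample lines (documentation addresses, placeholder payloads).
SAMPLE = [
    '192.0.2.10 - - [31/Dec/2005:03:12:44 -0500] '
    '"GET /cgi-bin/awstats.pl?configdir=%7CPLACEHOLDER%7C HTTP/1.0" 403 298',
    '192.0.2.10 - - [31/Dec/2005:03:12:45 -0500] '
    '"GET /mambo/index2.php?_REQUEST[option]=PLACEHOLDER HTTP/1.0" 404 291',
    '192.0.2.10 - - [31/Dec/2005:03:12:46 -0500] '
    '"POST /xmlrpc.php HTTP/1.0" 200 512',
    '198.51.100.7 - - [31/Dec/2005:09:00:01 -0500] '
    '"GET /favicon.ico HTTP/1.1" 404 285',
    '198.51.100.7 - - [31/Dec/2005:09:00:02 -0500] '
    '"GET /index.html HTTP/1.1" 200 1024',
    'not an access log line',
]


def request_target(request):
    """Return the URL part of a logged request line, or None if absent."""
    parts = request.split(" ")
    if len(parts) < 2:
        return None
    if len(parts) >= 3 and parts[-1].startswith("HTTP/"):
        return " ".join(parts[1:-1])
    return " ".join(parts[1:])


def triage(lines):
    """Split probe requests into those the server refused and those it served."""
    report = {"served": [], "rejected": [], "unparsed": 0}
    for line in lines:
        m = LOG_RE.match(line)
        target = request_target(m.group("request")) if m else None
        if target is None:
            report["unparsed"] += 1
            continue
        # Decode %xx escapes so "%7C" and "|" match the same marker.
        decoded = unquote(target).lower()
        marker = next((p for p in PROBE_MARKERS if p in decoded), None)
        if marker is None:
            continue  # ordinary traffic, including /favicon.ico
        status = int(m.group("status"))
        # Below 400 the server answered the probe: check what lives at that
        # path. 4xx/5xx means the request was refused or nothing was there.
        bucket = "served" if status < 400 else "rejected"
        report[bucket].append((m.group("host"), status, marker, target))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE)
    for bucket in ("served", "rejected"):
        for host, status, marker, target in result[bucket]:
            print(f"{bucket:8} {status} {host} {target}")
    print("unparsed lines:", result["unparsed"])
```

An entry under "served" is a prompt to check what is installed at that path and whether it is current, not proof of compromise.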
On 1/1/06, Charles Howse chowse@charter.net wrote:
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
--------------------- pam_unix Begin ------------------------
kde-np:
   Unknown Entries:
      session opened for user dotancohen by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
For the above, I would find out what kde-np is. What little Googling I did suggests it's a script that provides auto-login for some other application. Might not be anything to worry about. You're seeing it here because LogWatch hasn't been told to ignore it.
I also do not remember installing kde-np, or ever using it. As it seems to have to do with login, it MAY be because I logged out and then back in on that day? Not that I remember doing such.
--------------------- Smartd Begin ------------------------ **Unmatched Entries** smartd received signal 15: Terminated smartd is exiting (exit status 0) ---------------------- Smartd End -------------------------
Smartd monitors the SMART status of your drives. Looks like LogWatch is just showing you that Smartd was terminated with a signal 15 once, and quit cleanly once, possibly on shutdown. For more info: $ man smartd
I know what Smartd is - that's why I was worried. I have never gotten a message from it before. The $man calmed me down. I am sorry that I posted regarding this before consulting the $man.
--------------------- httpd Begin ------------------------ Requests with error response codes 404 Not Found /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s) /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
Can't see the entire lines above, but if your Apache server faces the Internet, take the appropriate precautions. It's not so much the 404's you want to monitor, it's the stuff that worked...the commands that actually executed, know what I mean?
/favicon.ico: 32 Time(s)
Easy, Google for favicon.ico
OK, so the 404's are alright- it means that nothing was served. That's right. They were just checking, I guess. As for the favicon, I know what that is. I should have snipped that part.
--------------------- httpd Begin ------------------------ Requests with error response codes 403 Forbidden /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s) /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
Someone, or 'somebot', doesn't have permission to access the file indicated.
These are the most suspicious. If anyone could clarify on them a bit, I would appreciate it. Thank you!
Doesn't look like you have anything to panic about, but you have some research to do. :-)
HTH, Charles
Yes, much research. That's why there's google! Thank you very much.
Dotan Cohen http://technology-sleuth.com/question/what_is_hdtv.html ||
On 1/1/06, Charles Howse chowse@charter.net wrote:
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
--------------------- pam_unix Begin ------------------------
kde-np:
   Unknown Entries:
      session opened for user dotancohen by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
For the above, I would find out what kde-np is. What little Googling I did suggests it's a script that provides auto-login for some other application. Might not be anything to worry about. You're seeing it here because LogWatch hasn't been told to ignore it.
I also do not remember installing kde-np, or ever using it. As it seems to have to do with login, it MAY be because I logged out and then back in on that day? Not that I remember doing such.
Further research indicates that kde-np is installed when you install kdebase, which are the core files for the K Desktop environment. Probably installed during FC4 installation, when you chose to install KDE.
Do you have your box configured to log you in automatically on startup? If I am not mistaken, kdm and kde-np provide autologin.
I found this by searching http://rpm.pbone.net for kde-np, which told me that it is provided by kdebase, then I searched http://google.com for "what is kde-np" (without the quotes), and found out about autologin on the second page, third hit. That hit has to do with FreeBSD, but it's the same file.
Yes, much research. That's why there's google! Thank you very much.
You're welcome. As they say, "Google is your friend!" :)
On 1/2/06, Charles Howse chowse@charter.net wrote:
On 1/1/06, Charles Howse chowse@charter.net wrote:
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
--------------------- pam_unix Begin ------------------------
kde-np:
   Unknown Entries:
      session opened for user dotancohen by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
For the above, I would find out what kde-np is. What little Googling I did suggests it's a script that provides auto-login for some other application. Might not be anything to worry about. You're seeing it here because LogWatch hasn't been told to ignore it.
I also do not remember installing kde-np, or ever using it. As it seems to have to do with login, it MAY be because I logged out and then back in on that day? Not that I remember doing such.
Further research indicates that kde-np is installed when you install kdebase, which are the core files for the K Desktop environment. Probably installed during FC4 installation, when you chose to install KDE.
Yes, I found this out as well. So it is strange that I have never gotten this message before. Maybe the update to kde 3.5 had something to do with it.
Do you have your box configured to log you in automatically on startup? If I am not mistaken, kdm and kde-np provide autologin.
Yes, it does automatically log me in.
I found this by searching http://rpm.pbone.net for kde-np, which told me that it is provided by kdebase, then I searched http://google.com for "what is kde-np" (without the quotes), and found out about autologin on the second page, third hit. That hit has to do with FreeBSD, but it's the same file.
Hehe, I did almost the same query: I searched for "kde-np is" WITH the quotes. I also came across a FreeBSD page (actually a mailing list), but it gave me enough info to identify kde-np and to realize that this is no concern.
Yes, much research. That's why there's google! Thank you very much.
You're welcome. As they say, "Google is your friend!" :)
Google most certainly is!
Dotan Cohen http://technology-sleuth.com/short_answer/what_is_hdtv.html ()
Dotan Cohen wrote:
--------------------- httpd Begin ------------------------ Requests with error response codes 404 Not Found /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s) /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s) /favicon.ico: 32 Time(s) /javascript/HM_Arrays.js: 1 Time(s) /javascript/HM_ScriptDOM.js: 1 Time(s) /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s) /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s) ---------------------- httpd End -------------------------
Here is a link for the favicons.ico: http://www.linuxproblem.org/art_19.html
By default apache looks for the favicon.ico. If you do not have it in the doc root of the domain it will return a 404 error.
Hope this helps :) ~WILL~
On Sun, 2006-01-01 at 11:24 -0500, CodeHeads wrote:
By default apache looks for the favicon.ico. If you do not have it in the doc root of the domain it will return a 404 error.
Um, no, Apache does not. Many *web* *browsers* look for favicon.ico.
Tim wrote:
On Sun, 2006-01-01 at 11:24 -0500, CodeHeads wrote:
By default apache looks for the favicon.ico. If you do not have it in the doc root of the domain it will return a 404 error.
Um, no, Apache does not. Many *web* *browsers* look for favicon.ico.
OK, then why is it in the apache logs???? If it was browser based, then the 404 error would not be in the apache logs?????
~WILL~
CodeHeads:
By default apache looks for the favicon.ico. If you do not have it in the doc root of the domain it will return a 404 error.
Tim:
Um, no, Apache does not. Many *web* *browsers* look for favicon.ico.
CodeHeads:
OK, then why is it in the apache logs???? If it was browser based, then the 404 error would not be in the apache logs?????
Because something accessed it, and the webserver logged it.
Typically, it's a web browser; but other things (the generic term is a user-agent) can also access the webserver, such as a local search engine or web statistics analyser. However, they generally only fetch things directly linked to in the pages, they don't generally make other requests. Though, if the pages have a link to the favicon file, it will be fetched unless deliberately configured not to.
The web server just sits there doing nothing unless something is asked of it. *It* doesn't look for files in your webspace directories. Even restarting your webserver is only going to cause the configuration file to be loaded, and the webserving home directories to be checked to see if they exist.
It's a common browser behaviour to check for /favicon.ico when looking at, or bookmarking, a website.
If a web author puts an explicit link in their pages to the favicon.ico then the browser will look for it on each of those pages (ending up with lots more favicon.ico requests), but the author's not likely to do that if they don't have such a file.
On Sun, 2006-01-01 at 19:39 -0500, CodeHeads wrote:
Tim wrote:
On Sun, 2006-01-01 at 11:24 -0500, CodeHeads wrote:
By default apache looks for the favicon.ico. If you do not have it in the doc root of the domain it will return a 404 error.
Um, no, Apache does not. Many *web* *browsers* look for favicon.ico.
OK, then why is it in the apache logs???? If it was browser based, then the 404 error would not be in the apache logs?????
Dude, it's in the logs because the browser requests that file from the web server.
Florin Andrei wrote:
On Sun, 2006-01-01 at 19:39 -0500, CodeHeads wrote:
Tim wrote:
On Sun, 2006-01-01 at 11:24 -0500, CodeHeads wrote:
By default apache looks for the favicon.ico. If you do not have it in the doc root of the domain it will return a 404 error.
Um, no, Apache does not. Many *web* *browsers* look for favicon.ico.
OK, then why is it in the apache logs???? If it was browser based, then the 404 error would not be in the apache logs?????
Dude, it's in the logs because the browser requests that file from the web server.
LOL, Geesh I need to get my head out of my @@@!!! I guess I drank too much beer!! LOL
Thanks for setting me straight!!
~WILL~
On Sun, 2006-01-01 at 19:39 -0500, CodeHeads wrote:
Tim wrote:
On Sun, 2006-01-01 at 11:24 -0500, CodeHeads wrote:
By default apache looks for the favicon.ico. If you do not have it in the doc root of the domain it will return a 404 error.
Um, no, Apache does not. Many *web* *browsers* look for favicon.ico.
OK, then why is it in the apache logs???? If it was browser based, then the 404 error would not be in the apache logs?????
Will
Apache is the SERVER, and is running on that machine and logs what browsers are requesting from it.
When a browser requests favicon.ico it gets logged as a request, whether the file is served or not.
~WILL~
Jeff Vian wrote:
On Sun, 2006-01-01 at 19:39 -0500, CodeHeads wrote:
Tim wrote:
On Sun, 2006-01-01 at 11:24 -0500, CodeHeads wrote:
By default apache looks for the favicon.ico. If you do not have it in the doc root of the domain it will return a 404 error.
Um, no, Apache does not. Many *web* *browsers* look for favicon.ico.
OK, then why is it in the apache logs???? If it was browser based, then the 404 error would not be in the apache logs?????
Will
Apache is the SERVER, and is running on that machine and logs what browsers are requesting from it.
When a browser requests favicon.ico it gets logged as a request, whether the file is served or not.
Yes, I know! LOL I replied to a few messages that were saying the same thing you did. Like I said before my head was up my a&^ that day!!! Too much beer that day LOL And also, thanks for whacking me to set me straight! :) LOL
~WILL~
Dotan Cohen wrote:
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
--------------------- pam_unix Begin ------------------------
kde-np:
   Unknown Entries:
      session opened for user dotancohen by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Smartd Begin ------------------------ **Unmatched Entries** smartd received signal 15: Terminated smartd is exiting (exit status 0) ---------------------- Smartd End -------------------------
--------------------- Selinux Audit Begin ------------------------ Number of audit daemon starts: 1 Number of audit daemon stops: 2 *** Logs which could mean a bug *** major=252 name_count=0: freeing multiple contexts (1) major=113 name_count=0: freeing multiple contexts (2) ---------------------- Selinux Audit End -------------------------
--------------------- SSHD Begin ------------------------ SSHD Killed: 1 Time(s) SSHD Started: 1 Time(s)
Normal restart stuff here and in some other places.
---------------------- SSHD End -------------------------
--------------------- httpd Begin ------------------------ Requests with error response codes 404 Not Found /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s) /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s) /favicon.ico: 32 Time(s) /javascript/HM_Arrays.js: 1 Time(s) /javascript/HM_ScriptDOM.js: 1 Time(s) /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s) /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s) ---------------------- httpd End -------------------------
--------------------- pam_unix Begin ------------------------ kde: Unknown Entries: session closed for user dotancohen: 3 Time(s) session opened for user dotancohen by (uid=0): 3 Time(s)
This looks like you logging in and out three times.
kde-np: Unknown Entries: session closed for user dotancohen: 3 Time(s) session opened for user dotancohen by (uid=0): 2 Time(s)
More, similar.
su: Sessions Opened: (uid=500) -> root: 3 Time(s)
You becoming root/
system-config-display:
Maybe you reconfigured your display?
Unknown Entries: auth could not identify password for [root]: 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- httpd Begin ------------------------ Requests with error response codes 403 Forbidden /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s) /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
Some versions of awstats let the ungodly in. If you're not current you may have a problem.
404 Not Found /Forums/admin/admin_styles.php?phpbb_root_ ... cho%20YYY;echo|: 1 Time(s) /Forums/admin/admin_styles.phpadmin_styles ... cho%20YYY;echo|: 1 Time(s) /admin_styles.phpadmin_styles.php?phpbb_ro ... cho%20YYY;echo|: 1 Time(s)
this looks like php bb stuff, some versions of which let the ungodly in.
/awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s) /blog/xmlrpc.php: 2 Time(s) /blog/xmlsrv/xmlrpc.php: 2 Time(s) /blogs/xmlsrv/xmlrpc.php: 2 Time(s) /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s) /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s) /drupal/xmlrpc.php: 2 Time(s) /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s) /modules/Forums/admin/admin_styles.php?php ... cho%20YYY;echo|: 1 Time(s) /modules/Forums/admin/admin_styles.phpadmi ... cho%20YYY;echo|: 2 Time(s) /modules/coppermine/themes/default/theme.p ... cho%20YYY;echo|: 2 Time(s) /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s) /phpgroupware/xmlrpc.php: 2 Time(s)
One hopes you're in the requisite lists for phpgroupware. I know it's big, you need to keep an eye out for problems and their fixes.
/wordpress/xmlrpc.php: 2 Time(s) /xmlrpc.php: 4 Time(s) /xmlrpc/xmlrpc.php: 2 Time(s) /xmlsrv/xmlrpc.php: 2 Time(s)
---------------------- httpd End -------------------------
--------------------- pam_unix Begin ------------------------ kde-np: Unknown Entries: session closed for user dotancohen: 2 Time(s) session opened for user dotancohen by (uid=0): 1 Time(s)
This looks to me like you logging out.
su: Sessions Opened: (uid=500) -> root: 3 Time(s)
this looks like you becoming root three times.
---------------------- pam_unix End -------------------------
These are the most suspicious. If anyone could clarify on them a bit, I would appreciate it. Thank you!
Dotan Cohen http://technology-sleuth.com/index.php
Hmm.
%^
On 1/1/06, John Summerfied debian@herakles.homelinux.org wrote:
Dotan Cohen wrote:
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
--------------------- pam_unix Begin ------------------------
kde-np:
   Unknown Entries:
      session opened for user dotancohen by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Smartd Begin ------------------------ **Unmatched Entries** smartd received signal 15: Terminated smartd is exiting (exit status 0) ---------------------- Smartd End -------------------------
--------------------- Selinux Audit Begin ------------------------ Number of audit daemon starts: 1 Number of audit daemon stops: 2 *** Logs which could mean a bug *** major=252 name_count=0: freeing multiple contexts (1) major=113 name_count=0: freeing multiple contexts (2) ---------------------- Selinux Audit End -------------------------
--------------------- SSHD Begin ------------------------ SSHD Killed: 1 Time(s) SSHD Started: 1 Time(s)
Normal restart stuff here and in some other places.
Do you mean that this is logged when the computer restarts? Because I have never restarted SSH.
---------------------- SSHD End -------------------------
--------------------- httpd Begin ------------------------ Requests with error response codes 404 Not Found /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s) /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s) /favicon.ico: 32 Time(s) /javascript/HM_Arrays.js: 1 Time(s) /javascript/HM_ScriptDOM.js: 1 Time(s) /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s) /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s) ---------------------- httpd End -------------------------
--------------------- pam_unix Begin ------------------------ kde: Unknown Entries: session closed for user dotancohen: 3 Time(s) session opened for user dotancohen by (uid=0): 3 Time(s)
This looks like you logging in and out three times.
Should that concern me if I don't think that I had EVER logged out and then back in? This is a one-man box.
kde-np: Unknown Entries: session closed for user dotancohen: 3 Time(s) session opened for user dotancohen by (uid=0): 2 Time(s)
More, similar.
su: Sessions Opened: (uid=500) -> root: 3 Time(s)
You becoming root/
system-config-display:
Maybe you reconfigured your display?
Nope. I'm glad that I don't need to!
Unknown Entries: auth could not identify password for [root]: 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- httpd Begin ------------------------ Requests with error response codes 403 Forbidden /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s) /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
Some versions of awstats let the ungodly in. If you're not current you may have a problem.
At least here I feel safe- no third party php software on the system. Just my own home-brewed stuff. Assuming that is secure...
404 Not Found
/Forums/admin/admin_styles.php?phpbb_root_ ... cho%20YYY;echo|: 1 Time(s)
/Forums/admin/admin_styles.phpadmin_styles ... cho%20YYY;echo|: 1 Time(s)
/admin_styles.phpadmin_styles.php?phpbb_ro ... cho%20YYY;echo|: 1 Time(s)
this looks like php bb stuff, some versions of which let the ungodly in.
/awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
/blog/xmlrpc.php: 2 Time(s)
/blog/xmlsrv/xmlrpc.php: 2 Time(s)
/blogs/xmlsrv/xmlrpc.php: 2 Time(s)
/cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
/cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
/drupal/xmlrpc.php: 2 Time(s)
/mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
/modules/Forums/admin/admin_styles.php?php ... cho%20YYY;echo|: 1 Time(s)
/modules/Forums/admin/admin_styles.phpadmi ... cho%20YYY;echo|: 2 Time(s)
/modules/coppermine/themes/default/theme.p ... cho%20YYY;echo|: 2 Time(s)
/php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
/phpgroupware/xmlrpc.php: 2 Time(s)
One hopes you're in the requisite lists for phpgroupware. I know it's big, you need to keep an eye out for problems and their fixes.
/wordpress/xmlrpc.php: 2 Time(s)
/xmlrpc.php: 4 Time(s)
/xmlrpc/xmlrpc.php: 2 Time(s)
/xmlsrv/xmlrpc.php: 2 Time(s)
---------------------- httpd End -------------------------
--------------------- pam_unix Begin ------------------------ kde-np: Unknown Entries: session closed for user dotancohen: 2 Time(s) session opened for user dotancohen by (uid=0): 1 Time(s)
This looks to me like you logging out.
I don't do that. One man-box.
su: Sessions Opened: (uid=500) -> root: 3 Time(s)
this looks like you becoming root three times.
That is possible.
---------------------- pam_unix End -------------------------
These are the most suspicious. If anyone could clarify on them a bit, I would appreciate it. Thank you!
Dotan Cohen http://technology-sleuth.com/index.php
Hmm.
%^
Cheers John
Thanks. I do appreciate the explanations, and the time you invest.
Dotan Cohen http://technology-sleuth.com/question/what_is_a_cellphone.html \
On 1/1/06, John Summerfied debian@herakles.homelinux.org wrote:
Dotan Cohen wrote:
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
--------------------- pam_unix Begin ------------------------
kde-np:
   Unknown Entries:
      session opened for user dotancohen by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Smartd Begin ------------------------ **Unmatched Entries** smartd received signal 15: Terminated smartd is exiting (exit status 0) ---------------------- Smartd End -------------------------
--------------------- Selinux Audit Begin ------------------------ Number of audit daemon starts: 1 Number of audit daemon stops: 2 *** Logs which could mean a bug *** major=252 name_count=0: freeing multiple contexts (1) major=113 name_count=0: freeing multiple contexts (2) ---------------------- Selinux Audit End -------------------------
--------------------- SSHD Begin ------------------------ SSHD Killed: 1 Time(s) SSHD Started: 1 Time(s)
Normal restart stuff here and in some other places.
Do you mean that this is logged when the computer restarts? Because I have never restarted SSH.
Yes, logged when computer restarts.
---------------------- SSHD End -------------------------
--------------------- httpd Begin ------------------------ Requests with error response codes 404 Not Found /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s) /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s) /favicon.ico: 32 Time(s) /javascript/HM_Arrays.js: 1 Time(s) /javascript/HM_ScriptDOM.js: 1 Time(s) /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s) /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s) ---------------------- httpd End -------------------------
--------------------- pam_unix Begin ------------------------ kde: Unknown Entries: session closed for user dotancohen: 3 Time(s) session opened for user dotancohen by (uid=0): 3 Time(s)
This looks like you logging in and out three times.
Should that concern me if I don't think that I had EVER logged out and then back in? This is a one-man box.
If you've ever restarted the computer, then you've logged out.
Let me suggest some further research for you: Find on your computer, and learn, everything about logging and LogWatch. This command:
$ ls /usr/share/doc/logwatch*
will show you what onboard documentation there is for logwatch. Read those files.
$ man logwatch
will also be helpful, but probably only the part where it shows you which files are used for configuration.

/etc/syslog.conf is the file that controls what the computer logs and where. I would study that file.
$ man syslog.conf
is a pretty good place to start reading, also.

Useful ways to see exactly what is going on: If I want to find out what is causing this:
session closed for user dotancohen
then I would make note of the time, then log out, log back in, and, as root:
# tail /var/log/messages
You should see something similar to this:
Jan 2 05:01:01 shemp crond(pam_unix)[7970]: session closed for user root
Jan 2 06:01:01 shemp crond(pam_unix)[8219]: session opened for user root by (uid=0)
Of course, I got this from my system, so your output will be different, but the point is that you can compare the time you logged out to the time of the log entry, and see what a simple logout or restart will generate in the logfiles.
Sorry to be so verbose, and also sorry to suggest reading so many boring man pages, but I think I've given you a good nudge in the right direction. :)
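Added example, not part of the original thread: the time comparison described above, done over a whole log at once. It pairs pam_unix "session opened" and "session closed" lines and lists the ones left without a partner, which is how a report window can show more closes than opens. The sample lines are constructed in the format of the two log lines quoted above; pairing on service, PID and user, and passing the year in because syslog timestamps omit it, are assumptions of this sketch.

```python
import re
from datetime import datetime

# Matches lines such as:
#   Jan  2 05:01:01 shemp crond(pam_unix)[7970]: session closed for user root
PAM_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<service>[\w.-]+)\(pam_unix\)\[(?P<pid>\d+)\]: "
    r"session (?P<event>opened|closed) for user (?P<user>\S+)"
)

# Constructed sample in the style of /var/log/messages.
SAMPLE = """\
Jan  2 05:01:01 shemp crond(pam_unix)[7970]: session closed for user root
Jan  2 06:01:01 shemp crond(pam_unix)[8219]: session opened for user root by (uid=0)
Jan  2 06:01:02 shemp crond(pam_unix)[8219]: session closed for user root
Jan  2 08:15:30 shemp kde-np(pam_unix)[2301]: session opened for user dotancohen by (uid=0)
Jan  2 08:40:12 shemp su(pam_unix)[2688]: session opened for user root by dotancohen(uid=500)
Jan  2 08:41:00 shemp su(pam_unix)[2688]: session closed for user root
Jan  2 08:45:00 shemp kernel: unrelated line
"""


def session_timeline(lines, year):
    """Pair session open/close events; report the ones without a partner."""
    open_now = {}  # (service, pid, user) -> time the session was opened
    report = {"sessions": [], "closed_without_open": [], "still_open": []}
    for line in lines:
        m = PAM_RE.match(line)
        if not m:
            continue  # not a pam_unix session line
        # Collapse the padding syslog uses for single-digit days.
        stamp = " ".join(m.group("stamp").split())
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        key = (m.group("service"), m.group("pid"), m.group("user"))
        if m.group("event") == "opened":
            open_now[key] = when
        elif key in open_now:
            started = open_now.pop(key)
            report["sessions"].append((key[0], key[2], started, when))
        else:
            # The matching open happened before this log (or window) began,
            # for example a desktop session started on an earlier day.
            report["closed_without_open"].append((key[0], key[2], when))
    # Opens with no close yet: the session is still running, or the close
    # falls in a later log file.
    report["still_open"] = [(k[0], k[2], t) for k, t in open_now.items()]
    return report


if __name__ == "__main__":
    result = session_timeline(SAMPLE.splitlines(), 2006)
    for service, user, start, end in result["sessions"]:
        print(f"{service:8} {user:12} {start} -> {end} ({end - start})")
    for service, user, when in result["closed_without_open"]:
        print(f"{service:8} {user:12} closed {when}, open not in this log")
    for service, user, when in result["still_open"]:
        print(f"{service:8} {user:12} opened {when}, no close in this log")
```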
On Mon, 2006-01-02 at 07:21 -0600, Charles Howse wrote:
On 1/1/06, John Summerfied debian@herakles.homelinux.org wrote:
Dotan Cohen wrote:
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
--------------------- pam_unix Begin ------------------------
kde-np:
   Unknown Entries:
      session opened for user dotancohen by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Smartd Begin ------------------------ **Unmatched Entries** smartd received signal 15: Terminated smartd is exiting (exit status 0) ---------------------- Smartd End -------------------------
--------------------- Selinux Audit Begin ------------------------ Number of audit daemon starts: 1 Number of audit daemon stops: 2 *** Logs which could mean a bug *** major=252 name_count=0: freeing multiple contexts (1) major=113 name_count=0: freeing multiple contexts (2) ---------------------- Selinux Audit End -------------------------
--------------------- SSHD Begin ------------------------ SSHD Killed: 1 Time(s) SSHD Started: 1 Time(s)
Normal restart stuff here and in some other places.
Do you mean that this is logged when the computer restarts? Because I have never restarted SSH.
Yes, logged when computer restarts.
---- No - I don't think so.
a yum update probably updated openssh and part of the install script is to restart sshd
Craig
On Mon, 2006-01-02 at 07:21 -0600, Charles Howse wrote:
On 1/1/06, John Summerfied debian@herakles.homelinux.org wrote:
Dotan Cohen wrote:
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
--------------------- pam_unix Begin ------------------------
kde-np:
   Unknown Entries:
      session opened for user dotancohen by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Smartd Begin ------------------------ **Unmatched Entries** smartd received signal 15: Terminated smartd is exiting (exit status 0) ---------------------- Smartd End -------------------------
--------------------- Selinux Audit Begin ------------------------ Number of audit daemon starts: 1 Number of audit daemon stops: 2 *** Logs which could mean a bug *** major=252 name_count=0: freeing multiple contexts (1) major=113 name_count=0: freeing multiple contexts (2) ---------------------- Selinux Audit End -------------------------
--------------------- SSHD Begin ------------------------ SSHD Killed: 1 Time(s) SSHD Started: 1 Time(s)
Normal restart stuff here and in some other places.
Do you mean that this is logged when the computer restarts? Because I have never restarted SSH.
Yes, logged when computer restarts.
No - I don't think so.
a yum update probably updated openssh and part of the install script is to restart sshd
Thanks, Craig, I stand corrected. :-)
On Mon, 2006-01-02 at 07:14 -0700, Craig White wrote:
On Mon, 2006-01-02 at 07:21 -0600, Charles Howse wrote:
On 1/1/06, John Summerfied debian@herakles.homelinux.org wrote:
Dotan Cohen wrote:
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
--------------------- pam_unix Begin ------------------------
kde-np:
   Unknown Entries:
      session opened for user dotancohen by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Smartd Begin ------------------------ **Unmatched Entries** smartd received signal 15: Terminated smartd is exiting (exit status 0) ---------------------- Smartd End -------------------------
--------------------- Selinux Audit Begin ------------------------ Number of audit daemon starts: 1 Number of audit daemon stops: 2 *** Logs which could mean a bug *** major=252 name_count=0: freeing multiple contexts (1) major=113 name_count=0: freeing multiple contexts (2) ---------------------- Selinux Audit End -------------------------
--------------------- SSHD Begin ------------------------ SSHD Killed: 1 Time(s) SSHD Started: 1 Time(s)
Normal restart stuff here and in some other places.
Do you mean that this is logged when the computer restarts? Because I have never restarted SSH.
Yes, logged when computer restarts.
No - I don't think so.
a yum update probably updated openssh and part of the install script is to restart sshd
Craig
It most assuredly is logged with a reboot. I have systems that I reboot without an update involved and this gets logged _every_ time.
It also gets logged at other times as well (such as when the daemon gets restarted during an update).
On 1/2/06, Charles Howse chowse@charter.net wrote:
On 1/1/06, John Summerfied debian@herakles.homelinux.org wrote:
Dotan Cohen wrote:
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
--------------------- pam_unix Begin ------------------------
kde-np:
   Unknown Entries:
      session opened for user dotancohen by (uid=0): 1 Time(s)
---------------------- pam_unix End -------------------------
--------------------- Smartd Begin ------------------------ **Unmatched Entries** smartd received signal 15: Terminated smartd is exiting (exit status 0) ---------------------- Smartd End -------------------------
--------------------- Selinux Audit Begin ------------------------ Number of audit daemon starts: 1 Number of audit daemon stops: 2 *** Logs which could mean a bug *** major=252 name_count=0: freeing multiple contexts (1) major=113 name_count=0: freeing multiple contexts (2) ---------------------- Selinux Audit End -------------------------
--------------------- SSHD Begin ------------------------ SSHD Killed: 1 Time(s) SSHD Started: 1 Time(s)
Normal restart stuff here and in some other places.
Do you mean that this is logged when the computer restarts? Because I have never restarted SSH.
Yes, logged when computer restarts.
---------------------- SSHD End -------------------------
--------------------- httpd Begin ------------------------
Requests with error response codes
   404 Not Found
      /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
      /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
      /favicon.ico: 32 Time(s)
      /javascript/HM_Arrays.js: 1 Time(s)
      /javascript/HM_ScriptDOM.js: 1 Time(s)
      /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
      /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
---------------------- httpd End -------------------------
--------------------- pam_unix Begin ------------------------
kde:
   Unknown Entries:
      session closed for user dotancohen: 3 Time(s)
      session opened for user dotancohen by (uid=0): 3 Time(s)
This looks like you logging in and out three times.
Should that concern me if I don't think that I had EVER logged out and then back in? This is a one-man box.
If you've ever restarted the computer, then you've logged out.
Let me suggest some further research for you: Find on your computer, and learn, everything about logging and LogWatch. This command:
$ ls /usr/share/doc/logwatch*
will show you what onboard documentation there is for logwatch. Read those files.
$ man logwatch
will also be helpful, but probably only the part where it shows you which files are used for configuration.
/etc/syslog.conf is the file that controls what the computer logs and where. I would study that file.
$ man syslog.conf
is a pretty good place to start reading, also.
Useful ways to see exactly what is going on: If I want to find out what is causing this:
session closed for user dotancohen
then I would make note of the time, then log out, log back in, and, as root:
# tail /var/log/messages
You should see something similar to this:
Jan 2 05:01:01 shemp crond(pam_unix)[7970]: session closed for user root
Jan 2 06:01:01 shemp crond(pam_unix)[8219]: session opened for user root by (uid=0)
Of course, I got this from my system, so your output will be different, but the point is that you can compare the time you logged out to the time of the log entry, and see what a simple logout or restart will generate in the logfiles.
Sorry to be so verbose, and also sorry to suggest reading so many boring man pages, but I think I've given you a good nudge in the right direction. :)
In other words, I should familiarize myself with the NORMAL log entries, so that I can pick out the abnormal ones. That is good advice- and that is what I will be doing more often. I only wish that I had the time to invest in this that it deserves. In any case, I do have the old logs to refer to, so that I can see that there are no log entries that look different from those that were before.
Thank you very, very much. I will be reading TFM a good deal this evening.
Dotan Cohen http://technology-sleuth.com/question/what_is_a_cellphone.html
Thank you very, very much. I will be reading TFM a good deal this evening.
BTW, I keep getting an email from: AntiSpam UOL petsupermarket.sspam@uol.com.br Wanting me to verify that I am sending email to that address.
Dotan, would that be one of your addresses? It's no problem to just trash it, but I was just wondering.
On Mon, 2006-01-02 at 08:58 -0600, Charles Howse wrote:
Thank you very, very much. I will be reading TFM a good deal this evening.
BTW, I keep getting an email from: AntiSpam UOL petsupermarket.sspam@uol.com.br Wanting me to verify that I am sending email to that address.
Dotan, would that be one of your addresses? It's no problem to just trash it, but I was just wondering.
---- suggest that you stick this phrase into google
petsupermarket site:https://www.redhat.com/archives/fedora-list/
best to simply have a server based or mail program based filter send them to the giant bit bucket into the sky
Craig
On Mon, 2006-01-02 at 08:58 -0600, Charles Howse wrote:
Thank you very, very much. I will be reading TFM a good deal this evening.
BTW, I keep getting an email from: AntiSpam UOL petsupermarket.sspam@uol.com.br Wanting me to verify that I am sending email to that address.
Dotan, would that be one of your addresses? It's no problem to just trash it, but I was just wondering.
suggest that you stick this phrase into google
petsupermarket site:https://www.redhat.com/archives/fedora-list/
best to simply have a server based or mail program based filter send them to the giant bit bucket into the sky
Can do, thanks, that was the first time I had received those. BTW, are you available to do all my research for me? ;-)
On Mon, 2006-01-02 at 09:22 -0600, Charles Howse wrote:
On Mon, 2006-01-02 at 08:58 -0600, Charles Howse wrote:
Thank you very, very much. I will be reading TFM a good deal this evening.
BTW, I keep getting an email from: AntiSpam UOL petsupermarket.sspam@uol.com.br Wanting me to verify that I am sending email to that address.
Dotan, would that be one of your addresses? It's no problem to just trash it, but I was just wondering.
suggest that you stick this phrase into google
petsupermarket site:https://www.redhat.com/archives/fedora-list/
best to simply have a server based or mail program based filter send them to the giant bit bucket into the sky
Can do, thanks, that was the first time I had received those. BTW, are you available to do all my research for me? ;-)
---- how much are you offering?
;-)
Craig
Charles Howse wrote:
Thank you very, very much. I will be reading TFM a good deal this evening.
BTW, I keep getting an email from: AntiSpam UOL petsupermarket.sspam@uol.com.br Wanting me to verify that I am sending email to that address.
Dotan, would that be one of your addresses? It's no problem to just trash it, but I was just wondering.
It is safe to just delete the message..... I can't see why we can't fix this so users don't get bothered by this.
What happens....
(1) You send your e-mail to the list....
(2) The list gets the message and forwards a copy to all the subscribed members...
(3) One, or more of the members (I'm hoping only one, if more you would be getting multiple for every single post).. has their e-mail handled by a domain/server practicing this type of anti-spam guard. The e-mail address in the reply to your post is not the subscribed person's e-mail address!
What you can do....
(1) If you run your own mail-server BAN all messages from this domain.
(2) Delete the message.
(3) Contact the domain administrator and notify them of the problem (there are thousands of people subscribed to this list probably)
(4) Organize a mass invitation to flood the server with responses to every email posting....
(5) Ignore the message.
I wouldn't suggest #4 above without first trying all the others at least once.
James Kosin
Just for information...
I emailed AOL support about this when it first happened before I realised what the problem was. To my amazement, I received a reply back saying that AOL does not accept mail from hosts that report SPAM.
I use SPAMCOP and have sent a few reports about valid SPAM from a few of their users.
I can't send email to any AOL users using the domain that SPAMCOP gets reports via.
Not that AOL has ever been on my favourites list, but they've gone on all of my black lists now.
Regards
Chris
-----Original Message----- From: fedora-list-bounces@redhat.com [mailto:fedora-list-bounces@redhat.com] On Behalf Of James Kosin Sent: Monday, January 02, 2006 3:16 PM To: For users of Fedora Core releases Subject: Re: Security question regarding root email
Charles Howse wrote:
Thank you very, very much. I will be reading TFM a good deal this evening.
BTW, I keep getting an email from: AntiSpam UOL petsupermarket.sspam@uol.com.br Wanting me to verify that I am sending email to that address.
Dotan, would that be one of your addresses? It's no problem to just trash it, but I was just wondering.
It is safe to just delete the message..... I can't see why we can't fix this so users don't get bothered by this.
What happens....
(1) You send your e-mail to the list....
(2) The list gets the message and forwards a copy to all the subscribed members...
(3) One, or more of the members (I'm hoping only one, if more you would be getting multiple for every single post).. has their e-mail handled by a domain/server practicing this type of anti-spam guard. The e-mail address in the reply to your post is not the subscribed person's e-mail address!
What you can do....
(1) If you run your own mail-server BAN all messages from this domain.
(2) Delete the message.
(3) Contact the domain administrator and notify them of the problem (there are thousands of people subscribed to this list probably)
(4) Organize a mass invitation to flood the server with responses to every email posting....
(5) Ignore the message.
I wouldn't suggest #4 above without first trying all the others at least once.
James Kosin
On 1/2/06, Charles Howse chowse@charter.net wrote:
Thank you very, very much. I will be reading TFM a good deal this evening.
BTW, I keep getting an email from: AntiSpam UOL petsupermarket.sspam@uol.com.br Wanting me to verify that I am sending email to that address.
Dotan, would that be one of your addresses? It's no problem to just trash it, but I was just wondering.
No, not mine, but I'd like to strangle whoever's it is. I have written to the address several times explaining the problem he is causing, but never gotten any response. I believe that others have too.
Dotan Cohen http://technology-sleuth.com/long_answer/what_are_the_advantages_of_lcd_moni...
Dotan Cohen:
--------------------- SSHD Begin ------------------------ SSHD Killed: 1 Time(s) SSHD Started: 1 Time(s)
John Summerfied:
Normal restart stuff here and in some other places.
Dotan Cohen:
Do you mean that this is logged when the computer restarts? Because I have never restarted SSH.
I used to see the same thing all the time on at least one box, where I don't have any reason to believe it'd been stopped and restarted (no manual restarts, no reboots, no SSHD related updates).
On Sun, 2006-01-01 at 15:37 +0200, Dotan Cohen wrote:
--------------------- httpd Begin ------------------------
Requests with error response codes
   404 Not Found
      /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
      /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
      /favicon.ico: 32 Time(s)
      /javascript/HM_Arrays.js: 1 Time(s)
      /javascript/HM_ScriptDOM.js: 1 Time(s)
      /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
      /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
---------------------- httpd End -------------------------
[...]
--------------------- httpd Begin ------------------------
Requests with error response codes
   403 Forbidden
      /cgi-bin/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
      /cgi-bin/awstats/awstats.pl?configdir=|ech ... cho%20YYY;echo|: 1 Time(s)
   404 Not Found
      /Forums/admin/admin_styles.php?phpbb_root_ ... cho%20YYY;echo|: 1 Time(s)
      /Forums/admin/admin_styles.phpadmin_styles ... cho%20YYY;echo|: 1 Time(s)
      /admin_styles.phpadmin_styles.php?phpbb_ro ... cho%20YYY;echo|: 1 Time(s)
      /awstats/awstats.pl?configdir=|echo;echo%2 ... cho%20YYY;echo|: 1 Time(s)
      /blog/xmlrpc.php: 2 Time(s)
      /blog/xmlsrv/xmlrpc.php: 2 Time(s)
      /blogs/xmlsrv/xmlrpc.php: 2 Time(s)
      /cvs/index2.php?_REQUEST[option]=com_conte ... cho%20YYY;echo|: 1 Time(s)
      /cvs/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
      /drupal/xmlrpc.php: 2 Time(s)
      /mambo/index2.php?_REQUEST[option]=com_con ... cho%20YYY;echo|: 1 Time(s)
      /modules/Forums/admin/admin_styles.php?php ... cho%20YYY;echo|: 1 Time(s)
      /modules/Forums/admin/admin_styles.phpadmi ... cho%20YYY;echo|: 2 Time(s)
      /modules/coppermine/themes/default/theme.p ... cho%20YYY;echo|: 2 Time(s)
      /php/mambo/index2.php?_REQUEST[option]=com ... cho%20YYY;echo|: 1 Time(s)
      /phpgroupware/xmlrpc.php: 2 Time(s)
      /wordpress/xmlrpc.php: 2 Time(s)
      /xmlrpc.php: 4 Time(s)
      /xmlrpc/xmlrpc.php: 2 Time(s)
      /xmlsrv/xmlrpc.php: 2 Time(s)
---------------------- httpd End -------------------------
As I recall, these are attempts to hijack your server using a variant of the Luper worm that was going around a few months back. You seem to be running SELinux though, so you probably shouldn't be worried, as the default targeted and strict policies of Fedora Core 3 and 4 protect against it. :-)
On Sun, 2006-01-01 at 15:37 +0200, Dotan Cohen wrote:
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before
Something that I _always_ do after installing a new system is to edit /etc/aliases, then go to the end and create a real alias for root:
# Person who should get root's mail
root: joeblow@email.com
Then run newaliases and reload the MTA (usually Postfix, sometimes Sendmail).
Perhaps the FC installer should ask the user at some point to redirect root's email to a real address? Hmmm, interesting. I'll raise the question on the -dev list.
On Sun, 2006-01-01 at 12:46 -0800, Florin Andrei wrote:
Hmmm, interesting. I'll raise the question on the -dev list.
An RFE has been opened against firstboot to let the operator choose an alias for root:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=176767
Florin Andrei:
Hmmm, interesting. I'll raise the question on the -dev list.
An RFE has been opened against firstboot to let the operator choose an alias for root:
Just looking at what's in there:
"It's probably best to let the operator enter an arbitrary email address instead of redirecting root to another account on the same system, since that account's email may or may not be read by a MUA"
For a lot of people, that'd require reconfiguring sendmail, and registering a real domain name. As they won't be able to post to any real internet e-mail address *from* root@localhost, etc.
There'd need to be some warning regarding how to deal with such an option (all that's involved).
On Mon, 2006-01-02 at 13:39 +1030, Tim wrote:
Just looking at what's in there:
"It's probably best to let the operator enter an arbitrary email address instead of redirecting root to another account on the same system, since that account's email may or may not be read by a MUA"
For a lot of people, that'd require reconfiguring sendmail, and registering a real domain name. As they won't be able to post to any real internet e-mail address *from* root@localhost, etc.
If the hostname is properly configured then it shouldn't be an issue.
But anyway, the more flexible the configuration, the better. It's probably best if the user can choose between forwarding to a local account or forwarding to an arbitrary email address.
Dotan Cohen wrote:
I haven't read root's email in about a month. Now that I get around to it, I am surprised to see things that I have never seen before, such as:
--------------------- pam_unix Begin ------------------------
[snip]
If you've never seen these before, you may want to tweak your sendmail aliases file so root mail goes somewhere where you'll see it more often. :-)
# gedit /etc/aliases
look towards the end of the file... there's a comment about setting an alias for root's mail.
# newaliases
Note the newaliases command is needed to pick up changes.
I have procmail put those LogWatch reports in a separate folder and I look at it (almost) daily... if new things start showing up, I can easily refer to previous days... I've also used these reports to identify ip ranges of "annoying behavior" and then block them entirely... at my router... the bad traffic doesn't even get to my machine after that.
Don
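The LogWatch httpd section quoted earlier only counts URLs; to find the address ranges behind them, as the message above describes, the raw access log has to be scanned. This is an added sketch, not code from any poster: it assumes Apache "combined" format with IPv4 clients, the sample lines are constructed, and the function names and thresholds are hypothetical.

```python
import re
from collections import Counter
from ipaddress import ip_network
from urllib.parse import unquote

# Constructed Apache "combined" log lines using documentation address ranges.
# The probe URLs are simplified stand-ins; the real ones are truncated in the report.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2006:03:12:44 +0200] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.1" 404 291 "-" "-"
192.0.2.10 - - [01/Jan/2006:03:12:45 +0200] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;echo| HTTP/1.1" 403 295 "-" "-"
192.0.2.77 - - [01/Jan/2006:03:12:46 +0200] "POST /xmlrpc.php HTTP/1.1" 404 284 "-" "-"
192.0.2.77 - - [01/Jan/2006:03:12:47 +0200] "POST /blog/xmlrpc.php HTTP/1.1" 404 289 "-" "-"
198.51.100.5 - - [01/Jan/2006:09:30:01 +0200] "GET /favicon.ico HTTP/1.1" 404 286 "-" "Mozilla/5.0"
198.51.100.5 - - [01/Jan/2006:09:30:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not in combined format
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) '
)
# '|', backtick or '$(' in a decoded query string. A bare ';' is not flagged
# because some applications use it as a legitimate parameter separator.
SHELL_META_RE = re.compile(r'[|`]|\$\(')
XMLRPC_RE = re.compile(r'/xmlrpc\.php$', re.IGNORECASE)


def classify(url, status):
    """Return a reason string if the request looks like a probe, else None."""
    path, _, query = url.partition("?")
    if SHELL_META_RE.search(unquote(query)):
        return "shell-metachar"
    # xmlrpc.php requested on a host that does not serve it
    if XMLRPC_RE.search(path) and status in (403, 404):
        return "xmlrpc-probe"
    return None


def scan(log_text):
    """Return ({client: Counter(reason)}, number_of_unparsed_lines)."""
    hits, unparsed = {}, 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        reason = classify(m["url"], int(m["status"]))
        if reason:
            hits.setdefault(m["ip"], Counter())[reason] += 1
    return hits, unparsed


def noisy_networks(hits, prefix=24, min_hits=2):
    """Aggregate flagged clients into networks, busiest first."""
    totals = Counter()
    for ip, reasons in hits.items():
        try:
            net = ip_network(f"{ip}/{prefix}", strict=False)
        except ValueError:  # hostname logged instead of an address
            continue
        totals[str(net)] += sum(reasons.values())
    return [(net, count) for net, count in totals.most_common() if count >= min_hits]


if __name__ == "__main__":
    hits, unparsed = scan(SAMPLE_LOG)
    for net, count in noisy_networks(hits):
        print(f"{net}: {count} flagged request(s)")
    print(f"{unparsed} line(s) could not be parsed")
```

The ordinary 404 for /favicon.ico is not flagged, so a browser missing an icon does not end up on a block list.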