[Logwatch-Devel] LogWatch and sendmail

Paweł Gołaszewski blues@ds.pg.gda.pl
Wed, 12 Nov 2003 08:39:05 +0100 (CET)


I've got some entries on my machines that are not matched, but I think 
they should be....

 --------------------- pam_unix Begin ------------------------ 

[...]
sshd:
   Unknown Entries:
      2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=rav.some.domain  user=root: 1 Time(s)
   Sessions Opened:
      maf: 6 Time(s)
[...]

 ---------------------- pam_unix End ------------------------- 


The samba filter does not catch many entries... Signal 11 HAS to be...  it's
quite important ;)) (I had some memory problems...)
 --------------------- samba Begin ------------------------ 

[...]
**Unmatched Entries**
lib/fault.c:fault_report(38)  =============================================================== : 36 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12557 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12558 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12559 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12580 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12588 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12595 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12608 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12609 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12610 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12700 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12701 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12702 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12704 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12705 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12706 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12738 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12739 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12740 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13261 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13262 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13263 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13268 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13269 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13270 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13408 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13409 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13410 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13487 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13488 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13489 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13490 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13492 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13493 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13504 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13505 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 13506 (2.2.8a)  Please read the file BUGS.txt in the distribution : 1 Time(s)
lib/fault.c:fault_report(41)  =============================================================== : 36 Time(s)
lib/util.c:smb_panic(1094)  PANIC: internal error : 36 Time(s)
lib/util_sock.c:get_socket_addr(1012)  getpeername failed. Error was Transport endpoint is not connected : 1 Time(s)
lib/util_sock.c:read_data(436)  read_data: read failure for 4. Error = Broken pipe : 2 Time(s)
lib/util_sock.c:send_smb(704)  Error writing 4 bytes to client. -1. (Broken pipe) : 1 Time(s)
lib/util_sock.c:write_socket(524)  write_socket: Error writing 4 bytes to socket 13: ERRNO = Broken pipe : 1 Time(s)
lib/util_sock.c:write_socket_data(499)  write_socket_data: write failure. Error = Broken pipe : 1 Time(s)
nmbd/nmbd_incomingdgrams.c:process_local_master_announce(314)  process_local_master_announce: Server LOTEK at IP 1.1.2.2 is announcing itself as a local master browser for workgroup DS-6 and we think we are master. Forcing election. : 1 Time(s)
nmbd/nmbd_incomingdgrams.c:process_local_master_announce(314)  process_local_master_announce: Server TWOJBOG at IP 1.1.1.9 is announcing itself as a local master browser for workgroup DS-6 and we think we are master. Forcing election. : 71 Time(s)
smbd/password.c:pass_check_smb(552)  Account for user 'marcin' was disabled. : 43 Time(s)
smbd/password.c:pass_check_smb(552)  Account for user 'michal' was disabled. : 15 Time(s)
[...]

 ---------------------- samba End ------------------------- 


Some unmatched sendmail entries :) The important thing is Possible Attack....
 --------------------- sendmail Begin ------------------------ 

**Unmatched Entries**
   DSN: Can't create output: 333 Time(s)
   Authentication-Warning: mail.some.domain: kamyk set sender to <> using -f: 100 Time(s)
   grew WorkList for /var/spool/mqueue to 2000: 44 Time(s)
   safesasl(/var/lib/sasl/sasl.db) failed: Group readable file: 28 Time(s)
   ruleset=check_relay, arg1=mail1.adsaturation.com, arg2=63.239.178.199, relay=mail1.adsaturation.com [63.239.178.199], reject=553 5.3.0 550Spamers: 4 Time(s)
   hank-fep7-0.inet.fi [194.251.242.202] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 3 Time(s)
   hank-fep5-0.inet.fi [194.251.242.200] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 3 Time(s)
   Authentication-Warning: mail.some.domain: marosin set sender to  Mail Delivery Subsystem <MAILER-DAEMON@mail.some.domain> using -f: 2 Time(s)
   hank-fep1-0.inet.fi [194.251.242.196] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 2 Time(s)
   hank-fep3-0.inet.fi [194.251.242.198] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 2 Time(s)
   [212.70.34.66] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   POSSIBLE ATTACK from chello080109039152.1.14.univie.teleweb.at: newline in string "psvvadlcpp\r ": 1 Time(s)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   ruleset=check_relay, arg1=pcp525782pcs.nash01.tn.comcast.net, arg2=68.52.147.200, relay=pcp525782pcs.nash01.tn.comcast.net [68.52.147.200], reject=553 5.3.0 550Spamers: 1 Time(s)
   sls-ce12p7.dca2.superb.net [66.36.230.214] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   hA97956E009271: return to sender: Can't create output: 1 Time(s)
   ruleset=check_relay, arg1=pcp04562858pcs.scaptl01.dc.comcast.net, arg2=68.48.104.156, relay=devilman64@pcp04562858pcs.scaptl01.dc.comcast.net [68.48.104.156], reject=553 5.3.0 550Spamers: 1 Time(s)
   ruleset=check_relay, arg1=pcp02959936pcs.eatntn01.nj.comcast.net, arg2=68.36.62.120, relay=pcp02959936pcs.eatntn01.nj.comcast.net [68.36.62.120], reject=553 5.3.0 550Spamers: 1 Time(s)
   Authentication-Warning: mail.some.domain: marosin set sender to  Karolina <kalola@poczta.fm> using -f: 1 Time(s)
   ruleset=check_relay, arg1=c-67-170-37-77.client.comcast.net, arg2=67.170.37.77, relay=c-67-170-37-77.client.comcast.net [67.170.37.77], reject=553 5.3.0 550Spamers: 1 Time(s)
   hA9LTr6E006118: return to sender: Can't create output: 1 Time(s)
   ruleset=check_relay, arg1=c-67-165-100-140.client.comcast.net, arg2=67.165.100.140, relay=c-67-165-100-140.client.comcast.net [67.165.100.140], reject=553 5.3.0 550Spamers: 1 Time(s)
   cvg-65-27-227-108.cinci.rr.com [65.27.227.108] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   [68.117.66.19] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   hA9LFR6E004281: return to sender: Can't create output: 1 Time(s)
   ruleset=check_relay, arg1=66-168-69-239.wb.wi.charter.com, arg2=66.168.69.239, relay=hsnag2001o@66-168-69-239.wb.wi.charter.com [66.168.69.239], reject=553 5.3.0 550Spamers: 1 Time(s)
   [210.176.191.53] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   hA98YI6E011630: return to sender: Can't create output: 1 Time(s)
   [216.160.154.208] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   POSSIBLE ATTACK from cpe-66-189-100-60.ma.charter.com: newline in string "rimpanwakg\r ": 1 Time(s)
   a213-22-127-251.netcabo.pt [213.22.127.251] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   [66.41.245.64] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   ruleset=check_relay, arg1=pcp05290560pcs.wanarb01.mi.comcast.net, arg2=68.40.181.86, relay=pcp05290560pcs.wanarb01.mi.comcast.net [68.40.181.86], reject=553 5.3.0 550Spamers: 1 Time(s)
   Authentication-Warning: mail.some.domain: marosin set sender to  root@mail.some.domain (root) using -f: 1 Time(s)
   ruleset=check_relay, arg1=mta01ps.bigpond.com, arg2=144.135.25.155, relay=mta01ps.bigpond.com [144.135.25.155], reject=553 5.3.0 550Spamers: 1 Time(s)
   hA98oh6E012038: return to sender: Can't create output: 1 Time(s)
   ruleset=check_relay, arg1=bgp376711bgs.plnfld01.nj.comcast.net, arg2=68.36.0.246, relay=bgp376711bgs.plnfld01.nj.comcast.net [68.36.0.246], reject=553 5.3.0 550Spamers: 1 Time(s)
   [62.43.33.161] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   mx48.certny2.biz [216.17.82.48] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   alpha@[61.98.97.190] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   [61.99.206.174] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   [205.252.103.171] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   rejecting connections on daemon Daemon0: load average: 41: 1 Time(s)
   hank-fep6-0.inet.fi [194.251.242.201] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   ruleset=check_relay, arg1=c-67-173-31-230.client.comcast.net, arg2=67.173.31.230, relay=c-67-173-31-230.client.comcast.net [67.173.31.230], reject=553 5.3.0 550Spamers: 1 Time(s)
   61-56-177-224.e-lan.net.tw [61.56.177.224] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   [205.252.103.82] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   ruleset=check_relay, arg1=pcp01850024pcs.danbry01.ct.comcast.net, arg2=68.63.84.52, relay=pcp01850024pcs.danbry01.ct.comcast.net [68.63.84.52], reject=553 5.3.0 550Spamers: 1 Time(s)
   ruleset=check_relay, arg1=gizmo13ps.email.bigpond.com, arg2=144.140.71.23, relay=gizmo13ps.email.bigpond.com [144.140.71.23] (may be forged), reject=553 5.3.0 550Spamers: 1 Time(s)
   hA9ImK6E027525: return to sender: Can't create output: 1 Time(s)
   [218.242.5.169] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   POSSIBLE ATTACK from h68-145-226-216.cg.shawcable.net: newline in string "igavgymhdo\r ": 1 Time(s)
   hank-fep12-0.inet.fi [194.251.242.210] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   ruleset=check_relay, arg1=cpc3-nthc3-3-0-cust103.nrth.cable.ntl.com, arg2=80.4.54.103, relay=cpc3-nthc3-3-0-cust103.nrth.cable.ntl.com [80.4.54.103], reject=553 5.3.0 550Spamers: 1 Time(s)
   accepting connections again for daemon Daemon0: 1 Time(s)
   hA97el6E010113: return to sender: Can't create output: 1 Time(s)
   ruleset=check_relay, arg1=pcp01342416pcs.wilog401.pa.comcast.net, arg2=68.81.112.167, relay=pcp01342416pcs.wilog401.pa.comcast.net [68.81.112.167], reject=553 5.3.0 550Spamers: 1 Time(s)
   menilmontant-1-81-57-41-9.fbx.proxad.net [81.57.41.9] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   ruleset=check_relay, arg1=mailer43.smilepop.com, arg2=64.156.187.43, relay=mailer43.smilepop.com [64.156.187.43], reject=553 5.3.0 550Spamers: 1 Time(s)
   hank-fep9-0.inet.fi [194.251.242.204] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   [61.185.6.134] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   thalya@[61.98.97.190] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   adelita@[61.98.97.190] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   ruleset=check_relay, arg1=cpc3-leic3-3-0-cust21.nott.cable.ntl.com, arg2=81.96.132.21, relay=cpc3-leic3-3-0-cust21.nott.cable.ntl.com [81.96.132.21], reject=553 5.3.0 550Spamers: 1 Time(s)
   [202.28.52.132] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   ruleset=check_relay, arg1=pcp01067565pcs.rome01.tn.comcast.net, arg2=68.60.7.114, relay=pcp01067565pcs.rome01.tn.comcast.net [68.60.7.114], reject=553 5.3.0 550Spamers: 1 Time(s)
   [61.99.14.218] did not issue MAIL/EXPN/VRFY/ETRN during connection to Daemon0: 1 Time(s)
   hA9H8I6E019828: return to sender: Can't create output: 1 Time(s)
   POSSIBLE ATTACK from 0x50c62ef2.kjnxx2.adsl-dhcp.tele.dk: newline in string "jmintwivus\r ": 1 Time(s)
   ruleset=check_relay, arg1=c-67-167-91-9.client.comcast.net, arg2=67.167.91.9, relay=c-67-167-91-9.client.comcast.net [67.167.91.9], reject=553 5.3.0 550Spamers: 1 Time(s)
   Authentication-Warning: mail.some.domain: marosin set sender to  Mane <mane1@wp.pl> using -f: 1 Time(s)

 ---------------------- sendmail End ------------------------- 


This one is interesting, especially the first one.
 --------------------- SSHD Begin ------------------------ 

**Unmatched Entries**
fatal: buffer_get: trying to get more bytes 4 than in buffer 0
Failed keyboard-interactive for root from ::ffff:1.1.1.1 port 58448 ssh2
Cannot release PAM authentication[4]: System error
Failed password for maks from ::ffff:2.2.2.5 port 1728
Failed password for tonek from ::ffff:1.9.2.2 port 54775

 ---------------------- SSHD End ------------------------- 


On another machine I get:

 --------------------- httpd Begin ------------------------

Use of uninitialized value in pattern match (m//) at /usr/share/logwatch/scripts/services/http line 160, <STDIN> line 566.

---------------------- httpd End -------------------------
but... I wasn't able to reproduce it :(
On another machine I get in http filter:
Use of uninitialized value in hash element at /usr/share/logwatch/scripts/services/http line 192, <STDIN> line 24082.
Use of uninitialized value in hash element at /usr/share/logwatch/scripts/services/http line 192, <STDIN> line 24088.


-- 
Regards,  Paweł Gołaszewski 
---------------------------------
worth to see: http://www.againsttcpa.com/
CPU not found - software emulation...
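
One way a filter could aggregate the entries this report lists as unmatched, as an added example that is not part of the original message and not Logwatch's own code. The `summarize` function and its category names are hypothetical; the sample lines are copied from the report above with the trailing ": N Time(s)" counts removed.

```perl
#!/usr/bin/perl
# Added example (not Logwatch code): group the samba crash, sendmail
# "POSSIBLE ATTACK" and pam_unix repeated-failure lines instead of
# leaving them under "Unmatched Entries".
use strict;
use warnings;

# Sample input: lines taken from the report above, counts stripped.
my @sample = (
    'lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12557 (2.2.8a)  Please read the file BUGS.txt in the distribution',
    'lib/fault.c:fault_report(39)  INTERNAL ERROR: Signal 11 in pid 12558 (2.2.8a)  Please read the file BUGS.txt in the distribution',
    'lib/util.c:smb_panic(1094)  PANIC: internal error',
    'POSSIBLE ATTACK from chello080109039152.1.14.univie.teleweb.at: newline in string "psvvadlcpp\r "',
    'POSSIBLE ATTACK from cpe-66-189-100-60.ma.charter.com: newline in string "rimpanwakg\r "',
    '2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=rav.some.domain  user=root',
);

# summarize() is a hypothetical helper: returns per-category counters
# plus the lines that still match nothing.
sub summarize {
    my @lines = @_;
    my (%crash, %attack, %authfail, @other);
    for my $line (@lines) {
        if ($line =~ /INTERNAL ERROR: Signal (\d+) in pid \d+ \(([^)]+)\)/) {
            # Drop the pid so repeated crashes collapse into one counter.
            $crash{"signal $1, version $2"}++;
        } elsif ($line =~ /^POSSIBLE ATTACK from (\S+): newline in string/) {
            $attack{$1}++;
        } elsif ($line =~ /^(\d+) more authentication failures;.*\brhost=(\S*)\s+user=(\S+)/) {
            # The leading number is the count of additional failures.
            $authfail{"$3 from $2"} += $1;
        } else {
            push @other, $line;
        }
    }
    return (\%crash, \%attack, \%authfail, \@other);
}

my ($crash, $attack, $authfail, $other) = summarize(@sample);
print "Samba internal errors:\n";
printf "   %s: %d Time(s)\n", $_, $crash->{$_} for sort keys %$crash;
print "Sendmail possible attacks (newline in string):\n";
printf "   %s: %d Time(s)\n", $_, $attack->{$_} for sort keys %$attack;
print "Additional authentication failures:\n";
printf "   %s: %d Time(s)\n", $_, $authfail->{$_} for sort keys %$authfail;
print "**Unmatched Entries**\n";
print "   $_\n" for @$other;
```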