[Logwatch] TR : xinetd Logwatch

BALLO Ismaël iballo@afribone.net.ml
Fri, 4 Apr 2003 11:51:42 -0000


|
|Hi, I see log lines that I don't understand in the LogWatch section secure-log:
|
|> Apr  3 06:47:57 sene xinetd[13223]: USERID: pop3 UNKNOWN : hidden-user
|> Apr  3 07:08:09 sene xinetd[13322]: USERID: pop3 UNKNOWN : hidden-user
|> Apr  3 07:10:56 sene xinetd[13341]: USERID: pop3 UNKNOWN : hidden-user
|> Apr  3 07:14:31 sene xinetd[13363]: USERID: pop3 UNKNOWN : hidden-user
|> Apr  3 07:14:58 sene xinetd[13364]: USERID: pop3 UNKNOWN : hidden-user
|> Apr  3 07:14:58 sene xinetd[13365]: USERID: pop3 UNKNOWN : hidden-user
|> Apr  3 07:15:53 sene xinetd[13368]: USERID: pop3 UNKNOWN : hidden-user
|> Apr  3 07:16:21 sene xinetd[13369]: USERID: pop3 UNKNOWN : hidden-user
|> Apr  3 07:18:22 sene xinetd[13370]: USERID: pop3 UNKNOWN : hidden-user
|> Apr  3 07:26:21 sene xinetd[13405]: USERID: pop3 UNKNOWN : hidden-user
|> Apr  3 07:29:05 sene xinetd[13409]: USERID: pop3 UNKNOWN : hidden-user  ....
|
|
|At the same time, after analysis, I see that these logs come
|from POP connections from the LAN, where users are properly
|authenticated (10.0.1.1 is the firewall), and the mail server is in the DMZ.
|
|What is wrong? Why does LogWatch say that the connections
|originate from hidden-user?
|
|/var/log/maillog:22860:Apr  3 06:47:57 sene ipop3d[13223]: pop3 service init from 10.0.1.1
|/var/log/maillog:22861:Apr  3 06:47:57 sene ipop3d[13223]: Login user=almaiga host=kalifa.ier.ml [10.0.1.1] nmsgs=0/0
|/var/log/maillog:22862:Apr  3 06:47:58 sene ipop3d[13223]: Logout user=almaiga host=kalifa.ier.ml [10.0.1.1] nmsgs=0 ndele=0
|/var/log/maillog:22901:Apr  3 06:53:10 sene sendmail[13269]: h336rAX13269: from=<aly.maiga@ier.ml>, size=2050, class=0, nrcpts=1, msgid=<000c01c2f9ae$9d9f8c60$fd02000a@ier.lml>, proto=SMTP, daemon=MTA, relay=hidden-user@kalifa.ier.ml [10.0.1.1] (may be forged)
|/var/log/maillog:22927:Apr  3 07:08:09 sene ipop3d[13322]: pop3 service init from 10.0.1.1
|/var/log/maillog:22928:Apr  3 07:08:09 sene ipop3d[13322]: Auth user=dkebe host=kalifa.ier.ml [10.0.1.1] nmsgs=4/4
|/var/log/maillog:22929:Apr  3 07:08:10 sene ipop3d[13322]: Logout user=dkebe host=kalifa.ier.ml [10.0.1.1] nmsgs=0 ndele=4
|/var/log/maillog:22933:Apr  3 07:10:21 sene sendmail[13332]: h337ALX13332: from=<Demba.Kebe@ier.ml>, size=1882, class=0, nrcpts=1, msgid=<3E8BC316.FA57EA91@ier.ml>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=hidden-user@kalifa.ier.ml [10.0.1.1] (may be forged)
|/var/log/maillog:22938:Apr  3 07:10:56 sene ipop3d[13341]: pop3 service init from 10.0.1.1
|/var/log/maillog:22939:Apr  3 07:10:56 sene ipop3d[13341]: Auth user=ctelly host=kalifa.ier.ml [10.0.1.1] nmsgs=11/11
|
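A note on reading these two logs together, with an added example that is not part of the post above. The `USERID:` entries are produced by xinetd's USERID logging option, which sends an RFC 1413 (ident) query back to the connecting host; `hidden-user` is the `HIDDEN-USER` error reply that RFC 1413 defines for an ident server that declines to name the user. Because every POP3 session here arrives from the firewall address 10.0.1.1, the query is answered by whatever ident service sits on the firewall, not by the user's workstation, and the same answer shows up in sendmail's `relay=hidden-user@kalifa.ier.ml` field. The real mailbox owner is in the `ipop3d` line that carries the same PID, since xinetd logs the lookup under the PID of the server process it spawned for that connection. The script below (my code, not LogWatch's) joins the two logs on that PID; the sample lines are constructed from the entries quoted in the post, and one xinetd PID (13363) is deliberately left without a matching ipop3d entry to show how an unmatched lookup is reported.

```python
import re
from collections import defaultdict

# Constructed sample input, shaped like the xinetd and ipop3d lines quoted in the post.
SECURE_LOG = """\
Apr  3 06:47:57 sene xinetd[13223]: USERID: pop3 UNKNOWN : hidden-user
Apr  3 07:08:09 sene xinetd[13322]: USERID: pop3 UNKNOWN : hidden-user
Apr  3 07:10:56 sene xinetd[13341]: USERID: pop3 UNKNOWN : hidden-user
Apr  3 07:14:31 sene xinetd[13363]: USERID: pop3 UNKNOWN : hidden-user
"""

MAIL_LOG = """\
Apr  3 06:47:57 sene ipop3d[13223]: pop3 service init from 10.0.1.1
Apr  3 06:47:57 sene ipop3d[13223]: Login user=almaiga host=kalifa.ier.ml [10.0.1.1] nmsgs=0/0
Apr  3 06:47:58 sene ipop3d[13223]: Logout user=almaiga host=kalifa.ier.ml [10.0.1.1] nmsgs=0 ndele=0
Apr  3 07:08:09 sene ipop3d[13322]: pop3 service init from 10.0.1.1
Apr  3 07:08:09 sene ipop3d[13322]: Auth user=dkebe host=kalifa.ier.ml [10.0.1.1] nmsgs=4/4
Apr  3 07:08:10 sene ipop3d[13322]: Logout user=dkebe host=kalifa.ier.ml [10.0.1.1] nmsgs=0 ndele=4
Apr  3 07:10:56 sene ipop3d[13341]: pop3 service init from 10.0.1.1
Apr  3 07:10:56 sene ipop3d[13341]: Auth user=ctelly host=kalifa.ier.ml [10.0.1.1] nmsgs=11/11
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"

# xinetd USERID line: "<ts> <host> xinetd[<pid>]: USERID: <service> <status> : <ident answer>"
XINETD_RE = re.compile(
    TS + r" \S+ xinetd\[(?P<pid>\d+)\]: USERID: (?P<service>\S+) (?P<status>\S+) : (?P<user>\S+)"
)

# ipop3d lines: either the "service init from <ip>" line or a Login/Auth/Logout line.
POP_RE = re.compile(
    TS + r" \S+ ipop3d\[(?P<pid>\d+)\]: "
    r"(?:(?P<event>Login|Auth|Logout) user=(?P<user>\S+) host=(?P<host>\S+) \[(?P<ip>[\d.]+)\]"
    r"|pop3 service init from (?P<src>[\d.]+))"
)


def parse_xinetd(text):
    """Map PID -> (timestamp, ident status, ident answer) for each USERID line."""
    lookups = {}
    for line in text.splitlines():
        m = XINETD_RE.match(line)
        if m:
            lookups[int(m["pid"])] = (m["ts"], m["status"], m["user"])
    return lookups


def parse_pop(text):
    """Map PID -> {"src": ip, "user": name, "host": name} from ipop3d lines."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = POP_RE.match(line)
        if not m:
            continue
        pid = int(m["pid"])
        if m["src"]:
            sessions[pid]["src"] = m["src"]
        elif m["event"] in ("Login", "Auth"):  # Logout repeats the name; not needed
            sessions[pid]["user"] = m["user"]
            sessions[pid]["host"] = m["host"]
    return dict(sessions)


def correlate(secure_log, mail_log):
    """Join the ident lookup to the POP3 session on the shared PID."""
    ident = parse_xinetd(secure_log)
    pop = parse_pop(mail_log)
    rows = []
    for pid, (ts, status, ident_user) in sorted(ident.items()):
        s = pop.get(pid, {})  # empty dict when no ipop3d line shares this PID
        rows.append({
            "pid": pid, "time": ts, "ident_user": ident_user,
            "src": s.get("src"), "pop_user": s.get("user"), "host": s.get("host"),
        })
    return rows


def count_hidden_by_source(rows):
    """How many 'hidden-user' ident answers came from each source address."""
    counts = defaultdict(int)
    for r in rows:
        if r["ident_user"] == "hidden-user":
            counts[r["src"] or "unmatched"] += 1
    return dict(counts)


if __name__ == "__main__":
    table = correlate(SECURE_LOG, MAIL_LOG)
    for r in table:
        print(f"{r['time']} pid={r['pid']} ident={r['ident_user']} "
              f"src={r['src']} pop_user={r['pop_user']} host={r['host']}")
    print(count_hidden_by_source(table))
```

Run against the real `/var/log/secure` and `/var/log/maillog`, the table makes the point visible at a glance: every `hidden-user` answer is attributed to the firewall's address, while the POP3 account that actually authenticated is the `pop_user` column. The ident answer is therefore not evidence of an unauthenticated or spoofed login; it only says that the host answering port 113 (the firewall, after NAT) will not reveal a user name, and the same remains true for the `(may be forged)` annotation sendmail adds to the relay field.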