[Logwatch] TR : xinetd Logwatch

Marty Hoff martang@clearcommerce.com
Fri, 4 Apr 2003 09:17:58 -0600 (CST)


Those messages are in a different logfile than the maillog.  They are
probably coming from /var/log/secure.  Logwatch is not making these
messages up.  I think if you look in /var/log/secure, you will see these
log messages are really there.  As for why they are there, that is
something in the interaction between the pop3 daemon and xinetd and is
not in the purview of this list.  It really has nothing to do with
logwatch.

Marty

On Fri, 4 Apr 2003, BALLO IsmaŽl wrote:

>
> |
> |Hi, I see log entries that I don't understand in the secure-log part of LogWatch:
> |
> | Apr  3 06:47:57 sene xinetd[13223]: USERID: pop3 UNKNOWN :
> |hidden-user
> |> Apr  3 07:08:09 sene xinetd[13322]: USERID: pop3 UNKNOWN :
> |hidden-user
> |> Apr  3 07:10:56 sene xinetd[13341]: USERID: pop3 UNKNOWN :
> |hidden-user
> |> Apr  3 07:14:31 sene xinetd[13363]: USERID: pop3 UNKNOWN :
> |hidden-user
> |> Apr  3 07:14:58 sene xinetd[13364]: USERID: pop3 UNKNOWN :
> |hidden-user
> |> Apr  3 07:14:58 sene xinetd[13365]: USERID: pop3 UNKNOWN :
> |hidden-user
> |> Apr  3 07:15:53 sene xinetd[13368]: USERID: pop3 UNKNOWN :
> |hidden-user
> |> Apr  3 07:16:21 sene xinetd[13369]: USERID: pop3 UNKNOWN :
> |hidden-user
> |> Apr  3 07:18:22 sene xinetd[13370]: USERID: pop3 UNKNOWN :
> |hidden-user
> |> Apr  3 07:26:21 sene xinetd[13405]: USERID: pop3 UNKNOWN :
> |hidden-user
> |> Apr  3 07:29:05 sene xinetd[13409]: USERID: pop3 UNKNOWN :
> |hidden-user  ....
> |
> |
> |At the same time, after analysis, I see that these logs come
> |from pop connections from the LAN, where users are properly
> |authenticated (10.0.1.1 is the firewall), and the mailserver is in the DMZ.
> |
> |What is wrong? Why does LogWatch say that the connections
> |originate from hidden-user?
> |
> |var/log/maillog:22860:Apr  3 06:47:57 sene ipop3d[13223]: pop3
> |service init from 10.0.1.1
> |/var/log/maillog:22861:Apr  3 06:47:57 sene ipop3d[13223]:
> |Login user=almaiga host=kalifa.ier.ml [10.0.1.1] nmsgs=0/0
> |/var/log/maillog:22862:Apr  3 06:47:58 sene ipop3d[13223]:
> |Logout user=almaiga host=kalifa.ier.ml [10.0.1.1] nmsgs=0 ndele=0
> |/var/log/maillog:22901:Apr  3 06:53:10 sene sendmail[13269]:
> |h336rAX13269: from=<aly.maiga@ier.ml>, size=2050, class=0,
> |nrcpts=1, msgid=<000c01c2f9ae$9d9f8c60$fd02000a@ier.lml>,
> |proto=SMTP, daemon=MTA, relay=hidden-user@kalifa.ier.ml
> |[10.0.1.1] (may be forged)
> |/var/log/maillog:22927:Apr  3 07:08:09 sene ipop3d[13322]:
> |pop3 service init from 10.0.1.1
> |/var/log/maillog:22928:Apr  3 07:08:09 sene ipop3d[13322]:
> |Auth user=dkebe host=kalifa.ier.ml [10.0.1.1] nmsgs=4/4
> |/var/log/maillog:22929:Apr  3 07:08:10 sene ipop3d[13322]:
> |Logout user=dkebe host=kalifa.ier.ml [10.0.1.1] nmsgs=0 ndele=4
> |/var/log/maillog:22933:Apr  3 07:10:21 sene sendmail[13332]:
> |h337ALX13332: from=<Demba.Kebe@ier.ml>, size=1882, class=0,
> |nrcpts=1, msgid=<3E8BC316.FA57EA91@ier.ml>, bodytype=8BITMIME,
> |proto=ESMTP, daemon=MTA, relay=hidden-user@kalifa.ier.ml
> |[10.0.1.1] (may be forged)
> |/var/log/maillog:22938:Apr  3 07:10:56 sene ipop3d[13341]:
> |pop3 service init from 10.0.1.1
> |/var/log/maillog:22939:Apr  3 07:10:56 sene ipop3d[13341]:
> |Auth user=ctelly host=kalifa.ier.ml [10.0.1.1] nmsgs=11/11
> |
>

--------------------------------------------
Marty Hoff                   martang@clearcommerce.com
UNIX Administrator           ClearCommerce Corp.

Always remember you're unique, just like everyone else.
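
An added example (not part of the original message and not Logwatch code): in the quoted samples each xinetd line from the secure log carries the same host, PID and timestamp as an ipop3d line in maillog, so the two files can be joined on host and PID to see which authenticated login each "hidden-user" entry belongs to. The sample text is constructed from the quoted lines with wrapped lines rejoined; the function name correlate and the 60-second window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample input: lines quoted in the thread, wrapped lines rejoined.
SECURE = """\
Apr  3 06:47:57 sene xinetd[13223]: USERID: pop3 UNKNOWN : hidden-user
Apr  3 07:08:09 sene xinetd[13322]: USERID: pop3 UNKNOWN : hidden-user
Apr  3 07:10:56 sene xinetd[13341]: USERID: pop3 UNKNOWN : hidden-user
Apr  3 07:14:31 sene xinetd[13363]: USERID: pop3 UNKNOWN : hidden-user
"""
MAILLOG = """\
Apr  3 06:47:57 sene ipop3d[13223]: pop3 service init from 10.0.1.1
Apr  3 06:47:57 sene ipop3d[13223]: Login user=almaiga host=kalifa.ier.ml [10.0.1.1] nmsgs=0/0
Apr  3 07:08:09 sene ipop3d[13322]: Auth user=dkebe host=kalifa.ier.ml [10.0.1.1] nmsgs=4/4
Apr  3 07:10:56 sene ipop3d[13341]: Auth user=ctelly host=kalifa.ier.ml [10.0.1.1] nmsgs=11/11
"""

STAMP = r"(\w{3}\s+\d+ [\d:]{8}) (\S+) "  # syslog timestamp and hostname
XINETD = re.compile(STAMP + r"xinetd\[(\d+)\]: USERID: (\S+) (.*)")
IPOP3D = re.compile(STAMP + r"ipop3d\[(\d+)\]: (?:Login|Auth) user=(\S+) host=\S+ \[([\d.]+)\]")
MAX_SKEW = 60  # seconds (assumed); keeps a reused PID from matching an old session

def _ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S")  # syslog lines carry no year

def correlate(secure, maillog):
    """Pair each xinetd USERID line with the ipop3d login sharing its host and PID."""
    logins = {}
    for line in maillog.splitlines():
        m = IPOP3D.match(line)
        if m:
            when, host, pid, user, ip = m.groups()
            logins.setdefault((host, pid), []).append((_ts(when), user, ip))
    rows = []
    for line in secure.splitlines():
        m = XINETD.match(line)
        if not m:
            continue
        when, host, pid, service, ident = m.groups()
        near = [(u, ip) for t, u, ip in logins.get((host, pid), [])
                if abs((t - _ts(when)).total_seconds()) <= MAX_SKEW]
        user, ip = near[0] if near else (None, None)  # None: no login found in maillog
        rows.append({"time": when, "pid": pid, "service": service,
                     "ident": ident.strip(), "user": user, "client": ip})
    return rows

if __name__ == "__main__":
    for r in correlate(SECURE, MAILLOG):
        print(r["time"], r["pid"], r["ident"], "->", r["user"] or "no login in maillog", r["client"] or "")
```

The last secure line (PID 13363) has no counterpart in the quoted maillog excerpt, so it comes back with no user rather than being paired with an unrelated session.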