[Logwatch] xinetd Logwatch

BALLO Ismaël iballo@afribone.net.ml
Fri, 4 Apr 2003 11:49:20 -0000


Hi, I see log lines that I don't understand in the secure-log part of the LogWatch report:

> Apr  3 06:47:57 sene xinetd[13223]: USERID: pop3 UNKNOWN : hidden-user
> Apr  3 07:08:09 sene xinetd[13322]: USERID: pop3 UNKNOWN : hidden-user
> Apr  3 07:10:56 sene xinetd[13341]: USERID: pop3 UNKNOWN : hidden-user
> Apr  3 07:14:31 sene xinetd[13363]: USERID: pop3 UNKNOWN : hidden-user
> Apr  3 07:14:58 sene xinetd[13364]: USERID: pop3 UNKNOWN : hidden-user
> Apr  3 07:14:58 sene xinetd[13365]: USERID: pop3 UNKNOWN : hidden-user
> Apr  3 07:15:53 sene xinetd[13368]: USERID: pop3 UNKNOWN : hidden-user
> Apr  3 07:16:21 sene xinetd[13369]: USERID: pop3 UNKNOWN : hidden-user
> Apr  3 07:18:22 sene xinetd[13370]: USERID: pop3 UNKNOWN : hidden-user
> Apr  3 07:26:21 sene xinetd[13405]: USERID: pop3 UNKNOWN : hidden-user
> Apr  3 07:29:05 sene xinetd[13409]: USERID: pop3 UNKNOWN : hidden-user
....


At the same time, after analysis, I see that these logs come from POP
connections from the LAN, where users are properly authenticated (10.0.1.1 is the
firewall), and the mail server is in the DMZ.

What is wrong? Why does LogWatch say that the connections originate
from hidden-user?

/var/log/maillog:22860:Apr  3 06:47:57 sene ipop3d[13223]: pop3 service init from 10.0.1.1
/var/log/maillog:22861:Apr  3 06:47:57 sene ipop3d[13223]: Login user=almaiga host=kalifa.ier.ml [10.0.1.1] nmsgs=0/0
/var/log/maillog:22862:Apr  3 06:47:58 sene ipop3d[13223]: Logout user=almaiga host=kalifa.ier.ml [10.0.1.1] nmsgs=0 ndele=0
/var/log/maillog:22901:Apr  3 06:53:10 sene sendmail[13269]: h336rAX13269: from=<aly.maiga@ier.ml>, size=2050, class=0, nrcpts=1, msgid=<000c01c2f9ae$9d9f8c60$fd02000a@ier.lml>, proto=SMTP, daemon=MTA, relay=hidden-user@kalifa.ier.ml [10.0.1.1] (may be forged)
/var/log/maillog:22927:Apr  3 07:08:09 sene ipop3d[13322]: pop3 service init from 10.0.1.1
/var/log/maillog:22928:Apr  3 07:08:09 sene ipop3d[13322]: Auth user=dkebe host=kalifa.ier.ml [10.0.1.1] nmsgs=4/4
/var/log/maillog:22929:Apr  3 07:08:10 sene ipop3d[13322]: Logout user=dkebe host=kalifa.ier.ml [10.0.1.1] nmsgs=0 ndele=4
/var/log/maillog:22933:Apr  3 07:10:21 sene sendmail[13332]: h337ALX13332: from=<Demba.Kebe@ier.ml>, size=1882, class=0, nrcpts=1, msgid=<3E8BC316.FA57EA91@ier.ml>, bodytype=8BITMIME, proto=ESMTP, daemon=MTA, relay=hidden-user@kalifa.ier.ml [10.0.1.1] (may be forged)
/var/log/maillog:22938:Apr  3 07:10:56 sene ipop3d[13341]: pop3 service init from 10.0.1.1
/var/log/maillog:22939:Apr  3 07:10:56 sene ipop3d[13341]: Auth user=ctelly host=kalifa.ier.ml [10.0.1.1] nmsgs=11/11
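The USERID entry that xinetd writes is the result of an RFC 1413 ident query sent back to the connecting host when the service is configured with USERID in log_on_success/log_on_failure; sendmail records the same kind of reply in the user part of its relay= field. Because every POP3 and SMTP connection in the excerpts arrives from the firewall 10.0.1.1, the reply describes whatever ident responder answers on the firewall, not the mailbox owner, and the real identity is the user= in the ipop3d Login/Auth line that shares the PID. The script below is an added example, not from the post or from the Logwatch or xinetd projects: it parses constructed copies of the quoted lines and joins the ident reply to the authenticated POP3 user by PID, which is the check that answers "who really connected". It assumes, as the excerpts show, that xinetd logs USERID under the same PID the spawned ipop3d process then uses; the sample log lines are constructed from the post.

```python
"""Correlate xinetd USERID (ident) lines with the mail sessions they belong to.

Added example; log lines below are constructed from the excerpts in the post.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of the secure-log lines Logwatch reported.
SECURE_LOG = [
    "Apr  3 06:47:57 sene xinetd[13223]: USERID: pop3 UNKNOWN : hidden-user",
    "Apr  3 07:08:09 sene xinetd[13322]: USERID: pop3 UNKNOWN : hidden-user",
    "Apr  3 07:10:56 sene xinetd[13341]: USERID: pop3 UNKNOWN : hidden-user",
]

# Constructed sample of the matching /var/log/maillog lines.
MAILLOG = [
    "Apr  3 06:47:57 sene ipop3d[13223]: pop3 service init from 10.0.1.1",
    "Apr  3 06:47:57 sene ipop3d[13223]: Login user=almaiga host=kalifa.ier.ml [10.0.1.1] nmsgs=0/0",
    "Apr  3 06:47:58 sene ipop3d[13223]: Logout user=almaiga host=kalifa.ier.ml [10.0.1.1] nmsgs=0 ndele=0",
    "Apr  3 06:53:10 sene sendmail[13269]: h336rAX13269: from=<aly.maiga@ier.ml>, size=2050, class=0, "
    "nrcpts=1, msgid=<000c01c2f9ae$9d9f8c60$fd02000a@ier.lml>, proto=SMTP, daemon=MTA, "
    "relay=hidden-user@kalifa.ier.ml [10.0.1.1] (may be forged)",
    "Apr  3 07:08:09 sene ipop3d[13322]: pop3 service init from 10.0.1.1",
    "Apr  3 07:08:09 sene ipop3d[13322]: Auth user=dkebe host=kalifa.ier.ml [10.0.1.1] nmsgs=4/4",
    "Apr  3 07:08:10 sene ipop3d[13322]: Logout user=dkebe host=kalifa.ier.ml [10.0.1.1] nmsgs=0 ndele=4",
    "Apr  3 07:10:56 sene ipop3d[13341]: pop3 service init from 10.0.1.1",
    "Apr  3 07:10:56 sene ipop3d[13341]: Auth user=ctelly host=kalifa.ier.ml [10.0.1.1] nmsgs=11/11",
]

# xinetd: "USERID: <service> <ident reply as returned by the remote identd>"
USERID_RE = re.compile(r"xinetd\[(?P<pid>\d+)\]: USERID: (?P<service>\S+) (?P<ident>.+)$")
# ipop3d: connection start (gives the client IP) and the successful login (gives the real user)
INIT_RE = re.compile(r"ipop3d\[(?P<pid>\d+)\]: pop3 service init from (?P<ip>\S+)$")
AUTH_RE = re.compile(r"ipop3d\[(?P<pid>\d+)\]: (?:Login|Auth) user=(?P<user>\S+) host=\S+ \[(?P<ip>[^\]]+)\]")
# sendmail: the ident reply is the user part of relay=<ident>@<host> [<ip>]
RELAY_RE = re.compile(r"sendmail\[(?P<pid>\d+)\]: \S+: from=<(?P<sender>[^>]*)>.* relay=(?P<ident>[^@\s]+)@\S+ \[(?P<ip>[^\]]+)\]")


def correlate(secure_lines, mail_lines):
    """Return one record per session: the ident reply versus the user who actually authenticated."""
    ident_by_pid = {}
    for line in secure_lines:
        m = USERID_RE.search(line)
        if m:
            ident_by_pid[m["pid"]] = m["ident"].strip()

    sessions = {}

    def session(pid, ip, kind):
        # xinetd forks, logs USERID, then execs the server, so the PID is shared with ipop3d.
        return sessions.setdefault(pid, {
            "pid": pid, "service": kind, "client_ip": ip,
            "ident_reply": ident_by_pid.get(pid), "authenticated_user": None,
        })

    for line in mail_lines:
        m = INIT_RE.search(line)
        if m:
            session(m["pid"], m["ip"], "pop3")
            continue
        m = AUTH_RE.search(line)
        if m:
            session(m["pid"], m["ip"], "pop3")["authenticated_user"] = m["user"]
            continue
        m = RELAY_RE.search(line)
        if m:
            # SMTP has no POP3-style login; sendmail stores the ident reply in relay= itself.
            s = session(m["pid"], m["ip"], "smtp")
            s["ident_reply"] = m["ident"]
            s["envelope_sender"] = m["sender"]
    return [sessions[p] for p in sorted(sessions, key=int)]


def ident_replies_by_client(records):
    """Count ident replies per client IP; a single source (the firewall) explains uniform replies."""
    out = defaultdict(Counter)
    for r in records:
        out[r["client_ip"]][r["ident_reply"]] += 1
    return {ip: dict(c) for ip, c in out.items()}


if __name__ == "__main__":
    for r in correlate(SECURE_LOG, MAILLOG):
        print(f"pid={r['pid']} {r['service']:<4} from {r['client_ip']}: "
              f"ident said {r['ident_reply']!r}, authenticated user {r['authenticated_user']}")
    print(ident_replies_by_client(correlate(SECURE_LOG, MAILLOG)))
```

Run against real files, replace the two constructed lists with the lines of /var/log/secure and /var/log/maillog; the per-client summary then shows at a glance whether every "hidden-user" reply comes from a single gateway address, which is the expected picture when the LAN sits behind a firewall that answers ident on behalf of its clients. The ident value is untrusted metadata supplied by the remote side and should never be used as an authentication or authorization input; the ipop3d user= field is the authoritative one.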