"Dan Keller" <[EMAIL PROTECTED]> wrote:
> Attached below please see a message I received from
> the log monitoring program on my RaQ2. I use
> logcheck 1.1.1.
>
> I don't recall ever seeing a message with "ACTIVE
> SYSTEM ATTACK!" in the subject line and wonder
> if it might be bogus. What do you think?

LogSentry (logcheck's current name) messages with that subject are valid. That's just the subject LogSentry uses for matching records it considers the most severe. Of course, you can modify the 4 LogSentry files that control that behavior if you'd like.

> Also, the log entry about which logcheck complains
> looks harmless to me; is it? If I'm reading it right,
> I believe that what it's reporting is a refusal to relay
> Rumanian spam, not at all unusual; am I interpreting
> this correctly?
>
> Thanks muchly for sage advice!
>
> Dan Keller
> [EMAIL PROTECTED]
>
> >Date: Fri, 22 Nov 2002 04:01:18 -0800
> >From: Root <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: www.keller.com 11/22/02:04.01 ACTIVE SYSTEM ATTACK!
> >X-Status:
> >X-Keywords:
> >
> >Active System Attack Alerts
> >=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >Nov 22 03:25:54 www sendmail[2360]: DAA02360: from=<[EMAIL PROTECTED]>

That's because one of the LogSentry rules matches any log record containing the string "attack" and it appeared in an email address from someone who sent to a user on your server. So in this case the record can safely be ignored.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
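The false positive described in the reply above, as an added example that is not part of the original thread and not LogSentry's own code: a simplified model of keyword-file alerting, run over constructed log lines. The keyword list, the function names `sample_log`, `naive_scan` and `masked_scan`, and the use of case-insensitive `grep -i -f` matching are assumptions; the address-masking step is one possible refinement, not a LogSentry feature.

```shell
#!/bin/sh
# Added example: simplified model of keyword-file log alerting.
# Every log line, address and keyword below is constructed for illustration.

# Stand-in for the rule file behind the most severe alert class.
RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT
printf '%s\n' 'attack' 'VRFY root' > "$RULES"

# Constructed syslog records (reserved .example names, 192.0.2.0/24 addresses).
sample_log() {
  cat <<'EOF'
Nov 22 03:25:54 www sendmail[1001]: EAA01001: from=<attack-digest@mail.example>, size=2048, nrcpts=1, relay=mx.example [192.0.2.10]
Nov 22 03:26:10 www sendmail[1002]: EAA01002: from=<alice@mail.example>, size=1024, nrcpts=1, relay=mx.example [192.0.2.11]
Nov 22 03:27:02 www sendmail[1003]: NOQUEUE: mx.example [192.0.2.12]: VRFY root
Nov 22 03:28:44 www portsentry[411]: attackalert: Connect from host: 192.0.2.13 to TCP port: 111
EOF
}

# Naive rule: case-insensitive substring match anywhere in the record.
naive_scan() {
  sample_log | grep -i -F -f "$RULES"
}

# Refinement (an assumption, not a LogSentry feature): test the keywords
# against a copy of the record with the sender-controlled envelope
# addresses removed, but report the original record.
masked_scan() {
  sample_log | awk -v rules="$RULES" '
    BEGIN { while ((getline k < rules) > 0) kw[tolower(k)] = 1 }
    {
      probe = tolower($0)
      gsub(/(from|to)=<[^>]*>/, "", probe)
      for (k in kw) if (index(probe, k)) { print; next }
    }'
}

echo "naive scan flags:";  naive_scan
echo "masked scan flags:"; masked_scan
```

The first record is flagged by the naive scan only because the sender's address contains the keyword. That field is chosen by the remote sender, so whole-record substring rules on mail logs produce this kind of noise.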
