> I have been confused by an entry in my daily stats. Each and every day shows
> the same number of connections from one of MY boxes, 63.237.136.17. This box
> is used for my customers' personal websites. Yet every day for over a month
> the box makes exactly 287 connections to my Imgate box. Below is a snippet
> from my logs grepping for a smtpd process associated with that IP address.
> Any thoughts?

Len already mentioned a cracked machine.  That is one possibility.

Some form or application that is an open relay is another.

> Host/Domain Summary: SMTPD Connections (top 25)
>  connections  time conn.  avg./conn.  max. time  host/domain
>  -----------  ----------  ----------  ---------  -----------
>       287        0:00:22          0s         1s   63.237.136.17

Was the below the whole log snippet?

There is very little from 63.237.136.17 in this log fragment.  So little
that this looks like a probe.

A probe lends to sweeping software that looks for open ports.  That could be
some active defense program that is supposed to report open ports.  It can
also be a cracked machine looking for others to crack.

I would start here if it is a POSIX box:
http://www.chkrootkit.org/

> Jan 12 09:59:02 imgate1 postfix/smtpd[13987]: reject: RCPT from ool-18ba8004.dyn.optonline.net[24.186.128.4]: 554 <[EMAIL PROTECTED]>: Relay access denied; from=<[EMAIL PROTECTED]> to=<tmr2@frontiernet.net>
> Jan 12 09:59:07 imgate1 postfix/smtpd[13987]: disconnect from ool-18ba8004.dyn.optonline.net[24.186.128.4]
> Jan 12 09:59:16 imgate1 postfix/smtpd[13987]: connect from unknown[209.10.194.5]
> Jan 12 09:59:20 imgate1 postfix/smtpd[13987]: lost connection after CONNECT from unknown[209.10.194.5]
> Jan 12 09:59:20 imgate1 postfix/smtpd[13987]: disconnect from unknown[209.10.194.5]
> Jan 12 09:59:30 imgate1 postfix/smtpd[13987]: connect from unknown[63.237.136.17]
> Jan 12 09:59:30 imgate1 postfix/smtpd[13987]: disconnect from unknown[63.237.136.17]
> Jan 12 09:59:45 imgate1 postfix/smtpd[13987]: connect from unknown[66.230.213.120]
> Jan 12 09:59:45 imgate1 postfix/smtpd[13987]: 8FC0CAF07: client=unknown[66.230.213.120]
> Jan 12 09:59:45 imgate1 postfix/smtpd[13987]: reject: RCPT from unknown[66.230.213.120]: 554 <chi[EMAIL PROTECTED]>: Recipient address rejected: ACL to_recipients_bad; from=<1042355821-chipmunk=c[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
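The reasoning in the reply above is that a connection summary only counts connections, while the log shows what happened inside each one: the 63.237.136.17 session is a bare connect/disconnect in the same second with no MAIL or RCPT in between, which is what a port probe looks like, whereas 24.186.128.4 is a relay attempt and 209.10.194.5 dropped the connection. The script below is an added example (not code from the thread or from Postfix) that runs that classification over smtpd log lines and groups the result per client. The sample log is constructed: it is the quoted snippet with the wrapped lines rejoined, plus one extra, invented visit from 63.237.136.17 under a different smtpd pid so that repeat counting is visible. The label names and the `probe_suspects` threshold are my own choices.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the smtpd lines quoted in the thread, rejoined, plus one
# invented repeat visit from 63.237.136.17 (last two lines) to show counting.
SAMPLE_LOG = """\
Jan 12 09:59:02 imgate1 postfix/smtpd[13987]: reject: RCPT from ool-18ba8004.dyn.optonline.net[24.186.128.4]: 554 <[EMAIL PROTECTED]>: Relay access denied; from=<[EMAIL PROTECTED]> to=<tmr2@frontiernet.net>
Jan 12 09:59:07 imgate1 postfix/smtpd[13987]: disconnect from ool-18ba8004.dyn.optonline.net[24.186.128.4]
Jan 12 09:59:16 imgate1 postfix/smtpd[13987]: connect from unknown[209.10.194.5]
Jan 12 09:59:20 imgate1 postfix/smtpd[13987]: lost connection after CONNECT from unknown[209.10.194.5]
Jan 12 09:59:20 imgate1 postfix/smtpd[13987]: disconnect from unknown[209.10.194.5]
Jan 12 09:59:30 imgate1 postfix/smtpd[13987]: connect from unknown[63.237.136.17]
Jan 12 09:59:30 imgate1 postfix/smtpd[13987]: disconnect from unknown[63.237.136.17]
Jan 12 09:59:45 imgate1 postfix/smtpd[13987]: connect from unknown[66.230.213.120]
Jan 12 09:59:45 imgate1 postfix/smtpd[13987]: 8FC0CAF07: client=unknown[66.230.213.120]
Jan 12 09:59:45 imgate1 postfix/smtpd[13987]: reject: RCPT from unknown[66.230.213.120]: 554 <chi[EMAIL PROTECTED]>: Recipient address rejected: ACL to_recipients_bad; from=<1042355821-chipmunk=c[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>
Jan 12 10:04:30 imgate1 postfix/smtpd[13990]: connect from unknown[63.237.136.17]
Jan 12 10:04:30 imgate1 postfix/smtpd[13990]: disconnect from unknown[63.237.136.17]
"""

# syslog prefix + "postfix/smtpd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# first "name[a.b.c.d]" in the message is the client
CLIENT_RE = re.compile(r"(?P<name>[\w.\-]+)\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def classify(events):
    """Label one session from the smtpd messages logged between connect and disconnect."""
    if not events:
        return "empty"          # connect then disconnect, nothing in between: probe / port check
    if any("Relay access denied" in e for e in events):
        return "relay-attempt"
    if any(e.startswith(("lost connection", "timeout")) for e in events):
        return "dropped"        # client went away before finishing a transaction
    if any(e.startswith("reject:") for e in events):
        return "rejected"       # recipient/sender policy rejection
    if any(re.match(r"[0-9A-F]+: client=", e) for e in events):
        return "accepted"       # a queue ID was assigned and nothing was rejected
    return "other"


def sessions_from_log(text):
    """Yield (ip, label, truncated) per session; one open session per smtpd pid."""
    open_sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CLIENT_RE.search(msg)
        ip = c.group("ip") if c else None
        if msg.startswith("connect from"):
            open_sessions[pid] = {"ip": ip, "events": [], "truncated": False}
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            # fragment starts mid-session (as the quoted snippet does for 24.186.128.4)
            sess = open_sessions[pid] = {"ip": ip, "events": [], "truncated": True}
        if msg.startswith("disconnect from"):
            del open_sessions[pid]
            yield sess["ip"], classify(sess["events"]), sess["truncated"]
        else:
            sess["events"].append(msg)
    for sess in open_sessions.values():       # still open when the fragment ends
        yield sess["ip"], classify(sess["events"]), True


def summarize(text):
    """Per-client counts of session labels, e.g. {'63.237.136.17': {'empty': 2}}."""
    summary = defaultdict(Counter)
    for ip, label, _truncated in sessions_from_log(text):
        summary[ip][label] += 1
    return {ip: dict(c) for ip, c in summary.items()}


def probe_suspects(text, min_empty=2):
    """Clients that only ever open empty sessions, at least min_empty times."""
    return sorted(
        ip for ip, counts in summarize(text).items()
        if set(counts) == {"empty"} and counts["empty"] >= min_empty
    )


if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:16} {counts}")
    print("probe suspects:", probe_suspects(SAMPLE_LOG))
```

Run against a full day of mail.log this separates the 287 "connections" in the summary into what they actually were; a host whose sessions are all `empty` is talking to port 25 without speaking SMTP, which is the probe pattern the reply describes and a reason to inspect that box (chkrootkit, open listeners, cron jobs) rather than the mail gateway.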