On Wednesday 05 December 2001 10:25 am, Forrest wrote:
> This is not from tripwire. The original message had this
> line: X-Mailer: /usr/lib/mon/alert.d/mail.alert
> Try rpm -q --whatprovides /usr/lib/mon/alert.d/mail.alert
> to see if it is an rpm package. Otherwise, do you
> remember installing some program like this?
I don't recall...
> Your original post also had this:
> localhost: problem connecting to "localhost", port 23:
> Connection refused
> Which tells me that something was telnetting to localhost
> (i.e. not from the outside). If you or any other users
> of that system are not telnetting to localhost, I would
> say that it must be some program. Try looking in
> /usr/lib/mon/alert.d/ and see what you can find.
I looked: there are a handful of PERL files:
alert.template mail.alert qpage.alert snpp.alert trap.alert
file.alert netpage.alert remote.alert test.alert
I did the rpm --whatprovides, and found: mon-0.38.18-13.
"man mon" gives this:
=====
mon(1) Parallel Service Monitoring Daemon
NAME
mon - monitor services for availability, sending
alarms upon failures.
=====
Well now! This explains a lot! LOL!
<sigh!> I don't know how this got in there; perhaps it was
when I was installing games from the RH7.1 "PowerTools" CD!
(Funny thing, I never actually find time to PLAY the games;
I just wanted to see how good they were...I still haven't
even checked them out!)
I am not sure of the value of such a program as "mon"
anyhow; since, after all, I really DON'T want to have
telnet available! There's probably a way to tell it not to
check for the telnet port availability; however you should
see some of the OTHER weird notices I get! They are very
long; which is why I haven't posted them on the list.
Besides the headers in the mail, there are 68 lines of
either "Security Violations", or "Unusual System Events".
An example of the former is:
3 Dec 4 16:01:59 CX9465-a mon[1195]: failure for servers
http 1007510519 localhost
And the other type's example would be:
37 Dec 4 16:01:59 CX9465-a mon[1195]: failure for servers
http 1007510519 localhost
Not a lot of difference, huh? I don't get that part at
all...
And the thing is, I get dozens of mails for root, just like
this, every day! I just checked, and there are 42 listed
right now!
It seems to be monitoring for UNAVAILABLE services...is
there an easy way to make it do the inverse? And let me
know if, for instance, the telnet port suddenly opened up
for no reason? THAT might be useful! <g!>
Anyway, I want to turn it off, but in looking at the "man
mon" page I don't see a way to do that. It seems harder to
make things stop, than it does to make things go. Dang...
Any advice would be appreciated.
TIA,
--Mark VII
[EMAIL PROTECTED]
_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
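
The inverse check asked about in the message above (report when a port that should be closed, such as telnet on 23, starts accepting connections), as an added example that is not part of the original post and is not code from mon. The port list and function names are assumptions made for this sketch; the exit status is nonzero when a listener is found, so cron or a monitoring wrapper can act on it.

```python
#!/usr/bin/env python3
"""Alert when a port that should be closed starts accepting connections."""
import socket
import sys

# Assumed policy for this example: telnet (23) must never be listening.
FORBIDDEN_PORTS = [23]


def open_ports(host, ports, timeout=2.0):
    """Return the subset of `ports` on `host` that accept a TCP connection."""
    found = []
    for port in ports:
        try:
            # A completed handshake means something is listening.
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            # Refused, timed out or unreachable: treated as closed here.
            pass
    return found


def check(host, ports, timeout=2.0):
    """Return (exit_status, summary): 0 if all closed, 1 if any is open."""
    listening = open_ports(host, ports, timeout)
    if listening:
        names = ", ".join(str(p) for p in listening)
        return 1, f"{host}: unexpected listener on port(s) {names}"
    return 0, f"{host}: port(s) closed as expected"


if __name__ == "__main__":
    # Hosts come from the command line; default to localhost as in the thread.
    hosts = sys.argv[1:] or ["localhost"]
    worst = 0
    for h in hosts:
        status, summary = check(h, FORBIDDEN_PORTS)
        print(summary)
        worst = max(worst, status)
    sys.exit(worst)
```

A port that silently drops packets counts as closed in this sketch, so it reports only listeners that actually complete a connection.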