On Sun, 2003-02-23 at 19:39, Thomas E. Dukes wrote:
> On Sun, 2003-02-23 at 20:24, Michael Fratoni wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Sunday 23 February 2003 08:00 pm, Thomas E. Dukes wrote:
> > > I was looking at /var/log/messages and saw this. This is just a very
> > > short snippet of the log file. What the heck is this about?
> > >
> > > TIA
> > >
> > > Feb 23 16:39:07 localhost last message repeated 325960 times
> > > Feb 23 16:40:08 localhost last message repeated 319264 times
> >
> > Something stuck in a serious loop at about 5000 instances/second, I'd
> > guess. The important log entries would be from just before this appeared.
> > What's the output of
> > 'grep "Feb 23 16:3" /var/log/*' ?
>
> Feb 23 16:23:53 localhost last message repeated 326713 times
> Feb 23 16:24:07 localhost last message repeated 70915 times
> Feb 23 16:24:07 localhost samba(pam_unix)[1666]: session opened for user
> edukes by (uid=0)
> Feb 23 16:24:07 localhost portsentry[983]: attackalert: Possible stealth
> scan from unknown host to TCP port: 111 (accept failed)
> Feb 23 16:24:37 localhost last message repeated 160240 times
> Feb 23 16:25:38 localhost last message repeated 316834 times
> Feb 23 16:26:24 localhost last message repeated 236839 times

Did you stop portsentry? The executable looks to still be in memory if you uninstalled the package. Someone is hammering your portmapper port that is used for some things including nfs that are not normally considered secure enough to be run on an Internet connected computer. Chances are you are not using it or portsentry would not be listening on 111.

I don't know what a possible stealth scan means other than apparently an IP address cannot be identified or it would appear in the log entry as well. I suppose it could be a misconfigured service and you are doing it to yourself. Do you have an nfs mounted partition somewhere?

FWIW portsentry would not be seeing these packets if the firewall blocked them. What do your FW rules look like?

Bret
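
An added example, not part of the original thread: a Python script that charges each `last message repeated N times` line to the message logged just before it on the same host, then reports the event rate, run over the log lines quoted above (unwrapped and labelled as constructed). The function names and the `year` parameter are assumptions of this example; syslog timestamps carry no year.

```python
import re
from datetime import datetime
# Constructed sample: the syslog lines quoted in the thread, unwrapped to one entry per line.
SAMPLE = """\
Feb 23 16:23:53 localhost last message repeated 326713 times
Feb 23 16:24:07 localhost last message repeated 70915 times
Feb 23 16:24:07 localhost samba(pam_unix)[1666]: session opened for user edukes by (uid=0)
Feb 23 16:24:07 localhost portsentry[983]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
Feb 23 16:24:37 localhost last message repeated 160240 times
Feb 23 16:25:38 localhost last message repeated 316834 times
Feb 23 16:26:24 localhost last message repeated 236839 times
"""
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times$")

def attribute_repeats(text, year=2003):
    """Return (floods, orphans); `year` is assumed because syslog omits it."""
    floods, last_key, orphans = {}, {}, 0
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        host, msg = m.group(2), m.group(3)
        rep = REPEAT.match(msg)
        if rep is None:
            entry = floods.setdefault((host, msg), {"count": 0, "first": ts, "last": ts})
            entry["count"] += 1
            entry["last"] = ts
            last_key[host] = (host, msg)
        elif host in last_key:
            entry = floods[last_key[host]]
            entry["count"] += int(rep.group(1))
            entry["last"] = ts
        else:
            # The repeated message is outside the excerpt (rotated log, narrow grep).
            orphans += int(rep.group(1))
    return floods, orphans

def rate_per_second(entry):
    """Average events per second between first and last sighting of a message."""
    seconds = (entry["last"] - entry["first"]).total_seconds()
    return entry["count"] / seconds if seconds else float(entry["count"])

if __name__ == "__main__":
    floods, orphans = attribute_repeats(SAMPLE)
    for (host, msg), e in floods.items():
        print(f"{e['count']:>8} {rate_per_second(e):>7.0f}/s {host} {msg[:60]}")
    print(f"{orphans:>8} repeats whose original message is outside the excerpt")
```

On the sample, the portsentry entry accounts for 713914 events at roughly 5211 per second, in line with the "about 5000 instances/second" estimate in the quoted reply.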