
Attempt on smtpd / faking remote ip



Hi folks,

Today I got some strange messages in the log files. It's a quite usual woody box (apache, some (about 15) POP accounts, no smtp relaying, no ftp accounts, nothing exciting) with postfix installed from the .deb package.

###################### snip #####################
Apr 4 07:11:15 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:15 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:15 [myhostname] sshd[11733]: Did not receive identification string from 213.39.138.95
Apr 4 07:11:15 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:21 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
Apr 4 07:11:21 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
Apr 4 07:11:21 [myhostname] sshd[11735]: Did not receive identification string from 213.39.138.95
Apr 4 07:11:21 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
###################### snip #####################

(The "[myhostname]" entries are replacements made by me here for privacy reasons. There originally was the real hostname.)

Who the hell may connect from localhost and lose connection but a local user?
But there is no (shouldn't be any) local user.

Is it possible to fool smtpd about the client's IP? I think the guy from 213.39.138.95 is the same as the one in the first few lines, and he/she isn't really from localhost (I hope so), but fools smtpd into thinking so. Am I right?

Or do I have to worry about some rootkit or anything similar?

Thanks in advance!

Andreas
--
procommerz - Internet for businesses
http://www.procommerz.de | 033925-90710

Stop TCPA, Microsoft's censorship system! | http://www.againsttcpa.com
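
One way to check the hypothesis raised in the post, as an added example that is not part of the original message: the script groups the two probe-like messages by timestamp and reports the seconds in which smtpd logged 127.0.0.1 while sshd logged a remote peer. The function names are hypothetical and the sample lines are copied from the log excerpt above; a match shows that the events coincide in time, not why smtpd recorded localhost.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (hostname already redacted by the poster).
SAMPLE_LOG = """\
Apr 4 07:11:15 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from localhost[127.0.0.1]
Apr 4 07:11:15 [myhostname] sshd[11733]: Did not receive identification string from 213.39.138.95
Apr 4 07:11:21 [myhostname] postfix/smtpd[11734]: lost connection after CONNECT from c138095.adsl.hansenet.de[213.39.138.95]
Apr 4 07:11:21 [myhostname] sshd[11735]: Did not receive identification string from 213.39.138.95
"""

# timestamp, host (skipped), program[pid], message
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+([\w/]+)\[\d+\]:\s+(.*)$")
SMTPD = re.compile(r"lost connection after CONNECT from \S*\[([\d.]+)\]")
SSHD = re.compile(r"Did not receive identification string from ([\d.]+)")

def parse(log):
    """Yield (timestamp, program, peer_ip) for the two probe-like messages."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, prog, msg = m.groups()
        pattern = SMTPD if prog == "postfix/smtpd" else SSHD if prog == "sshd" else None
        hit = pattern.search(msg) if pattern else None
        if hit:
            yield ts, prog, hit.group(1)

def correlate(log):
    """Per timestamp, map each program to the set of peer addresses it logged."""
    by_ts = defaultdict(lambda: defaultdict(set))
    for ts, prog, ip in parse(log):
        by_ts[ts][prog].add(ip)
    return by_ts

def loopback_mismatches(log):
    """Seconds where smtpd logged 127.0.0.1 while sshd logged a remote peer."""
    out = []
    for ts, svc in sorted(correlate(log).items()):
        remote = svc.get("sshd", set()) - {"127.0.0.1"}
        if "127.0.0.1" in svc.get("postfix/smtpd", set()) and remote:
            out.append((ts, sorted(remote)))
    return out

if __name__ == "__main__":
    for ts, peers in loopback_mismatches(SAMPLE_LOG):
        print(f"{ts}: smtpd logged 127.0.0.1, sshd logged {peers} in the same second")
```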


