Mysterious entries in daemon log, mail.log; should I worry?
While looking for something else, I stumbled over these log entries that
I don't understand. No other users were connected at the time, and no
user has ever used these services. This box should not run the identd,
imapd, or in.qpopper services! I've removed them now just to be sure.
How could these entries have been created? I have never seen entries
for these services in any log in /var/log.
zgrepping /var/log/* for these services found no other instances.
Could this have been a rogue web page JavaScript attack? Can someone
help me understand what may have happened? Should I be concerned? It
does look like nothing actually completed successfully.
Linux spike 2.4.25-1-686 #3 Wed Apr 14 21:56:44 EST 2004 i686 GNU/Linux
~$ cat /etc/debian_version
testing/unstable
Thanks!
Ralph
/var/log/daemon.log
Jun 25 14:47:35 spike in.qpopper[3690]: warning: can't get client address: Connection reset by peer
Jun 25 14:47:35 spike imapd[3692]: warning: can't get client address: Connection reset by peer
Jun 25 14:47:35 spike imapd[3694]: warning: can't get client address: Connection reset by peer
Jun 25 14:47:35 spike identd[3693]: started
Jun 25 14:47:35 spike identd[3693]: s_getpeername(10): Transport endpoint is not connected
Jun 25 14:47:35 spike imapd[3692]: connect from unknown
Jun 25 14:47:35 spike in.qpopper[3690]: connect from unknown
Jun 25 14:47:35 spike imapd[3694]: connect from unknown
Jun 25 15:24:11 spike imapd[3738]: warning: can't get client address: Connection reset by peer
Jun 25 15:24:11 spike imapd[3738]: connect from unknown
Jun 25 15:24:11 spike in.qpopper[3741]: warning: can't get client address: Connection reset by peer
Jun 25 15:24:11 spike in.qpopper[3741]: connect from unknown
Jun 25 15:24:11 spike imapd[3743]: warning: can't get client address: Connection reset by peer
Jun 25 15:24:11 spike imapd[3743]: connect from unknown
Jun 25 15:24:11 spike identd[3742]: started
Jun 25 15:24:11 spike identd[3742]: s_getpeername(10): Transport endpoint is not connected
Jun 25 15:24:13 spike imapd[3754]: connect from 127.0.0.1
Jun 25 15:24:13 spike imapd[3755]: connect from 127.0.0.1
Jun 25 15:24:13 spike in.qpopper[3756]: connect from 127.0.0.1
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 218762506 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 1195725856 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 1330664521 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 1330664521 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length -2147483608 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 1966086 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 786432 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 1212501072 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 369295360 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: bad message (no request id)
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 1811942144 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 23356774 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 806093313 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 1414417744 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 50331659 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 1148019796 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 973078528 bytes exceeds max of 4136.
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 16777469 bytes exceeds max of 4136.
Jun 25 15:24:18 spike imapd[3760]: connect from 127.0.0.1
Jun 25 15:24:23 spike imapd[3762]: connect from 127.0.0.1
Jun 25 15:24:23 spike imapd[3763]: connect from 127.0.0.1
Jun 25 15:24:23 spike imapd[3764]: connect from 127.0.0.1
Jun 25 15:24:23 spike imapd[3765]: connect from 127.0.0.1
Jun 25 15:24:23 spike imapd[3766]: connect from 127.0.0.1
Jun 25 15:24:23 spike imapd[3767]: connect from 127.0.0.1
Jun 25 15:24:28 spike imapd[3769]: connect from 127.0.0.1
Jun 25 15:24:28 spike imapd[3770]: connect from 127.0.0.1
/var/log/mail.log
Jun 25 14:47:36 spike in.qpopper[3690]: Unable to obtain socket and address of client: Transport endpoint is not connected (107) [pop_init.c:1062]
Jun 25 14:47:36 spike imapd[3692]: imaps SSL service init from UNKNOWN
Jun 25 14:47:36 spike imapd[3694]: imap service init from UNKNOWN
Jun 25 14:47:36 spike imapd[3692]: Command stream end of file, while reading line user=??? host=UNKNOWN
Jun 25 15:24:11 spike imapd[3738]: imaps SSL service init from UNKNOWN
Jun 25 15:24:11 spike imapd[3743]: imap service init from UNKNOWN
Jun 25 15:24:11 spike in.qpopper[3741]: Unable to obtain socket and address of client: Transport endpoint is not connected (107) [pop_init.c:1062]
Jun 25 15:24:12 spike imapd[3738]: Command stream end of file, while reading line user=??? host=UNKNOWN
Jun 25 15:24:13 spike imapd[3754]: imaps SSL service init from 127.0.0.1
Jun 25 15:24:13 spike imapd[3755]: imap service init from 127.0.0.1
Jun 25 15:24:13 spike in.qpopper[3756]: (null) at spike (127.0.0.1): -ERR POP EOF or I/O Error [popper.c:820]
Jun 25 15:24:13 spike in.qpopper[3756]: I/O error flushing output to client at spike [127.0.0.1]: Broken pipe (32) [pop_send.c:689]
Jun 25 15:24:13 spike imapd[3755]: Command stream end of file, while reading line user=??? host=spike [127.0.0.1]
Jun 25 15:24:18 spike imapd[3754]: Unable to accept SSL connection, host=spike [127.0.0.1]
Jun 25 15:24:18 spike imapd[3754]: SSL error status: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
Jun 25 15:24:18 spike imapd[3760]: imaps SSL service init from 127.0.0.1
Jun 25 15:24:23 spike imapd[3762]: imaps SSL service init from 127.0.0.1
Jun 25 15:24:23 spike imapd[3762]: Unable to accept SSL connection, host=spike [127.0.0.1]
Jun 25 15:24:23 spike imapd[3760]: Command stream end of file, while reading line user=??? host=spike [127.0.0.1]
Jun 25 15:24:23 spike imapd[3762]: SSL error status: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Jun 25 15:24:23 spike imapd[3763]: imaps SSL service init from 127.0.0.1
Jun 25 15:24:23 spike imapd[3763]: Unable to accept SSL connection, host=spike [127.0.0.1]
Jun 25 15:24:23 spike imapd[3763]: SSL error status: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Jun 25 15:24:23 spike imapd[3764]: imaps SSL service init from 127.0.0.1
Jun 25 15:24:23 spike imapd[3764]: Unable to accept SSL connection, host=spike [127.0.0.1]
Jun 25 15:24:23 spike imapd[3764]: SSL error status: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Jun 25 15:24:23 spike imapd[3765]: imaps SSL service init from 127.0.0.1
Jun 25 15:24:23 spike imapd[3765]: Unable to accept SSL connection, host=spike [127.0.0.1]
Jun 25 15:24:23 spike imapd[3765]: SSL error status: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Jun 25 15:24:23 spike imapd[3766]: imaps SSL service init from 127.0.0.1
Jun 25 15:24:23 spike imapd[3766]: Unable to accept SSL connection, host=spike [127.0.0.1]
Jun 25 15:24:23 spike imapd[3766]: SSL error status: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Jun 25 15:24:23 spike imapd[3767]: imaps SSL service init from 127.0.0.1
Jun 25 15:24:28 spike imapd[3769]: imaps SSL service init from 127.0.0.1
Jun 25 15:24:28 spike imapd[3767]: Command stream end of file, while reading line user=??? host=spike [127.0.0.1]
Jun 25 15:24:28 spike imapd[3769]: Command stream end of file, while reading line user=??? host=spike [127.0.0.1]
Jun 25 15:24:28 spike imapd[3770]: imaps SSL service init from 127.0.0.1
Jun 25 15:24:28 spike imapd[3770]: Command stream end of file, while reading line user=??? host=UNKNOWN
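As an added example (not part of Ralph's post or of any reply to it), the script below parses syslog lines of the shape shown above, classifies the kinds of message the post is asking about (a peer that connected, a peer that disappeared before its address could be read, non-protocol data arriving at fam, non-TLS data arriving on the imaps port, a session that ended without a single command), and reports one-second windows in which several unrelated services logged such events at once. That is the shape of the logs above: identd, imapd and in.qpopper all touched in the same second, first from "unknown" and later from 127.0.0.1. The sample log inside the script is constructed for this example, modelled on the posted lines with made-up PIDs plus one ordinary cron line; the message patterns are a reading of this post's logs, not an exhaustive signature set.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the daemon.log / mail.log lines in the post
# (timestamps, PIDs and the final cron line are made up for this example).
SAMPLE_LOG = """\
Jun 25 14:47:35 spike in.qpopper[3690]: warning: can't get client address: Connection reset by peer
Jun 25 14:47:35 spike imapd[3692]: warning: can't get client address: Connection reset by peer
Jun 25 14:47:35 spike identd[3693]: s_getpeername(10): Transport endpoint is not connected
Jun 25 14:47:35 spike imapd[3692]: connect from unknown
Jun 25 14:47:35 spike in.qpopper[3690]: connect from unknown
Jun 25 15:24:13 spike imapd[3754]: connect from 127.0.0.1
Jun 25 15:24:13 spike imapd[3755]: connect from 127.0.0.1
Jun 25 15:24:13 spike in.qpopper[3756]: connect from 127.0.0.1
Jun 25 15:24:13 spike imapd[3755]: Command stream end of file, while reading line user=??? host=spike [127.0.0.1]
Jun 25 15:24:18 spike fam[3740]: fd 4 message length 218762506 bytes exceeds max of 4136.
Jun 25 15:24:18 spike imapd[3754]: SSL error status: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
Jun 25 15:24:23 spike imapd[3762]: connect from 127.0.0.1
Jun 25 16:00:00 spike cron[4001]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Message patterns taken from the posted logs. Each maps to a short event kind:
# the service saw a connection but the peer vanished, sent garbage, spoke the
# wrong protocol, or hung up without issuing a command.
PATTERNS = [
    ("connect", re.compile(r"^connect from (?P<src>\S+)")),
    ("half-open", re.compile(r"can't get client address|Transport endpoint is not connected")),
    ("garbage", re.compile(r"message length -?\d+ bytes exceeds max|bad message \(no request id\)")),
    ("wrong-protocol", re.compile(r"SSL23_GET_CLIENT_HELLO")),
    ("empty-session", re.compile(r"Command stream end of file|POP EOF or I/O Error")),
]


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def classify(msg):
    """Map a daemon message to (kind, source); the source is only known for 'connect'."""
    for kind, rx in PATTERNS:
        m = rx.search(msg)
        if m:
            return kind, m.groupdict().get("src")
    return None, None


def find_bursts(lines, min_services=2):
    """Group suspicious events by one-second window and return the windows in
    which at least `min_services` distinct services were touched at once.

    A real client talks to one service; several unrelated services logging
    connect / half-open / garbage events in the same second is the shape of a
    sweep across ports, which is what the posted logs show.
    """
    windows = defaultdict(lambda: {"services": set(), "sources": set(), "kinds": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind, src = classify(rec["msg"])
        if kind is None:
            continue  # ordinary operational message, e.g. the cron line
        w = windows[rec["ts"]]
        w["services"].add(rec["prog"])
        w["kinds"].add(kind)
        if src:
            w["sources"].add(src)
    findings = []
    for ts, w in windows.items():  # dict keeps log order
        if len(w["services"]) >= min_services:
            findings.append({
                "ts": ts,
                "services": sorted(w["services"]),
                "sources": sorted(w["sources"]) or ["(not reported)"],
                "kinds": sorted(w["kinds"]),
            })
    return findings


def summarize(log_text, min_services=2):
    """One human-readable line per burst window, for a quick daily review."""
    return [
        "%s  services=%s  sources=%s  kinds=%s" % (
            f["ts"], ",".join(f["services"]), ",".join(f["sources"]), ",".join(f["kinds"]))
        for f in find_bursts(log_text.splitlines(), min_services)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run against a real daemon.log and mail.log concatenated (`cat /var/log/daemon.log /var/log/mail.log | python3 script.py` after swapping the sample for `sys.stdin.read()`), the output points at the seconds worth examining; the "sources" column then tells you whether the probes came from outside, from an address the service could not resolve ("unknown"), or from the box itself, which is the first question to settle before deciding whether to worry.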