-------- Tigerrc exhibit ------------- # # 'rc' file for tiger. This file is preprocessed, and thus # can *only* contain variable assignments. # # # TAMU version # # Note: This disables many of the checks. You should not use this. # The checks enabled here are the ones we definitely want done # but all of them should be done. # #------------------------------------------------------------------------ # # Select checks to perform. Specify 'N' (uppercase) for checks # you don't want performed. # Tiger_Check_PASSWD=Y # Fast Tiger_Check_GROUP=Y # Fast Tiger_Check_ACCOUNTS=Y # Time varies on # of users Tiger_Check_RHOSTS=Y # Time varies on # of users Tiger_Check_NETRC=Y # Time varies on # of users Tiger_Check_ALIASES=Y # Fast Tiger_Check_CRON=Y # Fast Tiger_Check_ANONFTP=Y # Fast Tiger_Check_EXPORTS=Y # Fast Tiger_Check_INETD=Y # Could be faster, not bad though Tiger_Check_KNOWN=Y # Fast Tiger_Check_PERMS=Y # Could be faster, not bad though Tiger_Check_SIGNATURES=Y # Several minutes Tiger_Check_FILESYSTEM=Y # Time varies on disk space... can be hours Tiger_Check_PATH=Y # Fast for just root... varies for all Tiger_Check_EMBEDDED=Y # Several minutes # # Should messages tagged with INFO be shown? # Tiger_Show_INFO_Msgs=Y # # In order for this to be effective, you must set 'CRACK' in a # 'site' config file. # Tiger_Run_CRACK=Y # First time, ages; subsequent fairly quick # # Line size (for formatting of output)... default is 79... # Specifying '0' means unlimited # Tiger_Output_Width=79 # # Same as above, except used when run via 'tigercron'... # You should set this once and never change it, 'cause if you # change it, you'll get lots and lots of new stuff according # to the scripts (the diff's against previous reports will find # lots of changes due to the formatting changes). # Tiger_CRON_Output_Width=0 # # If an embedded pathname refers to an executable file, this executable # will in turn be checked. This will continue "recursively" until # either no new executables are found, or a maximum reference depth # is reached. Setting this variable to 0 is equivalent to infinity. # On a Sun 4/490, SunOS 4.1.2, 6GB disk, an infinite depth check # took about 30 minutes. Your milage will vary. # # On small memory systems, a large search depth can result in out # of memory situations for 'sort'... :-(... # Tiger_Embed_Max_Depth=3 # # Only search executables for embedded pathnames. If this is # set to 'N', then all regular files will be searched. Otherwise # only executable files will be searched. # Tiger_Embed_Check_Exec_Only=Y # # Check all setuid executables found. This will cause 'tiger' # to run longer on many systems, as it will have to wait for the # file system scans to complete before it can begin checking the # embedded pathnames. # Tiger_Embed_Check_SUID=Y # # Only report executables which are writable or not owned by root. If set # to 'Y' only the executables will be reported. Any other value will result # in regular files and directories being reported as well. # # Note that currently, device files are never reported. # Tiger_Embed_Report_Exec_Only=Y # # Who do you allow to own system files. # List of usernames separated by '|'... no whitespace # Tiger_Embedded_OK_Owners='root|bin|uucp|sys|daemon' #Tiger_Embedded_OK_Owners=root # # What groups can have write access to system files? # List of group names separated by '|'... no whitespace. # No value means no groups should have write access. # Tiger_Embedded_OK_Group_Write='root|bin|uucp|sys|daemon' # # Should all users' PATH variables be checked. This has the potential # of being dangerous because of the way it is done. You might want to # take a look at check_path and decide for yourself whether the precautions # are sufficient before enabling this. # Tiger_Check_PATHALL=Y # Check all user PATHs in startup files. # # Who can own executables in 'root's PATH? # List of usernames separated by '|'... no whitespace # Tiger_ROOT_PATH_OK_Owners='root|uucp|bin|sys|daemon' #Tiger_ROOT_PATH_OK_Owners='root' # # What groups can have write access to executables in 'root's PATH? # List of group names separated by '|'... no whitespace. # No value means no groups should have write access. # Tiger_ROOT_PATH_OK_Group_Write='root|uucp|bin|sys|daemon' # # Who can own things in other users PATH? # List of usernames separated by '|'... no whitespace # Tiger_PATH_OK_Owners='root|bin|uucp|sys|daemon' # # What groups can have write access to executables in non-root user PATH? # List of group names separated by '|'... no whitespace. # No value means no groups should have write access. # Tiger_PATH_OK_Group_Write= # # Should 'tiger' wait for Crack to finish? If set to 'Y' it will wait # until it finishes. If set to 'N', it will collect the output if # Crack finishes before the rest of the checks. If it isn't finished # 'tiger' will simply report where the output will be stored. # Tiger_Collect_CRACK=Y # # Run Crack on local password sources only? If set to Y, no network # sources will be used. If set to 'N', NIS, NIS+, NetInfo, etc # sources will also be used. # Tiger_Crack_Local=Y # # Who gets output from 'tigercron'? # Tiger_Mail_RCPT=root # # List of '/' separated filename globs (NOT pathnames) to look for # on the filesystems. # Tiger_Files_of_Note="..[!.]*/.* */.* */.[!.]/.log/.FSP*" # # File system scan - things to look for # Tiger_FSScan_Setuid=Y # Setuid executables Tiger_FSScan_Devs=Y # device files Tiger_FSScan_SymLinks=Y # strange symbolic links Tiger_FSScan_ofNote=Y # wierd filenames Tiger_FSScan_WDIR=Y # world writable directories Tiger_FSScan_Unowned=Y # files with undefined owners/group # # Should we scan read-only filesystems # Tiger_FSScan_ReadOnly=N # # List of dot files commonly found in user home directories. These # will be checked by check_accounts for proper access permissions. # # Note that .rhosts and .netrc need not appear here, as they will # be checked by scan_rhosts or scan_netrc. # USERDOTFILES=".cshrc .profile .login .mailrc .exrc .emacs .forward .tcshrc .zshenv .zshrc .zlogin .zprofile .rcrc .bashrc .bash_profile .inputrc .xinitrc" # # Rhost sites which are expected to be in the .rhosts files. # Anything that doesn't match will be reported. The patterns # are simple patterns as used in Bourne Shell 'case' statement. # #RHOST_SITES='*.tamu.edu|jupiter' -------- end exhibit ---------- -------- Tiger Output exhibit --------- Security scripts *** 2.2.3, 1994.0309.2038 *** Wed Mar 1 11:13:10 PHT 2000 11:13> Beginning security report for wen (i686 Linux 2.2.13). # Performing check of passwd files... # Performing check of group files... # Performing check of user accounts... # Checking accounts from /etc/passwd. --WARN-- [acc001w] Login ID at is disabled, but still has a valid shell (/bin/bash). --WARN-- [acc001w] Login ID bin is disabled, but still has a valid shell (/bin/bash). --WARN-- [acc001w] Login ID daemon is disabled, but still has a valid shell (/bin/bash). --WARN-- [acc001w] Login ID ftp is disabled, but still has a valid shell (/bin/bash). --WARN-- [acc001w] Login ID games is disabled, but still has a valid shell (/bin/bash). --WARN-- [acc001w] Login ID nobody is disabled, but still has a valid shell (/bin/bash). --WARN-- [acc001w] Login ID uucp is disabled, but still has a valid shell (/bin/bash). --WARN-- [acc006w] Login ID games's home directory (/tmp) has group `root' and world write access. --WARN-- [acc006w] Login ID nobody's home directory (/tmp) has group `root' and world write access. # Performing check of /etc/hosts.equiv and .rhosts files... --WARN-- [rcmd013w] /etc/hosts.equiv contains an attempted comment line --WARN-- [rcmd013w] /etc/hosts.equiv contains an attempted comment line --WARN-- [rcmd013w] /etc/hosts.equiv contains an attempted comment line --WARN-- [rcmd013w] /etc/hosts.equiv contains an attempted comment line --WARN-- [rcmd013w] /etc/hosts.equiv contains an attempted comment line --WARN-- [rcmd013w] /etc/hosts.equiv contains an attempted comment line # # hosts.equiv This file describes the names of the hosts which are # to be considered "equivalent", i.e. which are to be # trusted enought for allowing rsh(1) commands. # # hostname 203.167.5.30 # Checking accounts from /etc/passwd... # Performing check of .netrc files... # Checking accounts from /etc/passwd... # Performing check of PATH components... # Only checking user 'root' # Performing check of anonymous FTP... --ERROR-- [init004e] `0' is not executable (command GROUPS). root:x:0:0:Super User:/root:/bin/bash --WARN-- [ftp003w] ~ftp/etc/passwd contains accounts with passwords. # Performing checks of mail aliases... # Checking aliases from /etc/aliases. # Performing check of `cron' entries... # Performing check of 'services' and 'inetd'... # Checking services from /etc/services. --FAIL-- [inet003f] The port for service auth is assigned to service ident. --FAIL-- [inet003f] The port for service iso-tsap is assigned to service tsap. # Checking inetd entries from /etc/inetd.conf # Performing NFS exports check... # Performing check of system file permissions... --FAIL-- [perm007f] /etc/aliases should not have group read. --FAIL-- [perm007f] /etc/aliases should not have world read. --FAIL-- [perm007f] /etc/aliases.db should not have group read. --FAIL-- [perm007f] /etc/aliases.db should not have world read. --WARN-- [perm011w] /etc/hosts.lpd should not have group read. --WARN-- [perm011w] /etc/hosts.lpd should not have world read. --WARN-- [perm017w] /var/run/utmp should not have group write. --WARN-- [perm021w] Disk device /dev/hda5 has read/write access for group disk. --WARN-- [perm021w] Disk device /dev/hda7 has read/write access for group disk. --WARN-- [perm021w] Disk device /dev/hda6 has read/write access for group disk. --WARN-- [perm021w] Disk device /dev/hda9 has read/write access for group disk. # Performing signature check of system binaries... # Checking for known intrusion signs... # Performing check of files in system mail spool... # Performing system specific checks... # Performing checks for Linux/2... # Running './scripts/check_sendmail'... # Checking sendmail... # Checking setuid executables... ../include/libc-symbols.h ../include/libintl.h ---------strippeddown to just show example warning messages --WARN-- [fsys002w] setuid program /bin/su has relative pathnames. --WARN-- [fsys002w] setuid program /opt/kde/bin/kvt has relative pathnames. --WARN-- [fsys002w] setuid program /sbin/cardctl has relative pathnames. --WARN-- [fsys002w] setuid program /usr/X11R6/bin/Xwrapper has relative pathnames. --WARN-- [fsys002w] setuid program /usr/X11R6/bin/dotlock has relative pathnames. --WARN-- [fsys002w] setuid program /usr/bin/disable-paste has relative pathnames. --WARN-- [fsys002w] setuid program /usr/bin/ncpmount has relative pathnames. --WARN-- [fsys002w] setuid program /usr/bin/ncpumount has relative pathnames. --WARN-- [fsys002w] setuid program /usr/bin/nwsfind has relative pathnames. --WARN-- [fsys002w] setuid program /usr/bin/screen-3.9.5 has relative pathnames. ../iconv/loop.c ../iconv/skeleton.c ../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../.. ../sysdeps/i386/dl-machine.h --WARN-- [fsys002w] setuid program /usr/bin/seejpeg has relative pathnames. /../ --WARN-- [fsys002w] setuid program /usr/bin/uucp has relative pathnames. /../ --WARN-- [fsys002w] setuid program /usr/bin/uustat has relative pathnames. /../ --WARN-- [fsys002w] setuid program /usr/bin/uux has relative pathnames. --WARN-- [fsys002w] setuid program /usr/lib/fax/hfaxd has relative pathnames. /../ --WARN-- [fsys002w] setuid program /usr/lib/uucp/uucico has relative pathnames. /../ /../ --WARN-- [fsys002w] setuid program /usr/lib/uucp/uuxqt has relative pathnames. --WARN-- [fsys002w] setuid program /usr/local/bin/ssh-signer2 has relative pathnames. --WARN-- [fsys002w] setuid program /usr/sbin/ntop has relative pathnames. -r-s--x--x root root /usr/bin/su1 -r-sr-s--- root root /usr/sbin/ntop -r-sr-sr-x root lp /usr/sbin/lpc -r-sr-sr-x uucp uucp /usr/lib/uucp/uucico -r-sr-sr-x uucp uucp /usr/lib/uucp/uuxqt -r-sr-xr-- news uucp /usr/lib/news/bin/rnews -r-sr-xr-- root news /usr/lib/news/bin/inndstart -rws--x--x root bin /usr/bin/seejpeg -rws--x--x root root /usr/local/bin/ssh-signer2 -rwsr-sr-- root dialout /usr/sbin/pppd -rwsr-sr-x root mail /usr/X11R6/bin/dotlock -rwsr-sr-x root root /usr/bin/fix132x43 -rwsr-sr-x root root /usr/bin/xaos -rwsr-xr-- root dialout /usr/sbin/dip -rwsr-xr-x man root /usr/bin/man -rwsr-xr-x man root /usr/bin/mandb -rwsr-xr-x root root /opt/kde/bin/kcheckpass -rwsr-xr-x root root /opt/kde/bin/konsole_grantpty -rwsr-xr-x root root /usr/X11R6/bin/dga -rwsr-xr-x root root /usr/bin/disable-paste -rwsr-xr-x root root /usr/bin/lpstat -rwsr-xr-x root root /usr/bin/ncpmount -rwsr-xr-x root root /usr/bin/ncpumount -rwsr-xr-x root root /usr/bin/screen-3.9.5 -rwsr-xr-x root root /usr/bin/sudo -rwsr-xr-x root root /usr/bin/vboxbeep -rwsr-xr-x root root /usr/bin/ziptool -rwsr-xr-x root root /usr/lib/fax/hfaxd -rwsr-xr-x root root /usr/lib/pt_chown -rwsr-xr-x root root /usr/lib/vga/demos/accel -rwsr-xr-x root root /usr/lib/vga/demos/addmodetest -rwsr-xr-x root root /usr/lib/vga/demos/bankspeed -rwsr-xr-x root root /usr/lib/vga/demos/bg_test -rwsr-xr-x root root /usr/lib/vga/demos/eventtest -rwsr-xr-x root root /usr/lib/vga/demos/forktest -rwsr-xr-x root root /usr/lib/vga/demos/fun -rwsr-xr-x root root /usr/lib/vga/demos/joytest -rwsr-xr-x root root /usr/lib/vga/demos/keytest -rwsr-xr-x root root /usr/lib/vga/demos/linearfork -rwsr-xr-x root root /usr/lib/vga/demos/linearspeed -rwsr-xr-x root root /usr/lib/vga/demos/lineart -rwsr-xr-x root root /usr/lib/vga/demos/mjoytest -rwsr-xr-x root root /usr/lib/vga/demos/mousetest -rwsr-xr-x root root /usr/lib/vga/demos/plane -rwsr-xr-x root root /usr/lib/vga/demos/printftest -rwsr-xr-x root root /usr/lib/vga/demos/scrolltest -rwsr-xr-x root root /usr/lib/vga/demos/speedtest -rwsr-xr-x root root /usr/lib/vga/demos/spin -rwsr-xr-x root root /usr/lib/vga/demos/svidtune -rwsr-xr-x root root /usr/lib/vga/demos/testaccel -rwsr-xr-x root root /usr/lib/vga/demos/testgl -rwsr-xr-x root root /usr/lib/vga/demos/testlinear -rwsr-xr-x root root /usr/lib/vga/demos/vgatest -rwsr-xr-x root root /usr/lib/vga/demos/wrapdemo -rwsr-xr-x root tty /opt/kde/bin/kvt # Checking setgid executables... --CONFIG-- [fsys003c] No setgid list... listing all setgid files # Checking unusual file names... # Looking for unusual device files... --WARN-- [fsys006a] Unexpected device files found: lrwxrwxrwx 1 root root 10 Feb 23 14:02 /tmp/.XF86Setup281/499388-2abe83ba/mouse -> /dev/psaux crw-rw-rw- 1 root root 1, 3 Dec 7 17:08 /usr/local/ftp/dev/null # Checking symbolic links... # Checking for writable directories... --INFO-- [fsys008i] The following directories are world writable: /opt/kde/share/apps/kscd/cddb/blues/ /opt/kde/share/apps/kscd/cddb/classical/ /opt/kde/share/apps/kscd/cddb/country/ /opt/kde/share/apps/kscd/cddb/data/ /opt/kde/share/apps/kscd/cddb/folk/ /opt/kde/share/apps/kscd/cddb/jazz/ /opt/kde/share/apps/kscd/cddb/misc/ /opt/kde/share/apps/kscd/cddb/newage/ /opt/kde/share/apps/kscd/cddb/reggae/ /opt/kde/share/apps/kscd/cddb/rock/ /opt/kde/share/apps/kscd/cddb/soundtrack/ /usr/src/packages/BUILD/ /usr/src/packages/RPMS/ /usr/src/packages/RPMS/alpha/ /usr/src/packages/RPMS/i386/ /usr/src/packages/RPMS/noarch/ /usr/src/packages/RPMS/ppc/ /usr/src/packages/SOURCES/ /usr/src/packages/SPECS/ /usr/src/packages/SRPMS/ /var/X11R6/scores/ /var/cache/fonts/ /var/cache/fonts/pk/ /var/cache/fonts/source/ /var/cache/fonts/tfm/ /var/state/xemacs/lock/ --WARN-- [xxxxx] The following files are unowned: /home/wen/themes/Backgrounds/matrix-bg.jpg /home/wen/themes/Pixmaps # Performing check of embedded pathnames... --WARN-- [embed001w] Path `/proc/self/exe' contains `/var/src/tiger-2.2.4p1' which is not owned by root (owned by 2566). Embedded references in: /bin/ash.static->/default(PATH) /bin/rpm->/default(PATH) /bin/sash->/default(PATH) /usr/bin/gperf->/default(PATH) /usr/bin/mad->/default(PATH) /usr/bin/mcp->/default(PATH) /usr/bin/mln->/default(PATH) /usr/bin/mmv->/default(PATH) /usr/bin/rpm2cpio->/default(PATH) /usr/bin/seejpeg->/default(PATH) /usr/bin/statserial->/default(PATH) /usr/bin/targ->/default(PATH) /usr/bin/tarl->/default(PATH) /usr/bin/wdiff->/default(PATH) --WARN-- [embed001w] Path `/usr/lib/news/inews' contains `/usr/lib/news' which is not owned by root (owned by news). Embedded references in: /usr/bin/emacs->/default(PATH) --WARN-- [embed003w] Path `/usr/lib/news/inews' contains `/usr/lib/news' which is group `news' writable. Embedded references in: /usr/bin/emacs->/default(PATH) # Running Crack on password files... Crack 5.0a: The Password Cracker. (c) Alec Muffett, 1991, 1992, 1993, 1994, 1995, 1996 System: Linux wen 2.2.13 #1 Mon Nov 8 15:08:22 CET 1999 i686 unknown Home: /usr/local/src/c50a Invoked: /usr/local/src/c50a/Crack /usr/local/src/c50a/run/tmppass Stamp: linux-2-unknown Crack: making utilities in run/bin/linux-2-unknown find . -name "*~" -print | xargs -n50 rm -f ( cd src; for dir in * ; do ( cd $dir ; make clean ) ; done ) make[1]: Entering directory `/var/src/c50a/src/lib' rm -f dawglib.o debug.o rules.o stringlib.o *~ make[1]: Leaving directory `/var/src/c50a/src/lib' make[1]: Entering directory `/var/src/c50a/src/libdes' /bin/rm -f *.o tags core rpw destest des speed libdes.a .nfs* *.old \ *.bak destest rpw des speed make[1]: Leaving directory `/var/src/c50a/src/libdes' make[1]: Entering directory `/var/src/c50a/src/util' rm -f *.o *~ make[1]: Leaving directory `/var/src/c50a/src/util' make[1]: Entering directory `/var/src/c50a/src/lib' make[1]: `../../run/bin/linux-2-unknown/libc5.a' is up to date. make[1]: Leaving directory `/var/src/c50a/src/lib' make[1]: Entering directory `/var/src/c50a/src/util' all made in util make[1]: Leaving directory `/var/src/c50a/src/util' Crack: The dictionaries seem up to date... Crack: Sorting out and merging feedback, please be patient... Crack: Merging password files... Crack: Creating gecos-derived dictionaries mkgecosd: making non-permuted words dictionary mkgecosd: making permuted words dictionary Crack: launching: cracker -kill run/Kwen.20236 Done ---- passwords cracked as of Wed Mar 1 11:14:20 PHT 2000 ---- Guessed gdm [] Gnome Display Manager [/usr/local/src/c50a/run/tmppass /bin/bash] ---- done ---- find . -name "*~" -print | xargs -n50 rm -f ( cd src; for dir in * ; do ( cd $dir ; make clean ) ; done ) make[1]: Entering directory `/var/src/c50a/src/lib' rm -f dawglib.o debug.o rules.o stringlib.o *~ make[1]: Leaving directory `/var/src/c50a/src/lib' make[1]: Entering directory `/var/src/c50a/src/libdes' /bin/rm -f *.o tags core rpw destest des speed libdes.a .nfs* *.old \ *.bak destest rpw des speed make[1]: Leaving directory `/var/src/c50a/src/libdes' make[1]: Entering directory `/var/src/c50a/src/util' rm -f *.o *~ make[1]: Leaving directory `/var/src/c50a/src/util' scripts/plaster scripts/fbmerge rm -f run/[DIEGTKM]* rm -f run/dict/gecos.* rm -f run/dict/gcperm.* --------[End Tiger Exhibit]---------------------- --------[exhibit logcheck email]---------------------- From root@host.vasia.com Thu Mar 2 13:30:18 2000 Return-Path: Received: (from root@localhost) by host.vasia.com (8.9.3/8.9.3/SuSE Linux 8.9.3-0.1) id NAA00327 for root; Thu, 2 Mar 2000 13:30:18 +0800 Date: Thu, 2 Mar 2000 13:30:18 +0800 From: root Message-Id: <200003020530.NAA00327@host.vasia.com> To: root@host.vasia.com Subject: host 03/02/00:13.30 ACTIVE SYSTEM ATTACK! Status: RO Active System Attack Alerts =-=-=-=-=-=-=-=-=-=-=-=-=-= Mar 2 11:39:21 host sendmail[330]: NOQUEUE: IDENT:JqPAqNOv4vSuevSGQJUChmMFJFrlozr7@panix.com [166.84.0.226]: VRFY root [rejected] Mar 2 11:39:27 host sendmail[330]: NOQUEUE: IDENT:JqPAqNOv4vSuevSGQJUChmMFJFrlozr7@panix.com [166.84.0.226]: EXPN root [rejected] Mar 2 11:39:40 host sendmail[330]: NOQUEUE: IDENT:JqPAqNOv4vSuevSGQJUChmMFJFrlozr7@panix.com [166.84.0.226]: VRFY guest [rejected] Mar 2 13:25:14 host sendmail[251]: NOQUEUE: root@host.vasia.com [216.226.244.29]: VRFY ROOT [rejected] Mar 2 13:25:19 host sendmail[251]: NOQUEUE: root@host.vasia.com [216.226.244.29]: EXPN root [rejected] Mar 2 13:25:26 host sendmail[251]: NOQUEUE: root@host.vasia.com [216.226.244.29]: VRFY guest [rejected] Security Violations =-=-=-=-=-=-=-=-=-= Mar 2 13:24:41 host proftpd[242]: host.vasia.com (localhost.vasia.com[127.0.0.1]) - USER Minime (Login failed): Can't find user. Mar 2 13:24:45 host in.telnetd[245]: refused connect from root@216.226.244.29 Mar 2 13:24:53 host proftpd[248]: refused connect from root@216.226.244.29 Mar 2 13:25:14 host sendmail[251]: NOQUEUE: root@host.vasia.com [216.226.244.29]: VRFY ROOT [rejected] Mar 2 13:25:19 host sendmail[251]: NOQUEUE: root@host.vasia.com [216.226.244.29]: EXPN root [rejected] Mar 2 13:25:26 host sendmail[251]: NOQUEUE: root@host.vasia.com [216.226.244.29]: VRFY guest [rejected] Mar 2 13:25:33 host sendmail[251]: NOQUEUE: root@host.vasia.com [216.226.244.29]: EXPN guest [rejected] Unusual System Events =-=-=-=-=-=-=-=-=-=-= Mar 2 13:18:52 host init: Switching to runlevel: 6 Mar 2 13:20:15 host inetd[137]: shell/tcp: unknown service Mar 2 13:20:15 host inetd[137]: http-rman/tcp: unknown service Mar 2 13:20:17 host sendmail[162]: starting daemon (8.9.3): SMTP+queueing@00:30:00 Mar 2 13:20:17 host in.identd[174]: started Mar 2 13:24:33 host in.telnetd[238]: connect from root@127.0.0.1 Mar 2 13:24:38 host proftpd[242]: connect from root@127.0.0.1 Mar 2 13:24:41 host proftpd[242]: host.vasia.com (localhost.vasia.com[127.0.0.1]) - USER Minime (Login failed): Can't find user. Mar 2 13:24:42 host proftpd[242]: host.vasia.com (localhost.vasia.com[127.0.0.1]) - FTP session closed. Mar 2 13:24:45 host in.telnetd[245]: refused connect from root@216.226.244.29 Mar 2 13:24:53 host proftpd[248]: refused connect from root@216.226.244.29 Mar 2 13:25:14 host sendmail[251]: NOQUEUE: root@host.vasia.com [216.226.244.29]: VRFY ROOT [rejected] Mar 2 13:25:19 host sendmail[251]: NOQUEUE: root@host.vasia.com [216.226.244.29]: EXPN root [rejected] Mar 2 13:25:26 host sendmail[251]: NOQUEUE: root@host.vasia.com [216.226.244.29]: VRFY guest [rejected] Mar 2 13:25:33 host sendmail[251]: NOQUEUE: root@host.vasia.com [216.226.244.29]: EXPN guest [rejected] -------- end exhibit --------