• Status: Solved
  • Priority: Medium
  • Security: Public

xinetd messages in /var/log/messages

We seem to be getting a lot of these entries in /var/log/messages (every few seconds).

Does this look like incoming activity (i.e. machines looking to send smtp to us) or outgoing (maybe some virus spamming outbound)?

Apr 26 12:34:47 mybox xinetd[3475]: START: smtp pid=22547 from=x.x.x.x
Apr 26 12:34:49 mybox xinetd[3475]: START: smtp pid=22548 from=x.x.x.x
Apr 26 12:34:49 mybox xinetd[3475]: START: smtp pid=22549 from=x.x.x.x
Apr 26 12:34:50 mybox xinetd[3475]: START: smtp pid=22550 from=x.x.x.x
Apr 26 12:34:52 mybox xinetd[3475]: START: smtp pid=22551 from=x.x.x.x
Apr 26 12:34:53 mybox xinetd[3475]: EXIT: smtp status=0 pid=22500 duration=31(sec)
Apr 26 12:34:56 mybox xinetd[3475]: EXIT: smtp status=0 pid=22502 duration=32(sec)

It looks like these are being generated by a bunch of rblsmtpd processes, e.g.

root     22954  3475  0 12:44 ?        00:00:00 /usr/sbin/rblsmtpd -r whois.rfc-ignorant.org -r bl.spamcop.net -r sbl.spamhaus.org -r xbl.spamhaus.org -r psbl.surriel.com /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true

Which in turn are children of
root      3475     1  0  2009 ?        00:45:15 xinetd -stayalive -pidfile /var/run/xinetd.pid

Can someone offer an explanation?

Thanks
BT
Asked: brothertom
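The direction can be read from the log itself: xinetd only listens and spawns a handler when a remote host connects, so the from= field of a START line is the remote peer of an inbound connection. The following Python parser is an added example, not code from the original thread; it assumes the line format shown in the question and uses a constructed sample, pairs START/EXIT lines by pid and counts accepted connections per peer, which is the list you would feed into whois/nslookup.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same format as the question's log (not real traffic).
SAMPLE_LOG = """\
Apr 26 12:34:47 mybox xinetd[3475]: START: smtp pid=22547 from=192.0.2.10
Apr 26 12:34:49 mybox xinetd[3475]: START: smtp pid=22548 from=198.51.100.7
Apr 26 12:34:49 mybox xinetd[3475]: START: smtp pid=22549 from=192.0.2.10
Apr 26 12:34:52 mybox xinetd[3475]: START: smtp pid=22551 from=192.0.2.10
Apr 26 12:35:18 mybox xinetd[3475]: EXIT: smtp status=0 pid=22547 duration=31(sec)
Apr 26 12:35:21 mybox xinetd[3475]: EXIT: smtp status=0 pid=22548 duration=32(sec)
Apr 26 12:35:22 mybox xinetd[3475]: EXIT: smtp status=1 pid=22549 duration=33(sec)
"""

# START lines name the remote peer in from=; EXIT lines carry status and duration.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ xinetd\[\d+\]: "
                     r"(?P<kind>START|EXIT): (?P<svc>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=([^\s(]+)")   # key=value, dropping the "(sec)" suffix

def parse_xinetd(text, year=2010):
    """Yield one dict per START/EXIT line; syslog lacks a year, so one is assumed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"kind": m["kind"], "service": m["svc"],
               "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")}
        rec.update(KV_RE.findall(m["rest"]))
        yield rec

def summarize(text, service="smtp"):
    """Pair START with EXIT by pid; count accepted connections per remote peer."""
    open_conns, sessions, per_peer = {}, [], defaultdict(int)
    for rec in parse_xinetd(text):
        if rec["service"] != service:
            continue
        if rec["kind"] == "START":
            open_conns[rec["pid"]] = rec
            per_peer[rec["from"]] += 1
        else:
            start = open_conns.pop(rec["pid"], None)  # None if the START scrolled out
            sessions.append({"pid": rec["pid"], "peer": start["from"] if start else None,
                             "status": int(rec["status"]), "duration": int(rec["duration"])})
    return {"per_peer": dict(per_peer), "sessions": sessions,
            "still_open": sorted(open_conns)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG)["per_peer"])
```

A peer that shows up dozens of times per minute is the one worth looking up first; a large still_open list or many non-zero exit statuses points at handlers hanging or rejecting rather than at anything leaving the box.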
3 Solutions
 
thedwill Commented:
Looks pretty normal to me. Are all the IPs (x.x.x.x) the same?
Could be the big bad Internet trying to relay or legitimate inbound traffic.

 
brothertom (Author) Commented:
No, the x.x.x.x are different.
What I really need to know is this: does this log entry indicate incoming SMTP or outgoing SMTP attempts?
Also, I don't understand what xinetd is bringing to the party.

 
jools Commented:
It seems to be coming from rblsmtpd, so it may be worth checking the software. It seems like some sort of blacklisting tool, but I've not used it myself.
 
brothertom (Author) Commented:
I believe it's part of the anti-spam mechanism. Any thoughts on the direction of SMTP traffic shown in the log? I'm assuming it's incoming because there would be no need to log outgoing SMTP.
 
jools Commented:
Have you done whois/nslookups on the SMTP IP addresses?