Hey everyone,

Remember last week (around Feb 5), when those weird emails showed up from me and I thought my mail server had been cracked? Well, now I'm not so sure. I was looking over the logs again, to try and puzzle out what happened, and I realized something. All the entries showing an Internet IP address logging into my mail server were ME! I forgot that I had my pop server address listed as sildara.dyndns.org, and that FQDN resolves to my own static IP address. At first I didn't catch it, but then I realized that there is no way someone could spoof their address to be the same as mine. Also, the connections were occurring at ten-minute intervals, the interval at which Evolution checks all my accounts.

So, my own TCP packets were going out through my DSL router looking for my own static IP address. As soon as they hit the router's external interface with that IP address, they were NAT'd back into my LAN server by the router and checking my email.

All this, of course, still does not explain the strange messages that almost certainly came from either my laptop or my server (which has a fairly complete backup of my laptop's home directory in my server-based home directory). Unfortunately, I have not yet seen anything suspicious in the logs, so I am somewhat stuck for clues.

I haven't yet wiped the server, because I need my website to stay up for a couple more weeks, and just plain don't have time to do the job right at the moment. I already run snort (and have since day one), and it has logged lots of IP addresses and blocked them. On the 5th, when this all came to light, I re-ran tripwire, and it didn't show any unexpected changes.

If anyone has any other ideas, please feel free to share.

Dave

-- 
Beware the wrath of dragons, for you are crunchy, and good with ketchup.
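The log triage described in the message, as an added example that is not part of the original post: it separates POP3 logins arriving from the server's own public address (the NAT loopback case) from all others and checks whether the self-originated ones match the mail client's ten-minute polling interval. The log format, the daemon name `pop3d` and the addresses are constructed for illustration; in practice `own_ip` would be whatever the dynamic-DNS name resolves to.

```python
import re
from datetime import datetime

# Constructed sample lines; the format and addresses are assumptions,
# not taken from the poster's server.
SAMPLE_LOG = """\
Feb  5 10:00:02 server pop3d[1201]: Login user=dave host=[203.0.113.10]
Feb  5 10:10:03 server pop3d[1215]: Login user=dave host=[203.0.113.10]
Feb  5 10:13:41 server pop3d[1219]: Login user=dave host=[198.51.100.77]
Feb  5 10:20:02 server pop3d[1230]: Login user=dave host=[203.0.113.10]
Feb  5 10:30:04 server pop3d[1244]: Login user=dave host=[203.0.113.10]
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+: Login user=(\S+) host=\[([\d.]+)\]"
)

def parse(log, year=2002):
    """Return (timestamp, user, source_ip) for every login line."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year, so one is supplied.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def triage(events, own_ip, poll_seconds=600, tolerance=30):
    """Split logins into self-originated (own public IP) and external."""
    own = sorted(ts for ts, _, ip in events if ip == own_ip)
    gaps = [(b - a).total_seconds() for a, b in zip(own, own[1:])]
    # Periodic only if every gap sits within tolerance of the poll interval.
    periodic = bool(gaps) and all(abs(g - poll_seconds) <= tolerance for g in gaps)
    external = [(ts, user, ip) for ts, user, ip in events if ip != own_ip]
    return {"own_logins": len(own), "own_is_periodic": periodic,
            "external": external}

if __name__ == "__main__":
    result = triage(parse(SAMPLE_LOG), own_ip="203.0.113.10")
    print("self-originated logins:", result["own_logins"],
          "periodic:", result["own_is_periodic"])
    for ts, user, ip in result["external"]:
        print("needs review:", ts.isoformat(), user, ip)
```

Self-originated logins that are not periodic, or any entries in `external`, are the ones left to investigate.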