!!LSM Alert!!


vps-vince
11-06-2005, 05:16 PM
Hi all,
Over last few days I am receiving regular automated alert messages:

Subject: !!LSM Alert!!

This is an automated alert generated from usa.hostbaron.com. This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.

Following is a summary of new Internet Server Sockets:
> tcp 0 0 (IP removed):62488 0.0.0.0:* LISTEN -

Following is a summary of a new Unix Domain Sockets:
no changes to Unix Domain Sockets


Support have checked and confirmed there is nothing in regards of security to worry about, but wondering if anyone else gets these like 6 -> 10 times per day?! :confused:

Until 3 days ago, I've only ever seen one of these in more than 4 months of being here?

Best wishes,

- Vince

PvUtrix
11-06-2005, 05:51 PM
Never got one of these...

ndndixie
11-06-2005, 06:33 PM
Nothing here, I've never seen one either.

Zaf
11-06-2005, 06:52 PM
I haven't received this either, but that made me wonder if mine was working at all. So I rechecked its settings and know that it's working, only thing is nothing has been reported so far.

Following is a summary of new Internet Server Sockets:
> tcp 0 0 (IP removed):62488 0.0.0.0:* LISTEN -

If Support has investigated and confirmed that it's not a security issue, you should regenerate your base reference files again by running /usr/local/lsm/lsm -g. That will stop these warning mails, which get annoying at times.

vps-vince
11-07-2005, 08:13 PM
OK, I've now run the command as you suggested Zaf.

[~]# /usr/local/lsm/lsm -g
LSM version 0.2 <lsm@r-fx.org>
Copyright (C) 2004, R-fx Networks
2004, Ryan MacDonald
This program may be freely redistributed under the terms of the GNU GPL

generated base comparison files


Hopefully it will help, as I am getting a little fed up with the messages - over 30 more since last post! :confused:

- Vince

vps-vince
11-08-2005, 07:04 PM
Nope, still getting them.

Other suggestions from support are:

It could be one of your user's scripts which is listening at that port at some times.

We can try disabling passive ftp and see if LSM is giving out those warnings because of the passive FTP connections to the server itself.

Not being a Linux guru, I am surprised that there is no way to trace this in any of the logs :confused: but only by 'catching' it at the exact time it happens!

Any other help appreciated.

Thanks,

- Vince

Zaf
11-08-2005, 09:22 PM
Nope, still getting them.

Think when you ran that command, that port was not listening. When I went up looking, I found four files where it stores the data:
/usr/local/lsm/dat/netserv.list
/usr/local/lsm/dat/netst
/usr/local/lsm/dat/udsserv.list
/usr/local/lsm/dat/udsst

Try editing these files directly and enter the details of that port :)
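
The baseline comparison discussed in this thread, as an added example that is not part of any post and is not LSM's own code: it diffs a later `netstat -lntp` style snapshot against a baseline and optionally skips an expected port range. The function names, the sample lines and `PASV_RANGE` are assumptions made for illustration.

```python
# Added example: baseline diff of listening sockets (hypothetical helper, not LSM code).
# All snapshot lines below are constructed; 192.0.2.10 is a documentation address.
BASELINE = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 811/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1023/httpd
"""
LATER = BASELINE + "tcp 0 0 192.0.2.10:62488 0.0.0.0:* LISTEN -\n"

# Assumed passive-FTP port range; the real range comes from the FTP server config.
PASV_RANGE = range(62000, 63000)


def parse_listeners(text):
    """Map (proto, address, port) -> owner for each LISTEN line of netstat -lntp output."""
    found = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")
        # netstat prints "-" when it cannot resolve the owning PID/program.
        owner = fields[6] if len(fields) > 6 else "-"
        found[(fields[0], address, int(port))] = owner
    return found


def new_listeners(baseline, current, expected_ports=()):
    """Return sockets present in current but absent from baseline."""
    report = []
    for key in sorted(set(current) - set(baseline)):
        if key[2] in expected_ports:
            continue  # known, documented range: do not alert
        report.append(key + (current[key],))
    return report


if __name__ == "__main__":
    base = parse_listeners(BASELINE)   # taken while port 62488 was closed
    now = parse_listeners(LATER)       # taken while it was open
    for proto, address, port, owner in new_listeners(base, now):
        print(f"new listener {proto} {address}:{port} owner={owner}")
    print("with PASV range allowed:", new_listeners(base, now, PASV_RANGE))
```

A baseline captured while the port is closed still reports it as new the next time it opens, which is why regenerating the reference files alone did not stop the mails.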