Mailinglist Archive: opensuse (1983 mails)

Re: [SuSE Linux] security breaches... Help!
  • From: wizard01@xxxxxxxxxxxxxxxxxxxxxx (wizard01@xxxxxxxxxxxxxxxxxxxxxx)
  • Date: Tue, 1 Dec 1998 10:26:04 +0100
  • Message-id: <199812011533.KAA09019@xxxxxxxxxxxxxxxxxxxxxxxxxx>



Based off of the ip (MAYBE it isn't spoofed) you should be able to
go to the ISP with the timestamp and make a complaint. According
to my lookup the machine/port name is: R-G-189-128.access.net.il .
The 192.116.189.128 and the
192.116.194.173 belong to access.net.il, the address
192.116.189.1 is musso.inter.net.il .
Just remember to reference your timestamp with GMT.
When I've had problems with a non-spoofed IP and sent a
log, complaint and timestamp to the admin of the ISP
I've ALWAYS gotten results.

>
> On a several occasions, somebody has managed to break into my networked
> SuSE Linux box and do some damage. On two occasions, the damage has
> made it impossible for me to log in to my own site.
>
> Yesterday, for example, I found the following entries in /etc/passwd.
>
> slage::0:0::/root:/bin/bash
> Slage::999:999::/tmp:/bin/bash
>
> I certainly didn't put these lines in my /etc/passwd file. In
> /var/log/warn and in /var/log/messages I find a lot of stuff like this.
>
> Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:48:37 sophia login[2221]: invalid password for `UNKNOWN' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:48:43 sophia login[2221]: invalid password for `root' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:50:16 sophia login[2228]: invalid password for `root' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:51:03 sophia login[2231]: invalid password for `root' on
> `ttyp0' from `192.116.194.173'
> Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on
> `ttyp1' from `192.117.189.128'
> Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on
> `ttyp0' from `192.117.189.128'
>
> I don't know how this person managed to add lines to my /etc/passwd
> file. By the time s/he was done, I couldn't log into my own system
> under *any* legitimate name and passwd, and had to boot from a floppy
> and reinstall a bunch of stuff. Is that some sort of security device
> kicking in? If so, what is the best way of undoing the damage?
>
> Can anyone advise me about the best method of preventing this sort of
> thing?
>
> Thanks.
>
> Wes
> -
> To get out of this list, please send email to majordomo@xxxxxxxx with
> this text in its body: unsubscribe suse-linux-e
>

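As an added example, not written by either poster, here is a small Python script for the defender-side triage this thread calls for: it parses the quoted login-failure lines from /var/log/messages, tallies attempts per source IP with timestamps normalised to GMT (what the reply says an ISP abuse complaint should reference), and audits an /etc/passwd for the kind of entries Wes found (a second UID 0 account, empty password fields, a case-variant twin of an existing name). The sample log and passwd contents are constructed from the lines quoted above; the year and the local UTC offset are assumptions, because syslog lines record neither.

```python
"""Triage helpers for the two artifacts in the thread: syslog login-failure
lines and /etc/passwd content.  Sample inputs are constructed from the lines
quoted in the mail; year and local timezone offset are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: the /var/log/messages lines quoted in the original mail.
SAMPLE_LOG = """\
Nov 29 04:48:20 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
Nov 29 04:48:37 sophia login[2221]: invalid password for `UNKNOWN' on `ttyp0' from `192.116.194.173'
Nov 29 04:48:43 sophia login[2221]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:50:16 sophia login[2228]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:03 sophia login[2231]: invalid password for `root' on `ttyp0' from `192.116.194.173'
Nov 29 04:51:08 sophia login[2232]: invalid password for `root' on `ttyp1' from `192.117.189.128'
Nov 29 04:53:55 sophia login[2245]: no shadow password for `Slage' on `ttyp0' from `192.117.189.128'
"""

# Constructed sample /etc/passwd: ordinary accounts plus the two rogue lines.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
wes:x:500:100:Wes:/home/wes:/bin/bash
slage::0:0::/root:/bin/bash
Slage::999:999::/tmp:/bin/bash
"""

# Matches the login(1) failure formats seen in the quoted log.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) login\[(?P<pid>\d+)\]: "
    r"(?P<what>invalid password|no shadow password) for `(?P<user>[^']*)' "
    r"on `(?P<tty>[^']*)' from `(?P<src>[^']*)'$"
)


def parse_login_events(text, year=1998, utc_offset_hours=0):
    """One dict per matching line.  Syslog stamps carry no year and no zone,
    so both are caller-supplied assumptions; 'gmt' is the stamp converted to
    UTC, which is what an abuse report to the ISP should quote."""
    local = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({**m.groupdict(), "gmt": ts.replace(tzinfo=local).astimezone(timezone.utc)})
    return events


def summarize_by_source(events):
    """Per source IP: number of failures, usernames tried, first/last time in GMT."""
    out = {}
    for e in events:
        s = out.setdefault(e["src"], {"count": 0, "users": set(), "first": e["gmt"], "last": e["gmt"]})
        s["count"] += 1
        s["users"].add(e["user"])
        s["first"] = min(s["first"], e["gmt"])
        s["last"] = max(s["last"], e["gmt"])
    return out


def audit_passwd(text):
    """Flag passwd entries that grant access the admin did not intend: UID 0
    under a name other than root, an empty password field (no password is
    asked for at all), and names that collide with an existing account
    when compared case-insensitively."""
    findings = []
    seen = defaultdict(list)
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 under non-root name"))
        if pw == "":
            findings.append((name, "empty password field"))
        seen[name.lower()].append(name)
    for names in seen.values():
        if len(set(names)) > 1:
            findings.append(("/".join(sorted(set(names))), "case-variant duplicate names"))
    return findings


if __name__ == "__main__":
    for src, s in summarize_by_source(parse_login_events(SAMPLE_LOG)).items():
        print(src, s["count"], sorted(s["users"]), s["first"].isoformat(), s["last"].isoformat())
    for name, why in audit_passwd(SAMPLE_PASSWD):
        print(name, "->", why)
```

Run it against a real /var/log/messages and /etc/passwd by reading the files into the two functions; pass the box's actual UTC offset to parse_login_events so the GMT stamps in the report are right. Note that the log quotes 192.117.189.128 while the reply above names 192.116.189.128, so the summary keyed by source address is a useful cross-check before sending a complaint.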
