Is the machine online all the time? If so, then you really should have precautions such as a firewall, applying harden_suse and, as Nick Z suggested, editing the necessary files (removing unnecessary services that would appear running on your machine). If the machine is not on all the time the risk is greatly minimised (still a good idea to edit the suggested files though), although it is probably not necessary to run harden_suse as that really locks down your machine (unnecessarily so).

popper is a mail program that "pops" (Post Office Protocol) mails. Initially it looked suspicious (from Brazil), however I see you are from Brazil... could this be your ISP? ;-)

I would suggest you try this:

cat /var/log/messages | grep 200.204.201.138 > suspectip.log

and post it to the list. My guess is this is your ISP.

rob

Here is the lookup info, btw - you have a funky mail address --> @w3.nh.conex.com.br

##########################################
RNP (Brazilian Research Network) (NETBLK-BRAZIL-BLK2)
   These addresses have been further assigned to Brazilian users.
   Contact information can be found at the WHOIS server located
   at whois.registro.br and at http://whois.nic.br
   BR

   Netname: BRAZIL-BLK2
   Netblock: 200.128.0.0 - 200.255.255.255
   Maintainer: RNP

   Coordinator:
      Gomide, Alberto Courrege (ACG8-ARIN) gomide@nic.br
      +55 19 9119-0304 (FAX) +55 19 9119-0304

   Domain System inverse mapping provided by:

   NS.DNS.BR   143.108.23.2
   NS1.DNS.BR  200.255.253.234
   NS2.DNS.BR  200.19.119.99

   Record last updated on 11-Apr-2001.
   Database last updated on 1-May-2001 22:46:49 EDT.
#########################################################

and

Tracing route to 200.204.201.138 over a maximum of 30 hops

  1   362 ms   198 ms   196 ms  loopback0.ct7.ts.connix.net [xxx.xx.145.129]
  2   593 ms   225 ms   168 ms  fastether0-0.hfd-03.rt.thebiz.connix.net [xxx.xx.157.225]
  3   664 ms   198 ms   176 ms  czcore.cyberzone.net [209.150.0.1]
  4   168 ms   200 ms  1024 ms  hfd3-cyberzone.pp.connix.net [xxx.xx.159.201]
  5   176 ms   174 ms   475 ms  901.Hssi5-0-0.GW1.HAR1.ALTER.NET [137.39.148.21]
  6   295 ms   225 ms   170 ms  564.ATM1-0.XR1.NYC1.ALTER.NET [152.63.26.66]
  7   367 ms   219 ms   599 ms  195.at-1-0-0.TR1.NYC8.ALTER.NET [152.63.21.26]
  8   547 ms   200 ms   201 ms  124.at-6-0-0.TR1.ATL5.ALTER.NET [152.63.0.161]
  9   248 ms   198 ms   224 ms  0.so-4-0-0.XR1.ATL5.ALTER.NET [152.63.9.226]
 10   819 ms   225 ms   196 ms  193.ATM6-0.GW5.ATL5.ALTER.NET [152.63.82.9]
 11   695 ms   375 ms  1249 ms  embratel-gw.customer.alter.net [157.130.89.190]
 12   350 ms   699 ms   351 ms  ebt-P8-3-core01.spo.embratel.net.br [200.230.0.102]
 13   371 ms   726 ms   375 ms  ebt-P3-0-dist05.spo.embratel.net.br [200.230.0.169]
 14   323 ms   574 ms   327 ms  telesp-A1-2-32-dist05.spo.embratel.net.br [200.228.240.18]
 15   373 ms   350 ms  1225 ms  atm13-0-1-br-spo-co-rt1.public.telesp.net.br [200.205.254.37]
 16   326 ms   349 ms   351 ms  pos-10-3-br-spo-pd-rc1.public.telesp.net.br [200.205.255.162]
 17   526 ms   375 ms   774 ms  200.207.0.186
 18     *        *        *     Request timed out.
 19   686 ms   401 ms   900 ms  200.204.201.138
#########################################################

elicker@email.com wrote:
I never bothered to look /var/log/messages file until now.
Just by curiosity I was browsing the file and I see the excerpt that follows.
It seems that someone at 200.204.201.138 was trying to break into my computer.
My box is a minimal SuSE 6.4 with KDE2, apache and samba added. No special security measures were taken.
As I know nothing about security I am looking for some advice.
Did this guy at 200.204.201.138 succeed? Was I hacked?
What is "popper"? AFAIK there is nothing in my box with this name.
Thanks a lot for any advice.
Claudio
--------------------------------
/var/log/messages
---big snip---
Apr 29 21:12:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x4 magic=0x28a2c95d]
Apr 29 21:12:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x4 magic=0x0]
Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: error: cannot execute /usr/sbin/popper: No such file or directory
Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
Apr 29 21:12:50 yeh1 pppd[1608]: sent [LCP EchoReq id=0x5 magic=0x28a2c95d]
Apr 29 21:12:50 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x5 magic=0x0]
Apr 29 21:12:51 yeh1 fingerd[1641]: Client hung up - probable port-scan
Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:13:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x6 magic=0x28a2c95d]
Apr 29 21:13:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x6 magic=0x0]
Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:13:50 yeh1 pppd[1608]: sent [LCP EchoReq id=0x7 magic=0x28a2c95d]
Apr 29 21:13:50 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x7 magic=0x0]
Apr 29 21:13:52 yeh1 telnetd[1648]: ttloop: read: Connection reset by peer
Apr 29 21:14:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x8 magic=0x28a2c95d]
Apr 29 21:14:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x8 magic=0x0]
Apr 29 21:14:24 yeh1 telnetd[1638]: ttloop: peer died: EOF
Apr 29 21:14:50 yeh1 pppd[1608]: sent [LCP EchoReq id=0x9 magic=0x28a2c95d]
Apr 29 21:14:50 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x9 magic=0x0]
Apr 29 21:15:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0xa magic=0x28a2c95d]
Apr 29 21:15:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0xa magic=0x0]
---big snip---
--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com
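A way to answer both questions in the thread from the log itself (an added example, not code from the list or either poster): it parses the tcp_wrappers "connect from" lines, flags a source that hits several inetd services within a short window as a probable port sweep, and picks out listeners whose binary is missing, which is what the popper error means. The sample lines are copied from the excerpt above; the year 2001 and the 60-second / 3-service thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog lines copied from the excerpt above; syslog carries no year, so 2001 is assumed.
SAMPLE_LOG = """\
Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: error: cannot execute /usr/sbin/popper: No such file or directory
Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ([\w.]+)\[\d+\]: (.*)$")
CONNECT_RE = re.compile(r"connect from (\d+\.\d+\.\d+\.\d+)")   # tcp_wrappers accept line
EXEC_RE = re.compile(r"cannot execute (\S+):")                  # inetd could not spawn daemon

def parse(line, year=2001):
    """Return (timestamp, service, message) or None for a non-syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    prog = m.group(2)
    return ts, (prog[3:] if prog.startswith("in.") else prog), m.group(3)

def find_scans(log_text, window_s=60, min_services=3):
    """Map IP -> sorted services for sources hitting >= min_services distinct listeners within window_s."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        c = CONNECT_RE.search(rec[2]) if rec else None
        if c:
            hits[c.group(1)].append((rec[0], rec[1]))
    scans = {}
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):   # slide a window over each start event
            svcs = {s for t, s in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(svcs) >= min_services:
                scans[ip] = sorted(svcs)
                break
    return scans

def missing_binaries(log_text):
    """Listeners enabled in inetd whose daemon binary is absent: the connection is accepted, then fails."""
    return {rec[1]: m.group(1) for rec in map(parse, log_text.splitlines())
            if rec and (m := EXEC_RE.search(rec[2]))}
```

Run against the real file with `find_scans(open("/var/log/messages").read())`; an IP that shows up only under one service, or only outside the window, is not reported.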