Mailinglist Archive: opensuse (3637 mails)

Re: [SLE] hacked?
  • From: dizzy73 <dizzy73@xxxxxxxxxx>
  • Date: Wed, 02 May 2001 20:36:00 -0400
  • Message-id: <3AF0A7F0.7BC96BEE@xxxxxxxxxx>
Is the machine on line all the time? If so, then you really should have
precautions such as
a firewall
applying harden suse
and as Nick Z suggested editing necessary files (removing unnecessary
services that would appear running on your machine)

If the machine is not on all the time the risk is greatly minimised (still
a good idea to edit the suggested files though)
although probably not necessary to run the harden suse as that just really
locks down your machine (unnecessarily so)

popper is a mail program that 'pops' (post office protocol) mails

initially it looked suspicious (from Brazil) however I see you are from
Brazil... could this be your ISP ;-)

I would suggest you try this

grep -F '200.204.201.138' /var/log/messages > suspectip.log

and post it to the list

my guess is this is your ISP

rob

here is the lookup info

btw - you have a funky mail address --> @w3.nh.conex.com.br
##########################################
RNP (Brazilian Research Network) (NETBLK-BRAZIL-BLK2)
These addresses have been further assigned to Brazilian users.
Contact information can be found at the WHOIS server located
at whois.registro.br and at http://whois.nic.br
BR

Netname: BRAZIL-BLK2
Netblock: 200.128.0.0 - 200.255.255.255
Maintainer: RNP

Coordinator:
Gomide, Alberto Courrege (ACG8-ARIN) gomide@xxxxxx
+55 19 9119-0304 (FAX) +55 19 9119-0304

Domain System inverse mapping provided by:

NS.DNS.BR 143.108.23.2
NS1.DNS.BR 200.255.253.234
NS2.DNS.BR 200.19.119.99

Record last updated on 11-Apr-2001.
Database last updated on 1-May-2001 22:46:49 EDT.
#########################################################

and


Tracing route to 200.204.201.138 over a maximum of 30 hops

1 362 ms 198 ms 196 ms loopback0.ct7.ts.connix.net [xxx.xx.145.129]
2 593 ms 225 ms 168 ms fastether0-0.hfd-03.rt.thebiz.connix.net [xxx.xx.157.225]
3 664 ms 198 ms 176 ms czcore.cyberzone.net [209.150.0.1]
4 168 ms 200 ms 1024 ms hfd3-cyberzone.pp.connix.net [xxx.xx.159.201]
5 176 ms 174 ms 475 ms 901.Hssi5-0-0.GW1.HAR1.ALTER.NET [137.39.148.21]
6 295 ms 225 ms 170 ms 564.ATM1-0.XR1.NYC1.ALTER.NET [152.63.26.66]
7 367 ms 219 ms 599 ms 195.at-1-0-0.TR1.NYC8.ALTER.NET [152.63.21.26]
8 547 ms 200 ms 201 ms 124.at-6-0-0.TR1.ATL5.ALTER.NET [152.63.0.161]
9 248 ms 198 ms 224 ms 0.so-4-0-0.XR1.ATL5.ALTER.NET [152.63.9.226]
10 819 ms 225 ms 196 ms 193.ATM6-0.GW5.ATL5.ALTER.NET [152.63.82.9]
11 695 ms 375 ms 1249 ms embratel-gw.customer.alter.net [157.130.89.190]
12 350 ms 699 ms 351 ms ebt-P8-3-core01.spo.embratel.net.br [200.230.0.102]
13 371 ms 726 ms 375 ms ebt-P3-0-dist05.spo.embratel.net.br [200.230.0.169]
14 323 ms 574 ms 327 ms telesp-A1-2-32-dist05.spo.embratel.net.br [200.228.240.18]
15 373 ms 350 ms 1225 ms atm13-0-1-br-spo-co-rt1.public.telesp.net.br [200.205.254.37]
16 326 ms 349 ms 351 ms pos-10-3-br-spo-pd-rc1.public.telesp.net.br [200.205.255.162]
17 526 ms 375 ms 774 ms 200.207.0.186
18 * * * Request timed out.
19 686 ms 401 ms 900 ms 200.204.201.138
#########################################################

elicker@xxxxxxxxx wrote:

> I never bothered to look /var/log/messages file until now.
>
> Just by curiosity I was browsing the file and I see the excerpt that
> follows.
>
> It seems that someone at 200.204.201.138 was trying to break into my
> computer.
>
> My box is a minimal SuSE 6.4 with KDE2, apache and samba added. No
> special security measures were taken.
>
> As I know nothing about security I am looking for some advice.
>
> Did this guy at 200.204.201.138 succeed? Was I hacked?
>
> What is "popper"? AFAIK there is nothing in my box with this name.
>
> Thanks a lot for any advice.
>
> Claudio
>
> --------------------------------
>
> /var/log/messages
>
> ---big snip---
>
> Apr 29 21:12:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x4 magic=0x28a2c95d]
> Apr 29 21:12:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x4 magic=0x0]
> Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:34 yeh1 popper[1640]: error: cannot execute /usr/sbin/popper: No such file or directory
> Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
> Apr 29 21:12:50 yeh1 pppd[1608]: sent [LCP EchoReq id=0x5 magic=0x28a2c95d]
> Apr 29 21:12:50 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x5 magic=0x0]
> Apr 29 21:12:51 yeh1 fingerd[1641]: Client hung up - probable port-scan
> Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:13:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x6 magic=0x28a2c95d]
> Apr 29 21:13:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x6 magic=0x0]
> Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:13:50 yeh1 pppd[1608]: sent [LCP EchoReq id=0x7 magic=0x28a2c95d]
> Apr 29 21:13:50 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x7 magic=0x0]
> Apr 29 21:13:52 yeh1 telnetd[1648]: ttloop: read: Connection reset by peer
> Apr 29 21:14:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x8 magic=0x28a2c95d]
> Apr 29 21:14:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x8 magic=0x0]
> Apr 29 21:14:24 yeh1 telnetd[1638]: ttloop: peer died: EOF
> Apr 29 21:14:50 yeh1 pppd[1608]: sent [LCP EchoReq id=0x9 magic=0x28a2c95d]
> Apr 29 21:14:50 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x9 magic=0x0]
> Apr 29 21:15:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0xa magic=0x28a2c95d]
> Apr 29 21:15:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0xa magic=0x0]
>
> ---big snip---
>
> --
> To unsubscribe send e-mail to suse-linux-e-unsubscribe@xxxxxxxx
> For additional commands send e-mail to suse-linux-e-help@xxxxxxxx
> Also check the FAQ at http://www.suse.com/support/faq and the
> archives at http://lists.suse.com
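Rob's grep above pulls every line mentioning one address. The quoted excerpt also shows what such lines actually mean: each tcpd/inetd "connect from" entry records only that inetd accepted a TCP connection and spawned the service, and several different services hit by one address within seconds is the classic port-scan signature that fingerd itself flagged. The following Python script is an added example for this thread, not code posted by Rob, Claudio or the SuSE project: it parses classic syslog lines, extracts the wrapper "connect from" records, groups them by source address and flags any address that touched several distinct services inside a short sliding window. The sample lines are constructed after the quoted excerpt (one extra line from 192.0.2.44 shows a single connection that is not flagged); the function names and the 2001 year default are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on the /var/log/messages excerpt quoted in
# this thread (not the original file); 192.0.2.44 is a documentation address.
SAMPLE_LOG = """\
Apr 29 21:12:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x4 magic=0x28a2c95d]
Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: error: cannot execute /usr/sbin/popper: No such file or directory
Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
Apr 29 21:12:51 yeh1 fingerd[1641]: Client hung up - probable port-scan
Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:14:24 yeh1 telnetd[1638]: ttloop: peer died: EOF
Apr 29 22:05:10 yeh1 in.ftpd[1702]: connect from 192.0.2.44 (192.0.2.44)
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# tcpd wrapper message: "connect from <name-or-addr> (<addr>)"
CONNECT_RE = re.compile(r"^connect from \S+ \((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_syslog_line(line, year=2001):
    """Split one syslog line into fields; returns None for lines that do not
    match. Syslog omits the year, so the caller supplies it (assumed 2001,
    the year of the quoted log)."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"],
            "pid": m["pid"], "msg": m["msg"]}


def tcpd_connections(lines, year=2001):
    """Return (timestamp, source_ip, service) for each wrapper 'connect from'
    line. Such a line only shows inetd accepted the TCP connection and
    started the daemon; it does not show that a login or command succeeded."""
    found = []
    for line in lines:
        rec = parse_syslog_line(line, year)
        if rec is None:
            continue
        c = CONNECT_RE.match(rec["msg"])
        if c:
            # Drop the "in." prefix so in.telnetd and telnetd count as one service.
            prog = rec["prog"]
            service = prog[3:] if prog.startswith("in.") else prog
            found.append((rec["ts"], c["ip"], service))
    return found


def find_port_scans(lines, window_seconds=60, min_services=3, year=2001):
    """Flag source addresses that reached at least `min_services` distinct
    inetd services within any `window_seconds` interval. Returns a dict of
    ip -> sorted list of services seen in the densest window."""
    by_ip = defaultdict(list)
    for ts, ip, service in tcpd_connections(lines, year):
        by_ip[ip].append((ts, service))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best = set()
        for i in range(len(events)):
            # Sliding window: all events within window_seconds of events[i].
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            seen = {svc for _, svc in events[i:j]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_services:
            flagged[ip] = sorted(best)
    return flagged


if __name__ == "__main__":
    for ip, services in find_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: probable scan, services touched: {', '.join(services)}")
```

On the sample, 200.204.201.138 is flagged with six services inside a single minute, while the lone ftp connection from 192.0.2.44 is not. Note what the parser deliberately ignores: the popper "cannot execute" error (inetd was configured for a POP daemon whose binary is absent, so nothing ran), the rshd "illegal port" rejection and the telnetd "peer died" lines are not connections at all, and the script only attributes the scan, it does not decide whether any service session succeeded. Answering "was I hacked?" needs the per-service logs (telnetd and rlogind login records, ftpd transfer logs) rather than the wrapper lines alone.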

