Mailinglist Archive: opensuse (3637 mails)

Re: [SLE] hacked?
  • From: Anders Johansson <andjoh@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 3 May 2001 04:26:55 +0200
  • Message-id: <200105030226.f432QtG27133@xxxxxxxxxxxxxxxxxxxxx>
A Brazilian gentleman(?) portscanned you, found rlogind to be active, and
made a half-hearted attempt at getting in. If this is all the activity you
have from these daemons, I'd hazard a guess you haven't been hacked.

If you haven't been monitoring your logs regularly, I wouldn't trust their
integrity, however. A hacker's first goal is to cover his tracks. Even if you
can't find any more traces of intrusion, I recommend a complete reinstall,
and this time, secure your box before connecting it to the net.

Regards
Anders

On Thursday 03 May 2001 04:03, Claudio E. Elicker wrote:
> dizzy73 wrote:
> > post the pertinent info from the log file
>
> cat /var/log/messages | grep 200.204.201.138 > suspectip.log
>
> It's here:
>
> Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on
> illegal port
> Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:32:37 yeh1 in.rlogind[1716]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:32:42 yeh1 rlogind[1716]: Connection from 200.204.201.138 on
> illegal port
>
> Except for the last 2 lines, this was already included in my original
> posting.
>
> TIA
> Claudio
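As an added example (not part of the thread), a small Python script that applies Anders's reading of the log: it groups the tcp_wrappers "connect from" lines by source address, flags a source that touches several different daemons within a minute as a portscan, and separately lists the rshd/rlogind "illegal port" rejections, which are what a rsh/rlogin attempt from a non-privileged source port looks like. The sample log is constructed from the lines quoted above plus one benign entry; the year, the 60-second window and the three-service threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample: the tcp_wrappers/syslog lines quoted in the thread plus one benign entry.
SAMPLE_LOG = """\
Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:32:37 yeh1 in.rlogind[1716]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:32:42 yeh1 rlogind[1716]: Connection from 200.204.201.138 on illegal port
Apr 29 21:40:02 yeh1 in.ftpd[1720]: connect from 10.0.0.7 (10.0.0.7)
"""

# syslog prefix "Mon DD HH:MM:SS host daemon[pid]: message", then the two message shapes seen above
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<daemon>[\w.]+)\[\d+\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<src>[\d.]+)")  # tcp_wrappers accept line
ILLEGAL_RE = re.compile(r"^Connection from (?P<src>[\d.]+) on illegal port")  # rshd/rlogind reject

def parse_timestamp(ts, year=2001):
    # syslog carries no year; 2001 is assumed to match the thread's date
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def analyze(log_text, window_seconds=60, min_services=3):
    """Return (scans, illegal): scans maps a source to the distinct daemons it hit
    within window_seconds (flagged when >= min_services); illegal maps a source
    to the daemons that refused it for using a non-privileged source port."""
    connects, illegal = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c, i = CONNECT_RE.match(m["msg"]), ILLEGAL_RE.match(m["msg"])
        if c:
            connects[c["src"]].append((parse_timestamp(m["ts"]), m["daemon"]))
        elif i:
            illegal[i["src"]].append(m["daemon"])
    scans = {}
    for src, events in connects.items():
        events.sort()
        for k, (t0, _) in enumerate(events):  # sliding window starting at each connection
            seen = {d for t, d in events[k:] if (t - t0).total_seconds() <= window_seconds}
            if len(seen) >= min_services:
                scans[src] = sorted(seen)
                break
    return scans, dict(illegal)
```

Running `analyze(SAMPLE_LOG)` reports the Brazilian address hitting six daemons inside one minute and being refused twice on an illegal port, while the single benign ftp connection is not flagged.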
