Mailinglist Archive: opensuse (3637 mails)

Re: [SLE] hacked?
  • From: dizzy73 <dizzy73@xxxxxxxxxx>
  • Date: Thu, 03 May 2001 00:12:50 -0400
  • Message-id: <3AF0DAC2.50038946@xxxxxxxxxx>
Well... to me (and as others have surmised) it looks like you were simply
portscanned, not a problem. The list below gives you the services to be
disabled in inetd.conf. If you look at the time frames they are all close
and sequential. So now you know what to look for.

If you want to make your box more secure by disabling services, be sure to
have a good password for root and possibly set up a firewall. I think
Jerry's idea of the chkrootkit is good (I know he wouldn't steer you
wrong) but I've never used it. I think using harden suse is overkill for a
dialup box.
You have to figure it's going to take someone "some time" to do what they
need to do and if you're on a dialup you get a new IP every time you
connect (making it difficult to revisit).
You could also try the port sentry or even do a script that greps the
message file and mails you when a -connect- is made.

If you really want to test your security hang out on the linux chat rooms
<grin>

My opinion is, it's all really in fun and people just experimenting. I mean
on a dialup box what can someone else do? Trash your files? Put your
machine in Zombie mode? On a single user system, you unplug the machine
from the net and reinstall the bin files from cd. People are just testing
the waters. Imagine the rush if the guy got a prompt on a remote box ;-)

I don't think you have anything to worry about, but a lesson for all of us
on some tools, what to look for and how to respond.
Oh... another suggestion is to install nmap from the suse cd and learn
how to use it, you can scan your own box.
have fun
rob

"Claudio E. Elicker" wrote:

> dizzy73 wrote:
> >
> > post the pertinent info from the log file
> >
>
> cat /var/log/messages | grep 200.204.201.138 > suspectip.log
>
> It's here:
>
> Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on
> illegal port
> Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:32:37 yeh1 in.rlogind[1716]: connect from 200.204.201.138
> (200.204.201.138)
> Apr 29 21:32:42 yeh1 rlogind[1716]: Connection from 200.204.201.138 on
> illegal port
>
> Except for the last 2 lines, this was already included in my original
> posting.
>
> TIA
> Claudio
>
> --
> To unsubscribe send e-mail to suse-linux-e-unsubscribe@xxxxxxxx
> For additional commands send e-mail to suse-linux-e-help@xxxxxxxx
> Also check the FAQ at http://www.suse.com/support/faq and the
> archives at http://lists.suse.com
