I never bothered to look at the /var/log/messages file until now. Just by curiosity I was browsing the file and I saw the excerpt that follows. It seems that someone at 200.204.201.138 was trying to break into my computer. My box is a minimal SuSE 6.4 with KDE2, apache and samba added. No special security measures were taken. As I know nothing about security I am looking for some advice.

Did this guy at 200.204.201.138 succeed? Was I hacked?

What is "popper"? AFAIK there is nothing in my box with this name.

Thanks a lot for any advice.

Claudio

--------------------------------
/var/log/messages
---big snip---
Apr 29 21:12:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x4 magic=0x28a2c95d]
Apr 29 21:12:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x4 magic=0x0]
Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: error: cannot execute /usr/sbin/popper: No such file or directory
Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
Apr 29 21:12:50 yeh1 pppd[1608]: sent [LCP EchoReq id=0x5 magic=0x28a2c95d]
Apr 29 21:12:50 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x5 magic=0x0]
Apr 29 21:12:51 yeh1 fingerd[1641]: Client hung up - probable port-scan
Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:13:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x6 magic=0x28a2c95d]
Apr 29 21:13:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x6 magic=0x0]
Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:13:50 yeh1 pppd[1608]: sent [LCP EchoReq id=0x7 magic=0x28a2c95d]
Apr 29 21:13:50 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x7 magic=0x0]
Apr 29 21:13:52 yeh1 telnetd[1648]: ttloop: read: Connection reset by peer
Apr 29 21:14:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x8 magic=0x28a2c95d]
Apr 29 21:14:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x8 magic=0x0]
Apr 29 21:14:24 yeh1 telnetd[1638]: ttloop: peer died: EOF
Apr 29 21:14:50 yeh1 pppd[1608]: sent [LCP EchoReq id=0x9 magic=0x28a2c95d]
Apr 29 21:14:50 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x9 magic=0x0]
Apr 29 21:15:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0xa magic=0x28a2c95d]
Apr 29 21:15:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0xa magic=0x0]
---big snip---
On May 2, 2001 10:30 am, elicker@email.com wrote:
> I never bothered to look at the /var/log/messages file until now.
> Just by curiosity I was browsing the file and I saw the excerpt that follows.
> It seems that someone at 200.204.201.138 was trying to break into my computer.
> My box is a minimal SuSE 6.4 with KDE2, apache and samba added. No special security measures were taken.
> As I know nothing about security I am looking for some advice.
> Did this guy at 200.204.201.138 succeed? Was I hacked?

Doesn't look like it.

> What is "popper"? AFAIK there is nothing in my box with this name.

Take a look at /etc/inetd.conf. It's for pop3. You really should edit at least /etc/inetd.conf, /etc/hosts.allow and /etc/hosts.deny.

Nick
----- Original Message -----
From:
> I never bothered to look at the /var/log/messages file until now.

May I suggest that you install something like Logwatcher by Psionic? Relatively easy to set up and very helpful.

> Just by curiosity I was browsing the file and I saw the excerpt that follows.
> It seems that someone at 200.204.201.138 was trying to break into my computer.

Sure looks like it. Did you by chance run HARDEN_SUSE on this box?

> My box is a minimal SuSE 6.4 with KDE2, apache and samba added. No special security measures were taken.

Whoops, probably no Harden_SuSE run, huh?

> As I know nothing about security I am looking for some advice.
> Did this guy at 200.204.201.138 succeed? Was I hacked?

It doesn't appear so. However, you can never be sure, unless you keep an eye on security all the time.

> What is "popper"? AFAIK there is nothing in my box with this name.

"Popper" is the POP mail server.

> Thanks a lot for any advice.
> Claudio

Good luck.
Geordon
Download chkrootkit and install it as root. Then run it. It will locate all compromised files. Replace them with fresh installs from the CDs.

JLK

On Wednesday 02 May 2001 09:52, Geordon VanTassle wrote:
> ----- Original Message -----
> From:
> To: "SLE"
> Sent: Wednesday, May 02, 2001 9:30 AM
> Subject: [SLE] hacked?
>> I never bothered to look at the /var/log/messages file until now.
On May 2, 2001 11:30 am, elicker@email.com wrote:
> I never bothered to look at the /var/log/messages file until now.
> Just by curiosity I was browsing the file and I saw the excerpt that follows.
> It seems that someone at 200.204.201.138 was trying to break into my computer.
> My box is a minimal SuSE 6.4 with KDE2, apache and samba added. No special security measures were taken.
> As I know nothing about security I am looking for some advice.
> Did this guy at 200.204.201.138 succeed? Was I hacked?
> What is "popper"? AFAIK there is nothing in my box with this name.

popper is for pop3 connections. It is called from inetd.

Here is how I handle security. I feel relatively safe with this setup.

- All mail to root is forwarded to me (very important and useful). Simply place a file called '.forward' in '/root' containing the email address you want messages forwarded to.
- The SuSE security scripts are installed and run every night. They are extremely thorough and will probably catch about 90%+ of all the skript-kiddiez out there some way or another, as long as you read and understand the reports. They all assume that Linux == RedHat, hehheh.
- Scanlogd is installed and running. I grep messages for scanlogd every once in a while.
- SuSEFirewall is running. I only let in ports that are absolutely necessary. Even though I have a mail server, the pop and IMAP ports are firewalled. I have Kmail set up to tunnel mail over SSH (I can explain that in more detail if anyone wishes). Open ports: http, domain (udp), smtp. I set up "trusted hosts" to the time server I use and allow time connections from it (required for ntp to work properly).
- I am subscribed to the suse-security mailing list and I check every advisory.
- I run the YaST Online Updater at least every week (7.1 only, unfortunately).
- I have disabled anything I don't use in /etc/inetd.conf.
- Remember that 'passwords' are inappropriately named. You should never use a word for one. Mix letters and numbers and make them such that they cannot be easily guessed by software with a dictionary.
- Only install trusted RPM files and avoid installing programs from tarballs. If your trusted source (SuSE) does not have that package in RPM, create one. This gives you the ability to 'verify' that programs have not been messed with.

If you suspect that someone has messed with you, you can check a number of things. Here's what I would do, in order:

- Type 'rpm -V psutils' and pray that it outputs nothing. If it spits filenames at you, the box probably has a rootkit installed and you should immediately back up your data and reinstall.
- Verify some other packages the same way as above: bash and nkitb, especially.
- Type 'ps aux | less' and check that every process should be there and verify the package the program is contained in. For example, if you see 'httpd' you can 'rpm -V `which httpd`' or the full path as seen in the ps output.
- If you're really paranoid, verify every single package on your system. I have done this a couple of times and it is a security procedure I recommended where I work when we suspect that something is awry. The scary part is, I'm not the most paranoid one here...
- Look around my filesystem with 'mc'. Some rootkits modify 'ls' to hide themselves and mc is just faster. Look for any directories that begin with '.'

The SuSE security scripts do a good job of reporting strange behaviour but nothing replaces looking around yourself if the scripts turn up something strange.

Sounds like a mess of work, doesn't it? Note that if you protect yourself in the beginning you can save yourself from a ton of work in the end. I rarely have to go through the second list these days but I verify psutils from time to time.

--
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
James Oakley wrote:
> - Type 'rpm -V psutils' and pray that it outputs nothing. If it spits filenames at you, the box probably has a rootkit installed and you should immediately back up your data and reinstall.
> - Verify some other packages the same way as above: bash and nkitb, especially.

elicker@yeh1:~ > rpm -V psutils
package psutils is not installed

OK, psutils is not installed yet.

elicker@yeh1:~ > rpm -V bash

OK.

elicker@yeh1:~ > rpm -V nkitb
..?..... /bin/ping6
..?..... /usr/sbin/rpc.rstatd
..?..... /usr/sbin/timedc

Ouch!!! Is this right? I manually extracted these files from the SuSE CD to a test directory and ran a diff against the installed ones.

root@yeh1:/home/elicker > diff /bin/ping6 ./Testes/ping6
root@yeh1:/home/elicker > diff /usr/sbin/rpc.rstatd ./Testes/rpc.rstatd
root@yeh1:/home/elicker > diff /usr/sbin/timedc ./Testes/timedc

No differences were found. Why is "rpm -V" complaining?

Thanks.
Claudio
Post the pertinent info from the log file.

rob

"Claudio E. Elicker" wrote:
> James Oakley wrote:
>> - Type 'rpm -V psutils' and pray that it outputs nothing. If it spits filenames at you, the box probably has a rootkit installed and you should immediately back up your data and reinstall.
dizzy73 wrote:
> Post the pertinent info from the log file.

cat /var/log/messages | grep 200.204.201.138 > suspectip.log

It's here:

Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:32:37 yeh1 in.rlogind[1716]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:32:42 yeh1 rlogind[1716]: Connection from 200.204.201.138 on illegal port

Except for the last 2 lines, this was already included in my original posting.

TIA
Claudio
Without a doubt he was trying to connect. Run 'last' to see if you see strange names.

On Wed, 02 May 2001 23:03:54 -0300
"Claudio E. Elicker" wrote:
> dizzy73 wrote:
>> Post the pertinent info from the log file.
>
> cat /var/log/messages | grep 200.204.201.138 > suspectip.log
>
> It's here:
>
> Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
> Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:32:37 yeh1 in.rlogind[1716]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:32:42 yeh1 rlogind[1716]: Connection from 200.204.201.138 on illegal port
>
> Except for the last 2 lines, this was already included in my original posting.
>
> TIA
> Claudio
-- SuSe 7.0 Linux 2.4.2 i686 Wed May 2 22:05:00 EDT 2001
A Brazilian gentleman(?) portscanned you, found rlogind to be active, and made a half-hearted attempt at getting in. If this is all the activity you have from these daemons, I'd hazard a guess you haven't been hacked. If you haven't been monitoring your logs regularly, I wouldn't trust their integrity, however. A hacker's first goal is to cover his tracks. Even if you can't find any more traces of intrusion, I recommend a complete reinstall, and this time, secure your box before connecting it to the net.

Regards
Anders

On Thursday 03 May 2001 04:03, Claudio E. Elicker wrote:
> dizzy73 wrote:
>> Post the pertinent info from the log file.
>
> cat /var/log/messages | grep 200.204.201.138 > suspectip.log
>
> It's here:
>
> Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
> Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:32:37 yeh1 in.rlogind[1716]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:32:42 yeh1 rlogind[1716]: Connection from 200.204.201.138 on illegal port
>
> Except for the last 2 lines, this was already included in my original posting.
>
> TIA
> Claudio
Well... to me (and as others have surmised) it looks like you were simply portscanned, not a problem. The list below gives you the services to be disabled in inetd.conf. If you look at the time frames they are all close and sequential. So now you know what to look for.

If you want to make your box more secure, disable services, be sure to have a good password for root and possibly set up a firewall. I think Jerry's idea of the chkrootkit is good (I know he wouldn't steer you wrong) but I've never used it. I think using harden suse is overkill for a dialup box. You have to figure it's going to take someone "some time" to do what they need to do, and if you're on a dialup you get a new IP every time you connect (making it difficult to revisit). You could also try portsentry or even do a script that greps the messages file and mails you when a -connect- is made.

If you really want to test your security hang out on the linux chat rooms <grin>

My opinion is, it's all really in fun and people just experimenting. I mean, on a dialup box what can someone else do? Trash your files? Put your machine in Zombie mode? On a single user system, you unplug the machine from the net and reinstall the bin files from CD. People are just testing the waters. Imagine the rush if the guy got a prompt on a remote box ;-)

I don't think you have anything to worry about, but a lesson for all of us on some tools, what to look for and how to respond.

Oh... another suggestion is to install nmap from the SuSE CD and learn how to use it, you can scan your own box.

have fun
rob

"Claudio E. Elicker" wrote:
> dizzy73 wrote:
>> Post the pertinent info from the log file.
>
> cat /var/log/messages | grep 200.204.201.138 > suspectip.log
>
> It's here:
>
> Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
> Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:32:37 yeh1 in.rlogind[1716]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:32:42 yeh1 rlogind[1716]: Connection from 200.204.201.138 on illegal port
>
> Except for the last 2 lines, this was already included in my original posting.
>
> TIA
> Claudio
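Rob's "script that greps the messages file" and his observation that the connects are "all close and sequential" can be combined into a small detector. The following is an added example, not code from the thread: it parses the tcp_wrappers "connect from" lines, groups them by source address and flags any source that touches several different inetd services within a short window. All but the last sample line are the log lines posted in this thread; the last line is a constructed single connect from another address, and the 60-second window and three-service threshold are assumptions you can tune.

```python
"""Spot "close and sequential" connects from one address in /var/log/messages.

Added example, not code from the thread: it parses tcp_wrappers
"connect from" lines, groups them by source address and flags any
source that touches several distinct inetd services within a short
window, the pattern the thread identifies as a port scan.
"""
import re
from collections import defaultdict
from datetime import datetime

# tcpd logs every accepted connection as, for example:
#   Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
CONNECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<daemon>[\w.]+)\[\d+\]: connect from (?P<src>\S+)"
)

# All but the last line are from the thread's /var/log/messages excerpts;
# the last line is a constructed single connection from another address,
# included to show that an isolated connect is not reported.
SAMPLE_LOG = """\
Apr 29 21:12:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x4 magic=0x28a2c95d]
Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: error: cannot execute /usr/sbin/popper: No such file or directory
Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:32:37 yeh1 in.rlogind[1716]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 22:05:10 yeh1 in.telnetd[1800]: connect from 10.0.0.5 (10.0.0.5)
"""


def parse_connects(text, year=2001):
    """Return a list of (timestamp, daemon, source) for each tcpd connect line.

    syslog omits the year, so the caller supplies it (2001 for the thread).
    """
    events = []
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["daemon"], m["src"]))
    return events


def find_scans(events, window_seconds=60, min_services=3):
    """Map source address -> sorted services it touched, for every source
    that hit at least min_services distinct daemons within window_seconds.

    Several different services within a minute is a scanner walking the
    open ports, not a person logging in to one of them.
    """
    by_src = defaultdict(list)
    for ts, daemon, src in events:
        by_src[src].append((ts, daemon))
    scans = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {d for t, d in hits[i:]
                         if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_services:
                scans[src] = sorted(in_window)
                break
    return scans


def report(text):
    """One line per flagged source, suitable for piping into mail."""
    lines = []
    for src, services in sorted(find_scans(parse_connects(text)).items()):
        lines.append(f"{src}: probable port scan, touched {', '.join(services)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG) or "no scan-like activity found")
```

Run it against a real file with `report(open("/var/log/messages").read())`; the same parse also picks up the "illegal port" and "probable port-scan" lines' neighbours, since those daemons log a "connect from" line first.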
Hmmmm. Sounds like a scan to me, or looking for security holes. Personally, along with shutting down services and removing everything dealing with NFS, I also use the portsentry RPM from Red Hat 6.2 and tune it to Medium. The install script pukes at the end, but it is after it has installed everything (at least on 7.0). That is what I do. :-) Also I agree, download the Root Kit Checker. Just in case.

Chris Brandstetter

"Claudio E. Elicker" wrote:
> dizzy73 wrote:
>> Post the pertinent info from the log file.
>
> cat /var/log/messages | grep 200.204.201.138 > suspectip.log
>
> It's here:
>
> Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
> Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:32:37 yeh1 in.rlogind[1716]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:32:42 yeh1 rlogind[1716]: Connection from 200.204.201.138 on illegal port
>
> Except for the last 2 lines, this was already included in my original posting.
>
> TIA
> Claudio
On May 2, 2001 09:03 pm, Claudio E. Elicker wrote:
> elicker@yeh1:~ > rpm -V psutils
> package psutils is not installed
>
> OK, psutils is not installed yet.

Whoops, that should have been rpm -V ps.

> elicker@yeh1:~ > rpm -V nkitb
> ..?..... /bin/ping6
> ..?..... /usr/sbin/rpc.rstatd
> ..?..... /usr/sbin/timedc
>
> Ouch!!! Is this right?

I think it's normal. The important thing is that it passed the MD5 sum check. On mine, timedc has a question mark. The only difference I can see is in the mtime. Maybe it's returning a '?' because of a subtle reiserfs bug? Either way, I'm not worried about it.

--
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
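The attribute string that rpm -V prints before each file, which James's verification procedure and the nkitb output above both turn on, is documented in rpm(8): a '.' means that test passed, a letter means that attribute differs from the package database, and a '?' means the test could not be performed at all, typically because the file is not readable by the user running rpm -V. A '?' in the digest column is therefore a reason to re-run the check as root, not a pass. The following decoder is an added example, not code from the thread or from rpm; the sample inputs are the thread's own rpm -V runs plus one constructed tampered-binary case, and the verdict names and the config-file filtering are this example's assumptions (the ninth 'P' column and the "missing" marker exist only in later rpm versions).

```python
"""Interpret the output of 'rpm -V <package>'.

Added example, not code from the thread: decodes the attribute string
rpm -V prints before each file (see rpm(8)), separates tests that
failed from tests rpm could not run, and gives a verdict per package.
"""
import re

# Output columns in order.  rpm 3.x (SuSE 6.4 era) prints eight,
# SM5DLUGT; rpm 4.x appends P (capabilities).
COLUMNS = "SM5DLUGTP"
TESTS = {"S": "size", "M": "mode", "5": "MD5 digest", "D": "device number",
         "L": "symlink target", "U": "user", "G": "group", "T": "mtime",
         "P": "capabilities"}

# "<attrs> [<file type>] <path>", e.g. "..?..... /bin/ping6" or
# "S.5....T c /etc/inetd.conf"; a deleted file prints "missing".
LINE_RE = re.compile(r"^(?P<attrs>[SM5DLUGTP.?]{8,9}|missing)\s+"
                     r"(?:(?P<ftype>[cdglr]) +)?(?P<path>/\S+)$")

# From the thread: 'rpm -V nkitb' run as an ordinary user, and the
# 'rpm -V psutils' attempt with the wrong package name.
NKITB_OUTPUT = "..?..... /bin/ping6\n..?..... /usr/sbin/rpc.rstatd\n..?..... /usr/sbin/timedc\n"
PSUTILS_OUTPUT = "package psutils is not installed\n"
# Constructed: a replaced binary next to a locally edited config file.
TAMPERED_OUTPUT = "S.5....T /bin/ls\nS.5....T c /etc/inetd.conf\n"

# On config files (type c) size, digest and mtime change whenever the
# admin edits them, so they are not evidence of tampering.
CONFIG_NOISE = {"size", "MD5 digest", "mtime"}


def parse_verify_line(line):
    """Decode one per-file line; None for anything else (headers, deps)."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    attrs = m["attrs"]
    rec = {"path": m["path"], "ftype": m["ftype"],
           "missing": attrs == "missing", "failed": [], "unverified": []}
    if not rec["missing"]:
        for col, ch in zip(COLUMNS, attrs):
            if ch == "?":      # test could not be run, e.g. file unreadable
                rec["unverified"].append(TESTS[col])
            elif ch == col:    # test ran and the attribute differs
                rec["failed"].append(TESTS[col])
    return rec


def assess(output):
    """Summarise one rpm -V run as (verdict, details).

    verdict: 'not-installed', 'clean', 'unverified' (only '?' results;
    re-run as root before trusting it) or 'changed' (a non-config file
    differs from the package or is missing).
    """
    details, changed, unverified = [], False, False
    for line in output.splitlines():
        if line.startswith("package ") and line.endswith(" is not installed"):
            return "not-installed", [line]
        rec = parse_verify_line(line)
        if rec is None:
            continue
        if rec["missing"]:
            changed = True
            details.append(f"{rec['path']}: missing")
            continue
        failed = [t for t in rec["failed"]
                  if not (rec["ftype"] == "c" and t in CONFIG_NOISE)]
        if failed:
            changed = True
            details.append(f"{rec['path']}: {', '.join(failed)} differ")
        if rec["unverified"]:
            unverified = True
            details.append(f"{rec['path']}: {', '.join(rec['unverified'])}"
                           " not checked (re-run as root)")
    if changed:
        return "changed", details
    if unverified:
        return "unverified", details
    return "clean", details
```

Feed it the captured output of `rpm -V <package>` (or of `rpm -Va` split per package) and act on 'changed' first; 'unverified' simply means the run did not have enough privilege to decide.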
Is the machine on line all the time? If so, then you really should have precautions such as a firewall, applying harden suse and, as Nick Z suggested, editing the necessary files (removing unnecessary services that would appear running on your machine).

If the machine is not on all the time the risk is greatly minimised (still a good idea to edit the suggested files though), although probably not necessary to run harden suse as that just really locks down your machine (unnecessarily so).

popper is a mail program that 'pops' (post office protocol) mails.

Initially it looked suspicious (from Brazil), however I see you are from Brazil... could this be your ISP ;-)

I would suggest you try this:

cat /var/log/messages |grep 200.204.201.138 >suspectip.log

and post it to the list. My guess is this is your ISP.

rob

Here is the lookup info.

btw - you have a funky mail address --> @w3.nh.conex.com.br

##########################################
RNP (Brazilian Research Network) (NETBLK-BRAZIL-BLK2)
These addresses have been further assigned to Brazilian users. Contact information can be found at the WHOIS server located at whois.registro.br and at http://whois.nic.br
BR
Netname: BRAZIL-BLK2
Netblock: 200.128.0.0 - 200.255.255.255
Maintainer: RNP
Coordinator:
Gomide, Alberto Courrege (ACG8-ARIN) gomide@nic.br
+55 19 9119-0304 (FAX) +55 19 9119-0304
Domain System inverse mapping provided by:
NS.DNS.BR 143.108.23.2
NS1.DNS.BR 200.255.253.234
NS2.DNS.BR 200.19.119.99
Record last updated on 11-Apr-2001.
Database last updated on 1-May-2001 22:46:49 EDT.
#########################################################
and
Tracing route to 200.204.201.138 over a maximum of 30 hops
#########################################################

elicker@email.com wrote:
> I never bothered to look at the /var/log/messages file until now.
> Just by curiosity I was browsing the file and I saw the excerpt that follows.
> It seems that someone at 200.204.201.138 was trying to break into my computer.
> My box is a minimal SuSE 6.4 with KDE2, apache and samba added. No special security measures were taken.
> As I know nothing about security I am looking for some advice.
> Did this guy at 200.204.201.138 succeed? Was I hacked?
> What is "popper"? AFAIK there is nothing in my box with this name.
> Thanks a lot for any advice.
> Claudio
>
> --------------------------------
> /var/log/messages
> ---big snip---
> Apr 29 21:12:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x4 magic=0x28a2c95d]
> Apr 29 21:12:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x4 magic=0x0]
> Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:34 yeh1 popper[1640]: error: cannot execute /usr/sbin/popper: No such file or directory
> Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
> Apr 29 21:12:50 yeh1 pppd[1608]: sent [LCP EchoReq id=0x5 magic=0x28a2c95d]
> Apr 29 21:12:50 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x5 magic=0x0]
> Apr 29 21:12:51 yeh1 fingerd[1641]: Client hung up - probable port-scan
> Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:13:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x6 magic=0x28a2c95d]
> Apr 29 21:13:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x6 magic=0x0]
> Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
> Apr 29 21:13:50 yeh1 pppd[1608]: sent [LCP EchoReq id=0x7 magic=0x28a2c95d]
> Apr 29 21:13:50 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x7 magic=0x0]
> Apr 29 21:13:52 yeh1 telnetd[1648]: ttloop: read: Connection reset by peer
> Apr 29 21:14:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0x8 magic=0x28a2c95d]
> Apr 29 21:14:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x8 magic=0x0]
> Apr 29 21:14:24 yeh1 telnetd[1638]: ttloop: peer died: EOF
> Apr 29 21:14:50 yeh1 pppd[1608]: sent [LCP EchoReq id=0x9 magic=0x28a2c95d]
> Apr 29 21:14:50 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0x9 magic=0x0]
> Apr 29 21:15:20 yeh1 pppd[1608]: sent [LCP EchoReq id=0xa magic=0x28a2c95d]
> Apr 29 21:15:20 yeh1 pppd[1608]: rcvd [LCP EchoRep id=0xa magic=0x0]
> ---big snip---
dizzy73 wrote:
> Is the machine on line all the time? If so, then you really should have precautions such as a firewall, applying harden suse and, as Nick Z suggested, editing the necessary files (removing unnecessary services that would appear running on your machine).
> If the machine is not on all the time the risk is greatly minimised (still a good idea to edit the suggested files though), although probably not necessary to run harden suse as that just really locks down your machine (unnecessarily so).

The machine is a dial-up box. This issue happened last Sunday when I was on line, downloading KDE2, almost the whole day. It seems that I left the front door open for too much time... (By the way, KDE2 is pretty cool.) So, I will follow your advice and install harden_suse and close some ports.

> popper is a mail program that 'pops' (post office protocol) mails.
> Initially it looked suspicious (from Brazil), however I see you are from Brazil... could this be your ISP ;-)

Yes, I'm from Brazil.

> I would suggest you try this: cat /var/log/messages |grep 200.204.201.138 >suspectip.log and post it to the list. My guess is this is your ISP.

No, my ISP is 200.248.something (I don't remember now), and the "attack" came from 200.204.201.138. I did some searching and found that this IP is assigned to a *big* phone company located very far from my home town. Maybe it was someone in a dial-up box trying to get some more scalps.

[]'s
Claudio

> btw - you have a funky mail address --> @w3.nh.conex.com.br

Oh, this was a mistake in the Netscape configuration. I hope it is fixed now.