post the pertinant info from the log file rob "Claudio E. Elicker" wrote:

James Oakley wrote:

...

- - - type 'rpm -V psutils' and pray that it outputs nothing. If it spits filenames at you, the box probably has a rootkit installed and you should immediately back up your data and reinstall

without a doubt he was trying to conect , run last to see if you see strange names On Wed, 02 May 2001 23:03:54 -0300 "Claudio E. Elicker" wrote:

dizzy73 wrote:

...

post the pertinant info from the log file

cat /var/log/messages | grep 200.204.201.138 > suspectip.log

It's here:

Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:32:37 yeh1 in.rlogind[1716]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:32:42 yeh1 rlogind[1716]: Connection from 200.204.201.138 on illegal port

Except for the last 2 lines, this was already included in my original posting.

TIA Claudio

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com

-- SuSe 7.0 Linux 2.4.2 i686 Wed May 2 22:05:00 EDT 2001

well... to me (and as others have surmised) looks like you were simply portscanned, not a problem. The list below gives you the services to be disabled in inetd.conf. If you look at the time frames they are all close and sequential. So now you know what to look for. you want to make your box more secure by disabling services, be sure to have a good password for root and possibly setup a fire wall. I think Jerries idea of the chkrootkit is good (I know he wouldnt steer you wrong) but Ive never used it. I think using harden suse is overkill for a dialup box. You have to figgure its going to take someone "some time" to do what they need to do and if you're on a dialup you get a new ip everytime you connect (making it difficult) to revisit. you could also try the port sentry or even do a script that greps the message file and mails you when a -connect- is make. If you really want to test your security hang out on the linux chat rooms <grin> My opinion is, its all really in fun and people just experiminting I mean on a dialup box what can someone else do ? trash your files? Put your machine in Zombie mode? On a single user system, you unplug the machine from the net and reinstall the bin files from cd. People are just testing the waters. Imagine the rush if the guy got a prompt on a remote box ;-) I dont think you have anything to worry about, but a lesson for all of us on some tools, what to look for and how to respond Oh... another suggestion is to install nmap from the suse cd and learn how to use it, you can scan your own box. have fun rob "Claudio E. Elicker" wrote:

dizzy73 wrote:

...

post the pertinant info from the log file

cat /var/log/messages | grep 200.204.201.138 > suspectip.log

It's here:

Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:32:37 yeh1 in.rlogind[1716]: connect from 200.204.201.138 (200.204.201.138) Apr 29 21:32:42 yeh1 rlogind[1716]: Connection from 200.204.201.138 on illegal port

Except for the last 2 lines, this was already included in my original posting.

TIA Claudio

-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On May 2, 2001 09:03 pm, Claudio E. Elicker wrote:

elicker@yeh1:~ > rpm -V psutils package psutils is not installed OK, psutils is not installed yet.

Whoops, that should have been rpm -V ps.

elicker@yeh1:~ > rpm -V nkitb ..?..... /bin/ping6 ..?..... /usr/sbin/rpc.rstatd ..?..... /usr/sbin/timedc Ouch!!! Is this right?

I think it's normal. The important thing is that it passed the MD5 sum check. On mine, timedc has a question mark. The only difference I can see is in the mtime. Maybe it's returning a '?' because of a subtle reiserfs bug? Either way, I'm not worried about it. - -- James Oakley Engineering - SolutionInc Ltd. joakley@solutioninc.com http://www.solutioninc.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE68WnD+FOexA3koIgRAulOAKCadtQ30teiqbaM9U8/s25MIb/DxACfc0LC rTsipV0PZsBaFr2jT/AtM0w= =QFwu -----END PGP SIGNATURE-----

dizzy73 wrote:

Is the machine on line all the time? If so, then you really should have precautions such as a firewall applying harden suse and as Nick Z suggested edting necessary files (removing un necessary services that would appear running on your machine)

If the machine is not on all the time the risk is greatly minimised (still a good idea to edit the suggested files though) although probably not necessary to run the harden suse as that just really locks down your machine (un necesarillly so)

The machine is a dial-up box. This issue happens last sunday when I was on line, downloading KDE2, almost the whole day. It seems that I left open the front door for too much time... (By the way, KDE2 is pretty cool) So, I will follow your advice and install hardsuse and close some ports.

popper is a mail program that 'pops" (post office protocol) mails

initially it looked suspicious (from brazil) however I see you are from brazil... could this be your isp ;-)

Yes, I'm from Brazil.

I would suggest you try this cat /var/log/messages |grep 200.204.201.138 >suspectip.log and post it to the list my guess is this is your isp

No, my isp is 200.248.something (I don't remember now), and the "attack" came from 200.204.201.138 I did some search and found that this ip is assigned to a *big* phone company located very far from my home town. Maybe it was someone in a dial-up box trying to get some more scalps. []'s Claudio

btw - you have a funky mail address --> @w3.nh.conex.com.br

Oh, this was a mistake in Netscape configuration. I hope it is fixed now.