Is someone trying to crack into my system? I would prefer to think not, but I have a sinking feeling this is not the case (I would prefer to be paranoid rather than a zombie).

From the log file:

2550:Aug 17:53:22 Crusher-1 lpd[955]: connection from root@211.196.186.152
2551:Aug 17:53:24 Crusher-1 in.telnetd[6650]: connect from root@211.196.186.152 (211.196.186.152)
2552:Aug 17:53:24 Crusher-1 in.telnetd[6650]: cannot execute /usr/bin/in.telnetd: no such file or directory
2551:Aug 17:59:00 Crusher-1 -- MARK --
2551:Aug 17:59:00 Crusher-1 -- MARK --

Traceroute gives the end source as follows; I am unsure of the domain/location of origin:

211.196.186.152 domain@ns.kornet.net 413 ms 424 ms 403 ms

2554:Aug 17 16:59:12 Crusher-1 lpd[955]: connection from root@202.106.134.28
2555:Aug 17 16:59:13 Crusher-1 in.telnetd[6550]: connect from root@202.103.134.28 (202.103.134.28)
2555:Aug 17 16:59:13 Crusher-1 in.telnetd[6550]: error: cannot execute /usr/bin/in.telnetd: no such file or directory

Traceroute gives the end source as being in China:

202.106.134.28 root@ns.bta.net.cn 380 ms 391 ms 411 ms

So, since I have no telnet to exploit, I am assuming that this attempt was unsuccessful? I am a novice, but according to my understanding (and I could be completely in error) someone is trying to gain access to my system via telnet?

Any comments or information would be greatly appreciated.

TIA, Curtis
On Sat, 17 Aug 2002 21:01:38 -0500, Curtis Rey wrote:

> Is someone trying to crack into my system? I would prefer to think not, but I have a sinking feeling this is not the case (I would prefer to be paranoid rather than a zombie).
>
> From the log file:
>
> 2550:Aug 17:53:22 Crusher-1 lpd[955]: connection from root@211.196.186.152
> 2551:Aug 17:53:24 Crusher-1 in.telnetd[6650]: connect from root@211.196.186.152 (211.196.186.152)
> 2552:Aug 17:53:24 Crusher-1 in.telnetd[6650]: cannot execute /usr/bin/in.telnetd: no such file or directory
> 2551:Aug 17:59:00 Crusher-1 -- MARK --
> 2551:Aug 17:59:00 Crusher-1 -- MARK --
>
> Any comments or information would be greatly appreciated.
My thoughts? Sounds like the guy is port scanning you.

Drop telnet and lpd requests at your firewall. Remove telnet and 25 from FW_SERVICES_EXT_TCP in your firewall2.rc.config. Do the same for lpd unless you need network printing. Comment out the line for telnet in your /etc/inetd.conf. Put 211.196.186.152 in your /etc/hosts.deny file. Use ssh for all outside connections.

-- 
use Perl; #powerful programmable prestidigitation
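An added example, not code from either post, that does over log lines like Curtis's the check zentara's reply implies, and then produces the two configuration changes the reply asks for. It pairs each "connect from" line with a later "cannot execute" error carrying the same program name and PID, reports per source IP which services were probed and whether a daemon actually ran, and emits the /etc/hosts.deny entries and the commented-out telnet line for /etc/inetd.conf. The syslog layout it parses, the sample log lines (constructed, with day numbers added where the posted lines lack them) and the inetd.conf fragment are assumptions, not taken from the page.

```python
"""Added example, not code from the original thread: classify the kind of
inetd / tcp_wrappers log lines Curtis posted and derive the hardening bits
zentara suggests (hosts.deny entries, telnet commented out of inetd.conf).

Assumptions (not from the page): the syslog line layout below, and that a
"cannot execute" error carrying the same program name and PID as a
"connect from" line refers to that same connection attempt.
"""
import re
from collections import defaultdict

# Syslog layout assumed here:  [NNNN:]Mon DD HH:MM:SS host prog[pid]: message
# The optional "NNNN:" is the grep -n prefix visible in the post.
SYSLOG_RE = re.compile(
    r"^(?:\d+:)?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<prog>[\w.\-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# lpd logs "connection from user@ip"; tcpd logs "connect from user@ip (ip)".
# The user part comes from an ident (RFC 1413) lookup answered by the remote
# host, so "root" is whatever the other side chose to claim.
CONNECT_RE = re.compile(
    r"connect(?:ion)? from (?P<user>[^@\s]+)@(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
NOEXEC_RE = re.compile(r"cannot execute (?P<path>\S+): no such file or directory", re.I)


def parse_line(line):
    """Return the fields of one syslog line, or None for lines such as '-- MARK --'."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Group connection attempts by source IP.

    Returns {ip: {prog: outcome}}, where outcome is
      "not installed" if inetd then failed to exec the daemon for that PID
                      (the probe found nothing to talk to), or
      "accepted"      if the daemon ran (lpd here), so its own behaviour is
                      what matters next.
    """
    pending = {}                 # (host, prog, pid) -> source ip
    by_ip = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["host"], rec["prog"], rec["pid"])
        c = CONNECT_RE.search(rec["msg"])
        if c:
            pending[key] = c.group("ip")
            by_ip[c.group("ip")].setdefault(rec["prog"], "accepted")
        elif NOEXEC_RE.search(rec["msg"]) and key in pending:
            by_ip[pending[key]][rec["prog"]] = "not installed"
    return dict(by_ip)


def hosts_deny_entries(summary):
    """tcp_wrappers /etc/hosts.deny lines for every source seen probing."""
    return ["ALL: %s" % ip for ip in sorted(summary)]


def disable_inetd_services(inetd_conf, services):
    """Comment out the inetd.conf entries for the given service names."""
    out = []
    for line in inetd_conf.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and fields[0] in services:
            out.append("# " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample input, modelled on the lines in the post (day numbers
# added so they match the layout above; the posted lines lack them).
SAMPLE_LINES = [
    "2550:Aug 17 17:53:22 Crusher-1 lpd[955]: connection from root@211.196.186.152",
    "2551:Aug 17 17:53:24 Crusher-1 in.telnetd[6650]: connect from root@211.196.186.152 (211.196.186.152)",
    "2552:Aug 17 17:53:24 Crusher-1 in.telnetd[6650]: cannot execute /usr/bin/in.telnetd: no such file or directory",
    "2553:Aug 17 17:59:00 Crusher-1 -- MARK --",
    "2554:Aug 17 16:59:12 Crusher-1 lpd[955]: connection from root@202.106.134.28",
    "2555:Aug 17 16:59:13 Crusher-1 in.telnetd[6550]: connect from root@202.106.134.28 (202.106.134.28)",
    "2556:Aug 17 16:59:13 Crusher-1 in.telnetd[6550]: error: cannot execute /usr/bin/in.telnetd: no such file or directory",
]

# Constructed inetd.conf fragment (hypothetical, not from the page).
SAMPLE_INETD_CONF = """\
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
# finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for ip, services in sorted(summary.items()):
        for prog, outcome in sorted(services.items()):
            print("%-16s %-12s %s" % (ip, prog, outcome))
    print("\n".join(hosts_deny_entries(summary)))
    print(disable_inetd_services(SAMPLE_INETD_CONF, {"telnet"}), end="")
```

Two caveats for anyone reusing this: the "root@" in the log says nothing reliable about who connected, since tcpd fills that field from an ident query answered by the remote host; and an /etc/hosts.deny entry only affects services that go through tcpd or a libwrap-linked daemon, so the firewall rule in zentara's first step is the part that actually keeps the packets out. Deny-listing individual addresses is also a losing game against a scanner that comes from a different network every time; the usual tcp_wrappers setting is a default-deny (`ALL: ALL` in hosts.deny) with the few permitted sources listed in hosts.allow.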
participants (2)
-
Curtis Rey
-
zentara