Well... to me (and as others have surmised) it looks like you were simply portscanned, not a problem. The list below gives you the services to be disabled in inetd.conf. If you look at the time frames they are all close and sequential. So now you know what to look for.

If you want to make your box more secure by disabling services, be sure to have a good password for root and possibly set up a firewall. I think Jerry's idea of chkrootkit is good (I know he wouldn't steer you wrong), but I've never used it. I think using harden_suse is overkill for a dialup box. You have to figure it's going to take someone "some time" to do what they need to do, and if you're on a dialup you get a new IP every time you connect (making it difficult to revisit). You could also try PortSentry, or even do a script that greps the messages file and mails you when a -connect- is made.

If you really want to test your security, hang out in the Linux chat rooms <grin>. My opinion is, it's all really in fun and people are just experimenting. I mean, on a dialup box what can someone else do? Trash your files? Put your machine in zombie mode? On a single-user system, you unplug the machine from the net and reinstall the bin files from CD. People are just testing the waters. Imagine the rush if the guy got a prompt on a remote box ;-)

I don't think you have anything to worry about, but it's a lesson for all of us on some tools, what to look for and how to respond.

Oh... another suggestion is to install nmap from the SuSE CD and learn how to use it; you can scan your own box.

Have fun,
rob

"Claudio E. Elicker" wrote:
dizzy73 wrote:
post the pertinent info from the log file
grep -F '200.204.201.138' /var/log/messages > suspectip.log
It's here:
Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:32:37 yeh1 in.rlogind[1716]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:32:42 yeh1 rlogind[1716]: Connection from 200.204.201.138 on illegal port
Except for the last 2 lines, this was already included in my original posting.
TIA Claudio
--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/support/faq
and the archives at http://lists.suse.com
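The point rob makes about the time stamps (one source IP hitting telnet, pop, ftp, finger, rsh and rlogin within about half a minute) is what distinguishes a scan from a stray connection, and his suggestion of a script that greps the messages file for connects is the natural place to automate that. The script below is an added example for this thread, not code from any of the posters or from SuSE: it parses tcpd-style `connect from` lines, groups them by source IP, slides a time window over each IP's connects and flags any IP that reached several distinct services inside the window. The 60-second window, the 3-service threshold, the year 2001 (syslog omits the year) and the daemon-to-inetd.conf service-name table are assumptions; the sample input is the log quoted in Claudio's post, reproduced verbatim.

```python
"""Flag a port scan in inetd/tcpd 'connect from' syslog lines.

Added example for this thread, not code from the original posts.
"""
import re
from collections import defaultdict
from datetime import datetime

# Shape of the lines in the post, e.g.
#   Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
# The rshd/rlogind 'Connection from ... on illegal port' lines do not match
# this pattern and are deliberately skipped.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<daemon>[\w.-]+)\[\d+\]: connect from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Sample input: the ten lines quoted in the thread, verbatim.
SAMPLE_LOG = """\
Apr 29 21:12:31 yeh1 in.telnetd[1638]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:34 yeh1 popper[1640]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:37 yeh1 in.ftpd[1644]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:38 yeh1 in.fingerd[1641]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 in.rshd[1639]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:12:41 yeh1 rshd[1639]: Connection from 200.204.201.138 on illegal port
Apr 29 21:12:57 yeh1 in.rlogind[1647]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:13:42 yeh1 in.telnetd[1648]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:32:37 yeh1 in.rlogind[1716]: connect from 200.204.201.138 (200.204.201.138)
Apr 29 21:32:42 yeh1 rlogind[1716]: Connection from 200.204.201.138 on illegal port
"""

# Assumed mapping from daemon name to the conventional inetd.conf service
# name, so the report can say which lines to comment out. Check it against
# your own inetd.conf before acting on it.
INETD_SERVICE = {
    "in.telnetd": "telnet",
    "in.ftpd": "ftp",
    "in.fingerd": "finger",
    "in.rshd": "shell",
    "in.rlogind": "login",
    "popper": "pop3",
}


def parse_connects(text, year=2001):
    """Return [(timestamp, ip, daemon)] sorted by time.

    syslog lines carry no year, so one is supplied (assumption: 2001)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["ip"], m["daemon"]))
    events.sort()
    return events


def find_scans(events, window_seconds=60, min_services=3):
    """Slide a window over each IP's connects and keep the window with the
    most distinct daemons. IPs reaching min_services are returned as
    {ip: {"first": ts, "last": ts, "daemons": [sorted names]}}."""
    by_ip = defaultdict(list)
    for ts, ip, daemon in events:
        by_ip[ip].append((ts, daemon))

    scans = {}
    for ip, hits in by_ip.items():
        best = None
        start = 0
        for end in range(len(hits)):
            # Advance 'start' until hits[start:end+1] fits in the window.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            daemons = {d for _, d in hits[start:end + 1]}
            if best is None or len(daemons) > len(best["daemons"]):
                best = {"first": hits[start][0], "last": hits[end][0],
                        "daemons": sorted(daemons)}
        if best and len(best["daemons"]) >= min_services:
            scans[ip] = best
    return scans


def inetd_lines_to_disable(scan):
    """Map the daemons a scanner probed to inetd.conf service names."""
    return sorted(INETD_SERVICE.get(d, d) for d in scan["daemons"])


if __name__ == "__main__":
    scans = find_scans(parse_connects(SAMPLE_LOG))
    for ip, s in scans.items():
        span = (s["last"] - s["first"]).total_seconds()
        print(f"{ip}: {len(s['daemons'])} services in {span:.0f}s "
              f"({s['first']:%b %d %H:%M:%S} .. {s['last']:%H:%M:%S})")
        print("  inetd.conf services to disable if unused:",
              ", ".join(inetd_lines_to_disable(s)))
```

Run against the quoted log it reports a single source, 200.204.201.138, touching six distinct services in 26 seconds, and lists telnet, ftp, finger, shell, login and pop3 as the inetd.conf entries to comment out if you do not need them. Pointing `parse_connects` at the contents of /var/log/messages from a cron job and piping the printed report to `mail` gives the alert script rob describes; raise `min_services` if legitimate multi-service clients on your network trip it.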