RE: What do these log entries mean?
From: Jon Pastore (jpastore_at_idetech.net)
Date: 04/30/03
- Previous message: C.W.L. Hoogenboezem: "RE: What do these log entries mean?"
- In reply to: Philip Mak: "What do these log entries mean?"
- Next in thread: Zac Amsler: "RE: What do these log entries mean?"
- Reply: Zac Amsler: "RE: What do these log entries mean?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <security-discuss@linuxsecurity.com>
Date: Wed, 30 Apr 2003 11:14:49 -0400
I'm really not the most qualified to be answering this, but if I had to
take a wild stab at it I would say there is a trojan or something
running, either enabling telnetd as needed or running as telnetd, but
that would be stupid, since if I were going to write a trojan I wouldn't
let it log. Is there really even a reason for you to have xinetd
running (assuming you are running Linux; not sure how everyone else has
it... I guess inetd?)? There could be some exploit for inetd or xinetd
that allows a remote attacker to enable the transient service.
Also, would it hurt to make nobody's shell /bin/false? For that matter,
any user account that does not really need to log in? Aren't most of
those accounts for services to run as? I don't think they need shells...
Do you have any kind of IDS running? Snort maybe? I would also try
scanning with nessus from an untrusted source. A friend of mine suggested
to me (before we got our WatchGuard box) to use portsentry and iptables
and leave something harmless listening on a known port that would get
scanned. Anyone who is supposed to interface with this box wouldn't go
to this suspect port, and if you did, portsentry would (I think this is
how it works... I should really read up on this stuff before replying...)
add entries to iptables blocking that IP/range...
I hope this helps...
Jon Pastore, President
IDE Tech, Inc.
(954) 360-0393 Office
(954) 428-0442 Fax
jpastore@idetech.net
-----Original Message-----
From: security-discuss-bounce@linuxsecurity.com
[mailto:security-discuss-bounce@linuxsecurity.com] On Behalf Of Philip
Mak
Sent: Tuesday, April 29, 2003 10:01 PM
To: security-discuss@linuxsecurity.com
Subject: What do these log entries mean?
Apr 29 17:37:08 lina telnetd[15972]: Connect from 200.163.59.156
Apr 29 17:37:09 lina telnetd[15972]: ttloop: retrying
Apr 29 17:37:09 lina last message repeated 1474 times
That was in /var/log/messages. Then at 17:37:10, there was an
unauthorized login to the "nobody" account.
Also:
Apr 29 16:52:54 lina telnetd[5427]: Connect from 200.163.59.156
Apr 29 16:52:58 lina telnetd[5427]: ttloop: retrying
Apr 29 16:52:59 lina last message repeated 28989 times
And there was an unauthorized login to "nobody" at 16:53:00 too.
And I don't have telnet enabled on my server (I tried telnetting to
double-check, and got Connection refused as expected), so I'm confused
as to why it says "telnetd". Anyone have an idea how he's getting into
my server?
------------------------------------------------------------------------
To unsubscribe email security-discuss-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
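Added example (not from this thread or any of its posters): a small Python script that does the two checks the thread circles around from a defender's side. It parses classic syslog lines like the ones Philip quoted, folds "last message repeated N times" into a count, and flags a burst of telnetd "ttloop: retrying" followed within a few seconds by a login to a service account such as "nobody"; it also audits /etc/passwd-style entries for service accounts that still have an interactive shell, which is Jon's /bin/false suggestion turned into a check. The sample log and passwd lines are constructed; the login line wording, the 2003 year, the 100-retry threshold and the 5-second window are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the two excerpts in the thread. The login
# lines use the classic login(1) syslog wording and are an assumption.
SAMPLE_LOG = """\
Apr 29 16:52:54 lina telnetd[5427]: Connect from 200.163.59.156
Apr 29 16:52:58 lina telnetd[5427]: ttloop: retrying
Apr 29 16:52:59 lina last message repeated 28989 times
Apr 29 16:53:00 lina login[5430]: LOGIN ON pts/1 BY nobody FROM 200.163.59.156
Apr 29 17:37:08 lina telnetd[15972]: Connect from 200.163.59.156
Apr 29 17:37:09 lina telnetd[15972]: ttloop: retrying
Apr 29 17:37:09 lina last message repeated 1474 times
Apr 29 17:37:10 lina login[15975]: LOGIN ON pts/2 BY nobody FROM 200.163.59.156
Apr 29 18:00:00 lina sshd[16001]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2
"""

# Either "prog[pid]: message" or the syslogd "last message repeated N times" line.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)"
    r"|last message repeated (?P<n>\d+) times)$"
)
LOGIN_RE = re.compile(r"LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<src>\S+)")
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_syslog(text, year=2003):
    """Parse syslog lines into event dicts. Syslog has no year, so one is
    supplied (assumed 2003 here). 'last message repeated N times' is folded
    into the preceding event's count instead of being expanded N times."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        if m.group("n") is not None:
            if events:
                events[-1]["count"] += int(m.group("n"))
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m.group("host"), "prog": m.group("prog"),
                       "pid": m.group("pid"), "msg": m.group("msg"), "count": 1})
    return events


def connect_source(events, pid):
    """Return the peer address from the 'Connect from' line of a telnetd pid."""
    for e in events:
        if e["prog"] == "telnetd" and e["pid"] == pid and e["msg"].startswith("Connect from "):
            return e["msg"].split()[-1]
    return None


def find_suspicious_logins(events, retry_threshold=100, window=timedelta(seconds=5),
                           service_accounts=("nobody",)):
    """Flag a telnetd 'ttloop: retrying' burst of at least retry_threshold
    repeats that is followed, within window, by a login to a service account."""
    bursts = [e for e in events if e["prog"] == "telnetd"
              and e["msg"].startswith("ttloop") and e["count"] >= retry_threshold]
    alerts = []
    for e in events:
        if e["prog"] != "login":
            continue
        m = LOGIN_RE.search(e["msg"])
        if not m or m.group("user") not in service_accounts:
            continue
        for b in bursts:
            if timedelta(0) <= e["ts"] - b["ts"] <= window:
                alerts.append({"time": e["ts"], "user": m.group("user"),
                               "src": m.group("src"), "telnetd_pid": b["pid"],
                               "telnetd_src": connect_source(events, b["pid"]),
                               "retries": b["count"]})
                break
    return alerts


# Constructed /etc/passwd-style sample for the shell audit.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
www-data:x:33:33:www-data:/var/www:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def service_accounts_with_shells(passwd_text, max_system_uid=999):
    """List non-root system accounts (uid <= max_system_uid or the nobody
    range >= 65534) whose shell is not a known no-login shell."""
    flagged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        is_system = uid <= max_system_uid or uid >= 65534
        if name != "root" and is_system and shell not in NOLOGIN_SHELLS:
            flagged.append((name, shell))
    return flagged


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG)
    for a in find_suspicious_logins(evs):
        print(f"{a['time']} login to {a['user']} from {a['src']} after "
              f"{a['retries']} ttloop retries (telnetd pid {a['telnetd_pid']})")
    for name, shell in service_accounts_with_shells(SAMPLE_PASSWD):
        print(f"service account {name} has interactive shell {shell}")
```

Run it as-is to see both sample incidents flagged and "daemon" and "nobody" reported for still having /bin/sh; point `parse_syslog` at the real /var/log/messages text and `service_accounts_with_shells` at /etc/passwd to use it on a box. The repeat folding matters: expanding 28989 repeats into events would be wasteful, and the count on the single event is what the threshold compares against.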