RE: What do these log entries mean?

From: Zac Amsler (zamsler_at_cshsi.com)
Date: 04/30/03

    To: security-discuss@linuxsecurity.com
    Date: 30 Apr 2003 09:25:11 -0500
    
    

    I agree with running portsentry, but be very careful when setting it
    up. Make sure you can get back into your machine. I have had issues with
    this in older versions of portsentry. I had to add IPs into the
    host.allow file, and make sure they were set up correctly in the config
    file for portsentry.

    Also, I would suggest that you do some research on the person scanning
    you, and send the admin of the originating box an e-mail. This usually
    deters would-be hackers.

    Have a good one,

    Zac

    -- 
    -----------------------------------------
    Zac Amsler
    WNOC.COM
    Direct: (612) 605-5622
    http://www.wnoc.com
    On Wed, 2003-04-30 at 10:14, Jon Pastore wrote:
    > I'm really not the most qualified to be answering this, but if I had to
    > take a wild stab at this I would say there is a trojan or something
    > running, either enabling telnetd as needed, or running as telnetd, but
    > that would be stupid since if I were going to write a trojan I wouldn't
    > let it log.  Is there really even a reason for you to have xinetd
    > running (assuming you are running Linux; not sure how everyone else has
    > it... I guess inetd?)?  There could be some exploit for inetd or xinetd
    > allowing a remote attacker to enable the transient service.
    > 
    > Also would it hurt to make nobody's shell /bin/false? For that matter
    > any user account that does not really need to login?  Aren't most of
    > those accounts for service to run as?  I don't think they need shells...
    > 
    > Do you have any kind of IDS running? Snort maybe?  I would also, from an
    > untrusted source, try scanning with nessus. A friend of mine suggested to
    > me (before we got our WatchGuard box) to use portsentry and iptables
    > and leave something harmless listening on a known port that would get
    > scanned.  Anyone who is supposed to interface with this box wouldn't go
    > to this suspect port, and if you did, portsentry would (I think this is
    > how it works... I should really read up on this stuff before replying...)
    > add entries to iptables blocking that ip/range...
    > 
    > I hope this helps...
    > 
    > 
    > Jon Pastore, President
    > IDE Tech, Inc.
    > (954) 360-0393 Office
    > (954) 428-0442 Fax
    > jpastore@idetech.net
    > 
    > 
    > -----Original Message-----
    > From: security-discuss-bounce@linuxsecurity.com
    > [mailto:security-discuss-bounce@linuxsecurity.com] On Behalf Of Philip
    > Mak
    > Sent: Tuesday, April 29, 2003 10:01 PM
    > To: security-discuss@linuxsecurity.com
    > Subject: What do these log entries mean?
    > 
    > 
    > Apr 29 17:37:08 lina telnetd[15972]: Connect from 200.163.59.156
    > Apr 29 17:37:09 lina telnetd[15972]: ttloop: retrying
    > Apr 29 17:37:09 lina last message repeated 1474 times
    > 
    > That was in /var/log/messages. Then at 17:37:10, there was an
    > unauthorized login to the "nobody" account.
    > 
    > Also:
    > 
    > Apr 29 16:52:54 lina telnetd[5427]: Connect from 200.163.59.156
    > Apr 29 16:52:58 lina telnetd[5427]: ttloop: retrying
    > Apr 29 16:52:59 lina last message repeated 28989 times
    > 
    > And there was an unauthorized login to "nobody" at 16:53:00 too.
    > 
    > And I don't have telnet enabled on my server (I tried telnetting to
    > double-check, and got Connection refused as expected), so I'm confused
    > as to why it says "telnetd". Anyone have an idea how he's getting in to
    > my server?
    ------------------------------------------------------------------------
         To unsubscribe email security-discuss-request@linuxsecurity.com
             with "unsubscribe" in the subject of the message.
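As an added example (not written by any of the posters in this thread), a small Python check over the syslog lines Philip quoted: it ties each telnetd PID back to the address in its "Connect from" line and expands syslog's "last message repeated N times" collapsing, so a burst of ttloop retries can be attributed to a single source. The regexes and the alert threshold are assumptions about the syslog format shown above, not part of the original posts.

```python
import re
from collections import defaultdict

# Constructed sample, assembled from the log lines quoted in the thread.
SAMPLE_LOG = """\
Apr 29 16:52:54 lina telnetd[5427]: Connect from 200.163.59.156
Apr 29 16:52:58 lina telnetd[5427]: ttloop: retrying
Apr 29 16:52:59 lina last message repeated 28989 times
Apr 29 17:37:08 lina telnetd[15972]: Connect from 200.163.59.156
Apr 29 17:37:09 lina telnetd[15972]: ttloop: retrying
Apr 29 17:37:09 lina last message repeated 1474 times
"""

# Assumed classic syslog prefix: "Mon DD HH:MM:SS host".
TS = r"^\w{3} +\d+ [\d:]+ \S+ "
CONNECT_RE = re.compile(TS + r"telnetd\[(?P<pid>\d+)\]: Connect from (?P<ip>[\d.]+)$")
TTLOOP_RE = re.compile(TS + r"telnetd\[(?P<pid>\d+)\]: ttloop: retrying$")
REPEAT_RE = re.compile(TS + r"last message repeated (?P<n>\d+) times$")


def count_ttloop_by_source(log_text):
    """Return {source_ip: total ttloop retries}, expanding 'repeated N times'."""
    pid_to_ip = {}      # telnetd PID -> peer address from its Connect line
    prev_ttloop_pid = None  # PID of the ttloop line immediately preceding
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            pid_to_ip[m["pid"]] = m["ip"]
            prev_ttloop_pid = None
            continue
        m = TTLOOP_RE.match(line)
        if m:
            prev_ttloop_pid = m["pid"]
            totals[pid_to_ip.get(prev_ttloop_pid, "unknown")] += 1
            continue
        m = REPEAT_RE.match(line)
        if m and prev_ttloop_pid is not None:
            # syslog collapsed N further copies of the previous ttloop line
            totals[pid_to_ip.get(prev_ttloop_pid, "unknown")] += int(m["n"])
        prev_ttloop_pid = None  # a repeat or unrelated line ends the run
    return dict(totals)


def flag_sources(log_text, threshold=100):
    """Sources whose ttloop retry total exceeds threshold (assumed tunable)."""
    return sorted(ip for ip, n in count_ttloop_by_source(log_text).items() if n > threshold)
```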
    
