[101883] in RedHat Linux List
Re: Hacking attempts
daemon@ATHENA.MIT.EDU (Nikki Cook)
Mon Nov 30 07:47:39 1998
From: Nikki Cook <sunny@mail.suntrix.com>
Reply-To: sunny@mail.suntrix.com
To: redhat-list@redhat.com
Date: Mon, 30 Nov 1998 07:16:25 -0500
Resent-From: redhat-list@redhat.com
Hi Chris.
There is a whole regimen of things to do both before and after a suspected
break-in. It's not an easy task to recover or to set up and maintain security, but
it is necessary for anyone with a dedicated connection and even important for
folks who don't have a 24/7 connect, IMHO. It doesn't feel good having to deal
with this issue AFTER the fact.
http://www.cert.org/nav/recovering.html has an excellent list of things to do
to detect a breakin or if root has been compromised.
With all that I am, I encourage you to apply ALL security patches to your
system immediately.
Install and use exclusively SSH Version 1.2.26 or higher on your system.
Turn off all unnecessary services including all other logins in
/etc/inetd.conf.
If you're running named, use the xfrnet statement for Bind 4.x named.boot or the
options statement for Bind 8.x named.conf to restrict which IPs you will allow
zone transfer.
Go over all your logs to see if there are any "footprints" of a breakin:
messages, xfrlog, smb logs, etc.
And read everything on CERT. Print out the detection and compromise sections
and follow their instructions for finding tell-tale files or modes. They
have command line "finds" that will help you do the job of locating ASCII files
and hidden files that may have been placed on your system.
As I've stated in previous posts, if "you" are vulnerable, then we all are
vulnerable. It is mucho better to be proactive on this issue. I don't bet,
but if I did, I'd place a small wager that everyone reading this locks their
doors as a preventive measure to keep themselves and belongings safe..... I
leave you all to infer the point of that statement.
Nikki
On Mon, 30 Nov 1998, Chris Dodd wrote:
>Hey all.
>
>Is there a good reference to see if people are [trying] hacking your server?
>Here is a sample from my secure.1 log.
>
>Nov 25 20:38:13 shrouded in.ftpd[12976]: connect from 24.128.6.166
>Nov 25 20:38:14 shrouded in.telnetd[12977]: connect from 24.128.6.166
>Nov 25 20:38:14 shrouded in.telnetd[12978]: connect from 24.128.6.166
>Nov 25 23:46:37 shrouded ipop3d[13125]: connect from 24.113.41.239
>Nov 25 23:46:37 shrouded ipop3d[13125]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
>Nov 26 02:29:43 shrouded in.telnetd[13264]: connect from 204.254.252.123
>Nov 26 02:30:51 shrouded in.telnetd[13265]: connect from 204.254.252.123
>Nov 26 03:00:24 shrouded ipop3d[13273]: connect from 24.113.36.228
>Nov 26 03:00:24 shrouded ipop3d[13273]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
>Nov 26 04:21:08 shrouded imapd[13565]: warning: can't get client address: Connection timed out
>Nov 26 04:21:08 shrouded imapd[13565]: connect from unknown
>Nov 26 04:21:08 shrouded imapd[13565]: error: cannot execute /usr/sbin/imapd: No such file or directory
>Nov 26 12:22:20 shrouded imapd[13943]: warning: can't get client address: Connection reset by peer
>Nov 26 12:22:20 shrouded imapd[13943]: connect from unknown
>Nov 26 12:22:20 shrouded imapd[13943]: error: cannot execute /usr/sbin/imapd: No such file or directory
>Nov 26 12:51:23 shrouded imapd[13950]: connect from 130.161.37.152
>Nov 26 12:51:23 shrouded imapd[13950]: error: cannot execute /usr/sbin/imapd: No such file or directory
>
>None of those IPs are mine. If these are attempts, what do you all suggest
>I should do?
>
>Thanks,
> Chris
>
>--
> PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
> http://www.redhat.com http://archive.redhat.com
> To unsubscribe: mail redhat-list-request@redhat.com with
> "unsubscribe" as the Subject.
--
Nikki Cook
Kerry Webb
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SunTrix Com Internet Services
Daytona Beach, Florida
PPP and Shell Accounts (904) 258-5434
WEB Design webdesign@mail.suntrix.com
http://www.suntrix.com
WEBBnet IRC Network
irc.webbnet.org | irc.us.webbnet.org
ftp://ftp.suntrix.com | mail.suntrix.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
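As an added example of the log review Nikki recommends (this is not code from the thread or from Red Hat): a small Python script that parses tcp_wrappers-style lines of the kind Chris quoted, pairs each "cannot execute" error with the connect logged under the same pid, and flags sources that touched several services within a short window. The sample lines are taken from the quoted secure.1 log, re-joined where the mailer wrapped them; the year 1998 (syslog lines carry none), the 60-second window and the function names are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines from the quoted secure.1 log (wrapped lines re-joined). The year is
# assumed to be 1998 because syslog timestamps do not record it.
SAMPLE_LOG = """\
Nov 25 20:38:13 shrouded in.ftpd[12976]: connect from 24.128.6.166
Nov 25 20:38:14 shrouded in.telnetd[12977]: connect from 24.128.6.166
Nov 25 20:38:14 shrouded in.telnetd[12978]: connect from 24.128.6.166
Nov 25 23:46:37 shrouded ipop3d[13125]: connect from 24.113.41.239
Nov 25 23:46:37 shrouded ipop3d[13125]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Nov 26 02:29:43 shrouded in.telnetd[13264]: connect from 204.254.252.123
Nov 26 02:30:51 shrouded in.telnetd[13265]: connect from 204.254.252.123
Nov 26 03:00:24 shrouded ipop3d[13273]: connect from 24.113.36.228
Nov 26 03:00:24 shrouded ipop3d[13273]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Nov 26 04:21:08 shrouded imapd[13565]: warning: can't get client address: Connection timed out
Nov 26 04:21:08 shrouded imapd[13565]: connect from unknown
Nov 26 04:21:08 shrouded imapd[13565]: error: cannot execute /usr/sbin/imapd: No such file or directory
Nov 26 12:51:23 shrouded imapd[13950]: connect from 130.161.37.152
Nov 26 12:51:23 shrouded imapd[13950]: error: cannot execute /usr/sbin/imapd: No such file or directory
"""
ASSUMED_YEAR = 1998

# "<mon> <day> <time> <host> <service>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<svc>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<src>\S+)$")
EXEC_RE = re.compile(r"^error: cannot execute (?P<path>\S+):")


def parse_log(text):
    """Turn each log line into a dict; src is set only for 'connect from' lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in other formats
        ts = datetime.strptime(
            f"{ASSUMED_YEAR} " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S"
        )
        c = CONNECT_RE.match(m["msg"])
        events.append({"ts": ts, "host": m["host"], "svc": m["svc"],
                       "pid": int(m["pid"]), "src": c["src"] if c else None,
                       "msg": m["msg"]})
    return events


def missing_daemon_probes(events):
    """Pair each 'cannot execute' error with the connect logged under the same pid.

    inetd accepted the connection and then failed to exec the daemon, so the
    service is still enabled in inetd.conf although its binary is not installed.
    Returns (source, service, path) tuples.
    """
    last_connect = {}
    hits = []
    for e in events:
        if e["src"] is not None:
            last_connect[e["pid"]] = e
            continue
        m = EXEC_RE.match(e["msg"])
        if m:
            c = last_connect.get(e["pid"])
            hits.append((c["src"] if c else None, e["svc"], m["path"]))
    return hits


def inetd_entries_to_disable(events):
    """Service names inetd tried and failed to run: candidates to comment out."""
    return sorted({svc for _, svc, _ in missing_daemon_probes(events)})


def scan_like_sources(events, window_seconds=60):
    """Sources that connected to two or more distinct services within the window.

    One client touching ftp and telnet a second apart is a footprint worth a
    closer look; repeated connects to a single service are not flagged here.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["src"] is not None:
            by_src[e["src"]].append(e)
    flagged = defaultdict(set)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            seen = {first["svc"]}
            for later in evs[i + 1:]:
                if (later["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                seen.add(later["svc"])
            if len(seen) >= 2:
                flagged[src] |= seen
    return {src: sorted(svcs) for src, svcs in flagged.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, svc, path in missing_daemon_probes(evs):
        print(f"{src} hit {svc}; inetd could not exec {path}")
    print("inetd.conf entries to disable:", inetd_entries_to_disable(evs))
    for src, svcs in scan_like_sources(evs).items():
        print(f"{src} touched {', '.join(svcs)} within 60s")
```

Run it against a real secure log with `parse_log(open("/var/log/secure").read())`; the "cannot execute" pairing is the useful part here, since every such line is an inetd.conf entry that serves no purpose but still accepts connections.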