On Thu, 27 Jun 2002, J. Craig Woods wrote:

> David Rankin wrote:
> > 
> > Guys, Gals:
> > 
> >     It looks like I may have been successfully hacked! I don't know and I
> > need your help to find out. I have had many folks test my security, but
> > no one has gotten in until now. The following appeared in a review of my
> > syslog:
> > 
> > Jun 17 23:52:57 Nemesis xinetd[27314]: START: ftp pid=26954
> > from=210.180.201.125
> > Jun 17 23:52:59 Nemesis xinetd[26954]: USERID: ftp OTHER :root
> > Jun 17 23:58:35 Nemesis xinetd[27314]: START: telnet pid=26963
> > from=127.0.0.1
> > Jun 18 00:08:02 Nemesis xinetd[27314]: EXIT: ftp pid=26954
> > duration=905(sec)
> > 
> >     The 210 IP is some Korean address from the Asian Pacific Network.
> > 
> >     My first question is does it look like a successful hack? Second
> > question is, if so, what do I check to find out if they caused any harm,
> > installed a root kit, etc....?
> > 
> >     As always, thanks for any help you can provide.
> > 
> 
> David, say it ain't so. You are *NOT* running an ftp service on your
> computer connected to the internet, right? Well it looks like you are
> doing just that. What type of ftp client, and what version is it? Are
> you running any kind of file monitoring, such as tripwire? Do you
> have any programs for detecting rootkits? What is msec reporting about
> system and file changes? Time to start checking md5sums against original
> files off the install media. And shut down ftp immediately, if not
> sooner....
> 
> drjung 

I don't know doc...from the look of that log entry it might be just as
easy to simply reload the machine. And if you must run an ftp service do
like the rest of us do. Use proftpd and set a password for the darn thing
so they can't just walk in like they own the place.

I've been checkin the logs every morning and writing the ISPs of those
miserable thievin motherless morons that just CAN'T stay the hell outa
someone else's backyard to save their miserable lives. One of THESE days!

-- 
daRmaTTeR

R L U: #186492
Whenever people annoy me I remember, "Vengeance is mine saith the Lord."
My prayer is, "...here am I Lord...send me!"
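
Added example, not part of the original thread: a short Python script that rejoins the mail-wrapped xinetd records quoted above and correlates START, USERID and EXIT by child PID, so each connection reads as one session with its source address and duration. The function names are illustrative, and the comment that USERID carries the remote host's RFC 1413 ident reply reflects xinetd's documented USERID logging option, not anything stated in the thread.

```python
import re
from ipaddress import ip_address

# The xinetd records quoted in the thread, with the mail client's line wraps left in.
SAMPLE = """\
Jun 17 23:52:57 Nemesis xinetd[27314]: START: ftp pid=26954
from=210.180.201.125
Jun 17 23:52:59 Nemesis xinetd[26954]: USERID: ftp OTHER :root
Jun 17 23:58:35 Nemesis xinetd[27314]: START: telnet pid=26963
from=127.0.0.1
Jun 18 00:08:02 Nemesis xinetd[27314]: EXIT: ftp pid=26954
duration=905(sec)
"""

REC = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ xinetd\[(\d+)\]: (START|USERID|EXIT): (\S+) ?(.*)$")

def unwrap(text):
    """A line that does not open with a syslog timestamp continues the previous record."""
    return re.sub(r"\n(?!\w{3} +\d+ \d\d:\d\d:\d\d )[ \t]*(?=\S)", " ", text).splitlines()

def sessions(text):
    """Correlate START / USERID / EXIT records by child pid; returns {pid: session}."""
    by_pid = {}
    for line in unwrap(text):
        m = REC.match(line)
        if not m:
            continue
        when, logger_pid, kind, service, rest = m.groups()
        kv = dict(p.split("=", 1) for p in rest.split() if "=" in p)
        # START/EXIT are logged by the xinetd parent and name the child in pid=;
        # USERID is logged by the child itself, so its pid is the one in brackets.
        pid = kv.get("pid", logger_pid)
        s = by_pid.setdefault(pid, {"service": service, "closed": False})
        if kind == "START":
            s.update(start=when, src=kv.get("from"))
        elif kind == "USERID":
            s["ident"] = rest  # reply from the remote host's ident (RFC 1413) service
        else:
            s.update(closed=True, end=when,
                     duration=int(kv.get("duration", "0").split("(")[0]))
    return by_pid

def remote_sessions(text):
    """Sessions from non-loopback sources: the ones to check against the ftp daemon's own logs."""
    return {p: s for p, s in sessions(text).items()
            if s.get("src") and not ip_address(s["src"]).is_loopback}
```

`remote_sessions(SAMPLE)` returns the single ftp session from 210.180.201.125 with its 905-second duration; the telnet session from 127.0.0.1 is filtered out and shows no EXIT record in the excerpt.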

