At 04:46 PM 5/26/1999 +0200, you wrote:
>hi list,
>I have a very obscure discovery:
>tonight at 4:03 I got a logfile called vgetty.modem
>it is of about 89301439 blocks - a very big file.
>Starting at 4:03 in the morning there are a lot of efforts to
>get a connection to our system via the vgetty chat.
>I have the phone number and all the efforts like passwords with and
>without crypted passwords.
>
>Is it possible to get a connection via vgetty or not ?
>If not, what has happened? Are there other possibilities in Linux,
>so that a process can get out of control? Maybe a bad script?
>
>We have a connection to the internet via an Ascend Router. 5 computers
>have a direct connection through a HUB. Only one computer has this
>vgetty.modem file. But exactly this computer has had no running vgetty
>before and never had a modem installed.
>
>What I have :
>Mandrake (Red Hat 5.2) Linux with kernel 2.0.36; 5 PCs running Linux, 2
>PCs running Windows, one Apple, one Sun SPARC 10 with RH 5.1 and one
>SGI IRIS on this network tree. One Linux PC acts as a gateway for the
>second network tree. But it only has one direction, to the server, not
>back.
>
>I'll send a piece of code from that vgetty.modem file, so you can see
>what has happened.
>
>If that is not a hacker, what possibilities do I have to resolve that
>problem? What else can it be?
>
>Your help is very much appreciated and urgently needed!!!
>
>bye, hans
>
Looking at the log file entries, it looks like you have a
USR Courier/Sportster 56k modem connected. (The port is the "modem"
part of the vgetty.modem file name.) I would check /etc/inittab to see if you
have an entry starting vgetty. Something like:
    D1:2345:respawn:/sbin/vgetty ttyS1
Also try "ps aux | grep vgetty" to see if vgetty is being run as a user.
As for someone getting into your system using vgetty, it depends on the
settings in the /etc/mgetty+sendfax/voice.conf file. If data connections
are allowed, then anyone with shell access can log in over the phone.
(mgetty allows this also!) The only exception to this is the root
account. Root usually isn't allowed to log in over the phone line,
but that can be changed by editing /etc/securetty and adding the
modem port to the list. Also note that vgetty will also act as an
answering machine, and will also receive FAX messages if set up for
it and your modem is Class 2 fax capable.
It looks more like someone is playing with vgetty than that you got
hacked. Your best course of action, if you don't need the ability to
log into the system over the phone, and don't need the voice and
fax receive functions, is to remove the assorted mgetty RPMs:
    rpm -e mgetty-voice     (removes vgetty and the voice utilities)
    rpm -e mgetty-sendfax   (removes the fax utilities)
    rpm -e mgetty           (removes the modem getty program, i.e. modem logins)
I hope this gives you a better idea of what is going on...
Mikkel
---
Do not meddle in the affairs of dragons,
for you are crunchy and taste good with ketchup.
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
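The checks Mikkel lists (inittab respawn entries for vgetty/mgetty, the running-process check, and whether the modem port is in /etc/securetty so root could log in over the phone line) can be scripted. The script below is an added example and is not code from the thread or from the mgetty project. It assumes SysV-style /etc/inittab entries (id:runlevels:action:process), that an mgetty/vgetty entry names its port as the last argument (as in "/sbin/vgetty ttyS1"), and the /etc/securetty convention that a listed tty permits root login; the sample inittab and securetty it writes are constructed for the demo, and the package names passed to rpm -q are the three Mikkel names.

```shell
#!/bin/sh
# Dial-in exposure check. Added example, not code from the original thread.
# Assumptions: SysV /etc/inittab (id:runlevels:action:process); mgetty/vgetty
# entries give the port as their last argument; /etc/securetty lists the ttys
# on which root may log in. make_samples writes constructed sample files.
set -eu

# Print "id port program" for every inittab entry that respawns mgetty or vgetty.
# mingetty (virtual consoles) does not match /[mv]getty/ and is ignored.
modem_gettys() {
  grep -v '^[[:space:]]*#' "$1" | awk -F: '
    NF >= 4 && $3 == "respawn" && $4 ~ /[mv]getty/ {
      n = split($4, a, /[ \t]+/)
      print $1, a[n], a[1]
    }'
}

# Ttys on which root may log in, per securetty (comments, blanks and any
# leading /dev/ stripped so they compare against inittab port names).
root_ttys() {
  grep -v '^[[:space:]]*#' "$1" | sed -e 's#^/dev/##' -e '/^[[:space:]]*$/d'
}

# For each modem getty, report whether root could log in over that port.
# Output: "port program root=yes|no", one line per getty.
audit_dialin() {
  inittab=$1; securetty=$2
  modem_gettys "$inittab" | while read -r id port prog; do
    if root_ttys "$securetty" | grep -qx "$port"; then allowed=yes; else allowed=no; fi
    printf '%s %s root=%s\n' "$port" "$(basename "$prog")" "$allowed"
  done
}

# Getty processes currently running (the "ps aux | grep vgetty" check).
running_gettys() {
  ps aux 2>/dev/null | grep '[mv]getty' || true
}

# mgetty packages present on an RPM system; these are the ones to "rpm -e"
# if dial-in, voice and fax are not needed. Prints nothing where rpm is absent.
installed_mgetty_rpms() {
  command -v rpm >/dev/null 2>&1 || return 0
  rpm -q mgetty mgetty-voice mgetty-sendfax 2>/dev/null | grep -v 'not installed' || true
}

# Constructed sample config for the demo; prints the directory it wrote to.
make_samples() {
  d=$(mktemp -d)
  cat >"$d/inittab" <<'EOF'
# constructed sample /etc/inittab
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
1:2345:respawn:/sbin/mingetty tty1
D1:2345:respawn:/sbin/vgetty ttyS1
S0:2345:respawn:/sbin/mgetty -s 57600 modem
f1:2345:once:/sbin/mgetty ttyS2
EOF
  cat >"$d/securetty" <<'EOF'
# constructed sample /etc/securetty
tty1
tty2
ttyS1
EOF
  echo "$d"
}

# Demo on the constructed samples. On a real box run:
#   audit_dialin /etc/inittab /etc/securetty; running_gettys; installed_mgetty_rpms
samples=$(make_samples)
audit_dialin "$samples/inittab" "$samples/securetty"
rm -rf "$samples"
```

On the constructed samples the audit prints "ttyS1 vgetty root=yes" and "modem mgetty root=no": the vgetty port is in securetty, which is exactly the combination Mikkel warns about, while the "once" entry for ttyS2 is not respawned and is not reported.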