Scott Kindley wrote:
> 
> Aug 29 04:21:12 ns1 in.telnetd[11975]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11977]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11976]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11978]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11979]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11980]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11981]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11982]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 in.telnetd[11983]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 imapd[11984]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 imapd[11988]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 imapd[11987]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 imapd[11985]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 imapd[11986]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 imapd[11989]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 in.telnetd[11990]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 in.telnetd[11991]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 in.telnetd[11992]: refused connect from 63.145.81.31
> Aug 29 04:21:15 ns1 in.telnetd[11993]: refused connect from 63.145.81.31
> Aug 29 04:21:15 ns1 imapd[11994]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 imapd[11995]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 imapd[11996]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 imapd[11997]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 in.telnetd[11998]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 in.telnetd[11999]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 in.telnetd[12000]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 in.telnetd[12001]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 in.telnetd[12002]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 in.telnetd[12003]: refused connect from 63.145.81.31
> Aug 29 04:21:19 ns1 in.telnetd[12004]: refused connect from 63.145.81.31
> 
> Not one of my IPs. Don't know anybody using any IP on that network.
> Any suggestions on how to handle this? It's my first attempt at being
> hacked. I have him blocked with wrappers after a telnet attempt a few
> days ago that I thought looked funny. So for now I think I'm ok. I have
> checked my logs and verified nothing has changed on the system. So
> entry wasn't made. Still the attempt is bugging me.
> 
> -----
> Scott Kindley
> 
It's coming from a Qwest customer, probably a DSL kiddie.  Complain to
Qwest, not that they're very responsive.  It may be that the IP this
intrusion came from is a hacked box.

You should block all IPs with TCP wrappers that don't have a need to
connect on any particular service, and should turn off all services that
you don't actually need with /etc/inetd.conf.

You might also install portsentry if you don't have it yet.  That will
give you more log entries on port scans, which is likely how this clown
found you in the first place.  Use tripwire to detect when a break-in
has actually occurred.  Other than that, get used to this stuff, because
it isn't going away.

Fred
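A small triage script for the tcp_wrappers "refused connect from" lines Scott posted, added here as an example and not part of either message. It re-joins lines that a mail client wrapped, then reports per source IP how many refusals hit which services and whether they arrived in a burst; the sample lines are constructed in Scott's format, and the 192.0.2.7 entry is invented.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample in Scott's log format; the first entry is wrapped the way
# his mail client wrapped it, and the 192.0.2.7 entry is made up.
SAMPLE = """\
Aug 29 04:21:12 ns1 in.telnetd[11975]: refused connect from
63.145.81.31
Aug 29 04:21:13 ns1 imapd[11984]: refused connect from 63.145.81.31
Aug 29 04:21:19 ns1 in.telnetd[12004]: refused connect from 63.145.81.31
Aug 29 04:30:00 ns1 sshd[12100]: refused connect from 192.0.2.7
""".splitlines()
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<svc>[\w.]+)\[\d+\]: refused connect from (?P<src>\S+)$")

def unwrap(lines):
    # Re-join a line whose source IP was pushed onto the next line by wrapping.
    pending = None
    for raw in lines:
        line = raw.strip()
        if pending is not None:
            line, pending = pending + " " + line, None
        elif line.endswith("refused connect from"):
            pending = line
            continue
        yield line

def parse(lines):
    # (timestamp, service, source) per refusal; syslog has no year, so 1900 is used.
    events = []
    for line in unwrap(lines):
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["svc"], m["src"]))
    return events

def summarise(events, window_s=60, threshold=5):
    # Per source: refusals, services, span, burst flag (>= threshold in window_s).
    by_src = defaultdict(list)
    for ts, svc, src in events:
        by_src[src].append((ts, svc))
    report = {}
    for src, evs in by_src.items():
        span = (max(t for t, _ in evs) - min(t for t, _ in evs)).total_seconds()
        report[src] = {"count": len(evs), "span_s": span,
                       "services": sorted({s for _, s in evs}),
                       "burst": len(evs) >= threshold and span <= window_s}
    return report
```

Run it over /var/log/messages (or /var/log/secure) instead of SAMPLE to see which sources are probing several inetd services within a minute, which is the scan pattern Fred describes.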

_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list