Last night I experienced a security breach. I run a small lan with a
ppp dial-up connection that is often left connected. It seems that at
11pm an email containing the output of ifconfig and the contents of
the passwd files was sent by root to [EMAIL PROTECTED] Luckily the mail
was bounced by our ISP (thanks to the lan's domain name not being found
by the ISP's DNS).

Scouring the log files, the only evidence of this breach I can find
is the log of the attempted mail send in /var/log/maillog and the following
suspicious entry in /var/log/messages:

Feb 28 01:53:07 emu portmap[12152]: connect from 202.157.133.184 to
getport(status): request from unauthorized host

This is the only portmap log I've ever had.

Has anyone come across something similar? I've no idea whether this is
the result of a trojan, or whether someone managed to gain access to
my machine (although if they did gain root access, why mail out a passwd
file?). Any thoughts?

Sean.


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
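The post treats the single portmap entry as the one suspicious trace. A first step an investigator would take is to pull every "request from unauthorized host" portmap denial out of /var/log/messages and separate the sources that are outside the LAN from local hosts. The script below is an added example, not code from the post or the SLUG list: the first sample line is the entry quoted above (unwrapped onto one line, as syslog writes it), the remaining sample lines and the 192.168.1.0/24 local network are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log. The first line is the entry quoted in the post
# (unwrapped onto one line); the other three lines are made up in the same
# syslog format so the grouping below has something to work on.
SAMPLE_LOG = """\
Feb 28 01:53:07 emu portmap[12152]: connect from 202.157.133.184 to getport(status): request from unauthorized host
Feb 28 01:53:09 emu portmap[12152]: connect from 202.157.133.184 to getport(mountd): request from unauthorized host
Feb 28 02:10:41 emu sshd[12201]: Accepted password for sean from 192.168.1.20 port 1022
Feb 28 02:14:03 emu portmap[12152]: connect from 192.168.1.20 to getport(nfs): request from unauthorized host
"""

# Assumed address space of the small LAN in the post (an assumption, not
# stated in the original message).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Matches the portmap denial format shown in the post: timestamp, host,
# "portmap[pid]: connect from <ip> to <call>(<service>): request from
# unauthorized host".
PORTMAP_DENIAL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portmap\[\d+\]: "
    r"connect from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<call>\w+)\((?P<svc>\w+)\): "
    r"request from unauthorized host$"
)


def parse_portmap_denials(log_text):
    """Return one dict (ts, host, src, call, svc) per portmap denial line."""
    events = []
    for line in log_text.splitlines():
        m = PORTMAP_DENIAL_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def is_local(ip, local_nets=LOCAL_NETS):
    """True when the address falls inside one of the configured LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in local_nets)


def external_probes(events, local_nets=LOCAL_NETS):
    """Map each non-LAN source address to the RPC services it asked portmap for,
    in log order. Local hosts are dropped: a LAN machine hitting the access
    list is usually a configuration issue, an outside host is the lead."""
    probes = defaultdict(list)
    for ev in events:
        if not is_local(ev["src"], local_nets):
            probes[ev["src"]].append(ev["svc"])
    return dict(probes)


def report(log_text):
    """Human-readable summary lines for the denials found in log_text."""
    events = parse_portmap_denials(log_text)
    lines = [f"{len(events)} portmap denial(s) found"]
    for src, svcs in sorted(external_probes(events).items()):
        lines.append(f"external source {src} asked for: {', '.join(svcs)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On a real system the same function runs over the whole of /var/log/messages rather than the embedded sample; the point is that even a single denial is worth grouping by source, because one external address asking portmap about several services in quick succession looks different from a one-off LAN misconfiguration, and gives the investigator a timestamp and address to line up against the maillog entry.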
