I'm really not the most qualified to be answering this, but if I had to take a wild stab at it I would say there is a trojan or something running, either enabling telnetd as needed, or running as telnetd. But that would be stupid, since if I were going to write a trojan I wouldn't let it log.

Is there really even a reason for you to have xinetd running (assuming you are running Linux; not sure how everyone else has it... I guess inetd?)? There could be some exploit for inetd or xinetd allowing a remote attacker to enable the transient service.

Also, would it hurt to make nobody's shell /bin/false? For that matter, any user account that does not really need to log in? Aren't most of those accounts for services to run as? I don't think they need shells...

Do you have any kind of IDS running? Snort maybe? I would also try scanning with Nessus from an untrusted source.

A friend of mine suggested to me (before we got our WatchGuard box) to use portsentry and iptables and leave something harmless listening on a known port that would get scanned. Anyone who is supposed to interface with this box wouldn't go to this suspect port, and if you did, portsentry would (I think this is how it works... I should really read up on this stuff before replying...) add entries to iptables blocking that IP/range...

I hope this helps...

Jon Pastore, President
IDE Tech, Inc.
(954) 360-0393 Office
(954) 428-0442 Fax
jpastore@xxxxxxxxxxx

-----Original Message-----
From: security-discuss-bounce@xxxxxxxxxxxxxxxxx [mailto:security-discuss-bounce@xxxxxxxxxxxxxxxxx] On Behalf Of Philip Mak
Sent: Tuesday, April 29, 2003 10:01 PM
To: security-discuss@xxxxxxxxxxxxxxxxx
Subject: What do these log entries mean?

Apr 29 17:37:08 lina telnetd[15972]: Connect from 200.163.59.156
Apr 29 17:37:09 lina telnetd[15972]: ttloop: retrying
Apr 29 17:37:09 lina last message repeated 1474 times

That was in /var/log/messages. Then at 17:37:10, there was an unauthorized login to the "nobody" account.
Also:

Apr 29 16:52:54 lina telnetd[5427]: Connect from 200.163.59.156
Apr 29 16:52:58 lina telnetd[5427]: ttloop: retrying
Apr 29 16:52:59 lina last message repeated 28989 times

And there was an unauthorized login to "nobody" at 16:53:00 too.

And I don't have telnet enabled on my server (I tried telnetting to double-check, and got Connection refused as expected), so I'm confused as to why it says "telnetd". Anyone have an idea how he's getting into my server?

------------------------------------------------------------------------
To unsubscribe email security-discuss-request@xxxxxxxxxxxxxxxxx with "unsubscribe" in the subject of the message.
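As an added example, not part of either message in the thread above: a small Python check that does over a /var/log/messages extract what Philip did by eye, i.e. folds the syslog "last message repeated N times" lines back into a count, flags telnetd sessions with an abnormal number of "ttloop: retrying" entries, and pairs each such burst with any login recorded on the same host shortly afterwards. The six telnetd lines in the sample are the ones from the post; the two "login" lines and the sshd line are constructed, because the post mentions the "nobody" logins but does not show how they were logged, so their format is an assumption. The year 2003 (syslog timestamps carry none) is taken from the mail date, and the retry threshold and 30-second window are arbitrary choices.

```python
"""Correlate telnetd 'ttloop: retrying' bursts with subsequent logins in a
syslog-style /var/log/messages extract. Added example; not the poster's code."""
import re
from datetime import datetime, timedelta

LOG_YEAR = 2003  # syslog lines carry no year; assumed from the mail date

# Constructed sample. The telnetd lines are the ones quoted in the thread;
# the login and sshd lines are made up to stand in for entries the poster
# described but did not paste (their real format is unknown).
SAMPLE_LOG = """\
Apr 29 16:52:54 lina telnetd[5427]: Connect from 200.163.59.156
Apr 29 16:52:58 lina telnetd[5427]: ttloop: retrying
Apr 29 16:52:59 lina last message repeated 28989 times
Apr 29 16:53:00 lina login[5430]: LOGIN ON pts/2 BY nobody FROM 200.163.59.156
Apr 29 17:37:08 lina telnetd[15972]: Connect from 200.163.59.156
Apr 29 17:37:09 lina telnetd[15972]: ttloop: retrying
Apr 29 17:37:09 lina last message repeated 1474 times
Apr 29 17:37:10 lina login[15975]: LOGIN ON pts/3 BY nobody FROM 200.163.59.156
Apr 29 18:00:00 lina sshd[200]: Accepted password for philip from 10.0.0.5 port 4711 ssh2
"""

_LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
_PROG = re.compile(r"^([\w./-]+)(?:\[(\d+)\])?: (.*)$")
_REPEAT = re.compile(r"^last message repeated (\d+) times$")
_LOGIN = re.compile(r"LOGIN ON \S+ BY (\S+)(?: FROM (\S+))?")


def parse_syslog(text):
    """Return one event dict per real message. A 'last message repeated N
    times' line adds N to the count of the previous event from that host and
    moves that event's last_ts forward, instead of producing its own event."""
    events = []
    last_by_host = {}
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        stamp = re.sub(r"\s+", " ", m.group(1))  # 'Apr  9' -> 'Apr 9'
        ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        host, rest = m.group(2), m.group(3)
        rep = _REPEAT.match(rest)
        if rep:
            prev = last_by_host.get(host)
            if prev is not None:
                prev["count"] += int(rep.group(1))
                prev["last_ts"] = ts
            continue
        pm = _PROG.match(rest)
        if not pm:
            continue
        ev = {"ts": ts, "last_ts": ts, "host": host, "prog": pm.group(1),
              "pid": int(pm.group(2)) if pm.group(2) else None,
              "msg": pm.group(3), "count": 1}
        events.append(ev)
        last_by_host[host] = ev
    return events


def find_ttloop_bursts(events, threshold=100):
    """Group telnetd events by pid and return the sessions whose
    'ttloop: retrying' message was logged at least `threshold` times."""
    sessions = {}
    for ev in events:
        if ev["prog"] != "telnetd" or ev["pid"] is None:
            continue
        s = sessions.setdefault(ev["pid"], {
            "pid": ev["pid"], "host": ev["host"], "src": None,
            "retries": 0, "start": ev["ts"], "end": ev["last_ts"]})
        m = re.match(r"Connect from (\S+)", ev["msg"])
        if m:
            s["src"] = m.group(1)
        elif ev["msg"].startswith("ttloop: retrying"):
            s["retries"] += ev["count"]
        s["end"] = max(s["end"], ev["last_ts"])
    return [s for s in sessions.values() if s["retries"] >= threshold]


def correlate_logins(events, bursts, window=timedelta(seconds=30)):
    """Pair each burst with login(1)-style events on the same host that fall
    within `window` after the burst's last retry line."""
    findings = []
    for b in bursts:
        for ev in events:
            if ev["host"] != b["host"] or ev["prog"] != "login":
                continue
            m = _LOGIN.search(ev["msg"])
            if not m or not (b["end"] <= ev["ts"] <= b["end"] + window):
                continue
            findings.append({"pid": b["pid"], "src": b["src"],
                             "retries": b["retries"], "user": m.group(1),
                             "login_from": m.group(2),
                             "delay_s": int((ev["ts"] - b["end"]).total_seconds())})
    return findings


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG)
    for f in correlate_logins(evs, find_ttloop_bursts(evs)):
        print(f)
```

Run against the sample it reports two findings, one per telnetd pid, each with the 200.163.59.156 source, the folded retry count (28990 and 1475) and a "nobody" login one second after the last retry line. Folding the repeat counter matters: syslog's "last message repeated" compression hides the volume from a naive grep, and the count is the signal here.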