I agree with running portsentry, but be very careful when setting it up. Make sure you can get back into your machine. I have had issues with this in older versions of portsentry. I had to add IPs into the hosts.allow file, and make sure they were set up correctly in the config file for portsentry. Also, I would suggest that you do some research on the person scanning you, and send the admin of the originating box an e-mail. This usually deters would-be hackers.

Have a good one,
Zac

--
-----------------------------------------
Zac Amsler
WNOC.COM
Direct: (612) 605-5622
http://www.wnoc.com
*****************************************
Free Long Distance to ANYWHERE in the Lower 48 States.
No Contract........$39.99/Month.........
http://www.vonage.com/index.php?refer_id=05002a34
Check it out......
*****************************************

On Wed, 2003-04-30 at 10:14, Jon Pastore wrote:
> I'm really not the most qualified to be answering this, but if I had to
> take a wild stab at it I would say there is a trojan or something
> running, either enabling telnetd as needed, or running as telnetd, but
> that would be stupid since if I were going to write a trojan I wouldn't
> let it log. Is there really even a reason for you to have xinetd
> running (assuming you are running Linux; not sure how everyone else has
> it... I guess inetd?)? There could be some exploit for inetd or xinetd
> allowing a remote attacker to enable the transient service.
>
> Also, would it hurt to make nobody's shell /bin/false? For that matter,
> any user account that does not really need to log in? Aren't most of
> those accounts for services to run as? I don't think they need shells...
>
> Do you have any kind of IDS running? Snort maybe? I would also try
> scanning with Nessus from an untrusted source. A friend of mine suggested
> to me (before we got our WatchGuard box) to use portsentry and iptables
> and leave something harmless listening on a known port that would get
> scanned. Anyone who is supposed to interface with this box wouldn't go
> to this suspect port, and if you did, portsentry would (I think this is
> how it works... I should really read up on this stuff before replying...)
> add entries to iptables blocking that IP/range...
>
> I hope this helps...
>
> Jon Pastore, President
> IDE Tech, Inc.
> (954) 360-0393 Office
> (954) 428-0442 Fax
> jpastore@xxxxxxxxxxx
>
> -----Original Message-----
> From: security-discuss-bounce@xxxxxxxxxxxxxxxxx
> [mailto:security-discuss-bounce@xxxxxxxxxxxxxxxxx] On Behalf Of Philip Mak
> Sent: Tuesday, April 29, 2003 10:01 PM
> To: security-discuss@xxxxxxxxxxxxxxxxx
> Subject: What do these log entries mean?
>
> Apr 29 17:37:08 lina telnetd[15972]: Connect from 200.163.59.156
> Apr 29 17:37:09 lina telnetd[15972]: ttloop: retrying
> Apr 29 17:37:09 lina last message repeated 1474 times
>
> That was in /var/log/messages. Then at 17:37:10, there was an
> unauthorized login to the "nobody" account.
>
> Also:
>
> Apr 29 16:52:54 lina telnetd[5427]: Connect from 200.163.59.156
> Apr 29 16:52:58 lina telnetd[5427]: ttloop: retrying
> Apr 29 16:52:59 lina last message repeated 28989 times
>
> And there was an unauthorized login to "nobody" at 16:53:00 too.
>
> And I don't have telnet enabled on my server (I tried telnetting to
> double-check, and got Connection refused as expected), so I'm confused
> as to why it says "telnetd". Anyone have an idea how he's getting in to
> my server?
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@xxxxxxxxxxxxxxxxx
> with "unsubscribe" in the subject of the message.
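An added example, not code from any of the posters in this thread: it takes the kind of /var/log/messages lines Philip quoted (telnetd "Connect from", "ttloop: retrying", and syslog's "last message repeated N times" compression), attributes the retry storm to the source address, and turns offenders into TCP-wrappers hosts.deny entries while refusing to block an allowlist of admin addresses, which is the lock-out Zac warns about when automating blocks with portsentry. The sample log is constructed from the thread's lines plus one benign connection from a hypothetical admin host 192.0.2.10; the 100-retry threshold is an arbitrary assumption.

```python
"""Added example, not code from the thread: flag the telnetd
"ttloop: retrying" storm Philip reported, attribute the retries to the
source IP, and build TCP-wrappers hosts.deny entries while refusing to
block allowlisted admin addresses (the lock-out Zac warns about)."""
import re
from collections import defaultdict

# Constructed sample log: the lines quoted in the thread plus one benign
# connection from a hypothetical admin host, 192.0.2.10, for contrast.
SAMPLE_LOG = """\
Apr 29 16:52:54 lina telnetd[5427]: Connect from 200.163.59.156
Apr 29 16:52:58 lina telnetd[5427]: ttloop: retrying
Apr 29 16:52:59 lina last message repeated 28989 times
Apr 29 17:30:00 lina telnetd[9001]: Connect from 192.0.2.10
Apr 29 17:37:08 lina telnetd[15972]: Connect from 200.163.59.156
Apr 29 17:37:09 lina telnetd[15972]: ttloop: retrying
Apr 29 17:37:09 lina last message repeated 1474 times
"""

CONNECT_RE = re.compile(r"telnetd\[(\d+)\]: Connect from (\S+)")
TTLOOP_RE = re.compile(r"telnetd\[(\d+)\]: ttloop: retrying")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def count_ttloop_retries(log_text):
    """Return {source_ip: total 'ttloop: retrying' count}.

    telnetd logs the peer address only on the 'Connect from' line, so the
    PID is used to tie later ttloop lines back to an address.  syslog
    collapses duplicates into 'last message repeated N times', which
    refers to the immediately preceding message; N is added to whichever
    PID logged that message.
    """
    pid_to_ip = {}
    retries = defaultdict(int)
    last_ttloop_pid = None  # PID whose ttloop line a 'repeated' line extends
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            pid_to_ip[m.group(1)] = m.group(2)
            last_ttloop_pid = None
            continue
        m = TTLOOP_RE.search(line)
        if m:
            last_ttloop_pid = m.group(1)
            retries[pid_to_ip.get(last_ttloop_pid, "unknown")] += 1
            continue
        m = REPEAT_RE.search(line)
        if m and last_ttloop_pid is not None:
            retries[pid_to_ip.get(last_ttloop_pid, "unknown")] += int(m.group(1))
        else:
            last_ttloop_pid = None  # any other message breaks the run
    return dict(retries)


def hosts_deny_lines(retries, allowlist, threshold=100):
    """Turn offenders above `threshold` retries into hosts.deny entries
    ('ALL: <addr>' is the tcpd format), skipping anything in `allowlist`
    so an automated block can never cut off your own admin hosts.
    `threshold` is an arbitrary assumption for this example."""
    lines = []
    for ip, n in sorted(retries.items()):
        if n < threshold or ip == "unknown" or ip in allowlist:
            continue
        lines.append(f"ALL: {ip}")
    return lines


if __name__ == "__main__":
    counts = count_ttloop_retries(SAMPLE_LOG)
    for ip, n in sorted(counts.items()):
        print(f"{ip}: {n} ttloop retries")
    admin_hosts = {"192.0.2.10"}  # assumed: addresses you must keep access from
    for entry in hosts_deny_lines(counts, admin_hosts):
        print("hosts.deny <-", entry)
```

Run it against the constructed log and the scanner's address accumulates 30465 retries across both connections while the admin host, which only ever produced a "Connect from" line, never appears in the deny output; putting the scanner's own address in the allowlist produces no deny line at all, which is the property you want before wiring anything like this into portsentry or iptables.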