RE: What do these log entries mean?

Among other things:

Download, compile, and run lsof. Look for any TCP or UDP ports open. Also
look for any telnetd programs running on a different port (22 is just the
default, after all). And of course, run nmap on your machine, both from the
machine and from the outside, just to see what is open and what is not.

Just my $.02

>-----Original Message-----
>From: security-discuss-bounce@xxxxxxxxxxxxxxxxx
>[mailto:security-discuss-bounce@xxxxxxxxxxxxxxxxx]On Behalf Of Philip
>Mak
>Sent: Tuesday, April 29, 2003 7:01 PM
>To: security-discuss@xxxxxxxxxxxxxxxxx
>Subject: What do these log entries mean?
>
>
>Apr 29 17:37:08 lina telnetd[15972]: Connect from 200.163.59.156
>Apr 29 17:37:09 lina telnetd[15972]: ttloop: retrying
>Apr 29 17:37:09 lina last message repeated 1474 times
>
>That was in /var/log/messages. Then at 17:37:10, there was an
>unauthorized login to the "nobody" account.
>
>Also:
>
>Apr 29 16:52:54 lina telnetd[5427]: Connect from 200.163.59.156
>Apr 29 16:52:58 lina telnetd[5427]: ttloop: retrying
>Apr 29 16:52:59 lina last message repeated 28989 times
>
>And there was an unauthorized login to "nobody" at 16:53:00 too.
>
>And I don't have telnet enabled on my server (I tried telnetting to
>double-check, and got Connection refused as expected), so I'm confused
>as to why it says "telnetd". Anyone have an idea how he's getting in
>to my server?
------------------------------------------------------------------------
     To unsubscribe email security-discuss-request@xxxxxxxxxxxxxxxxx
         with "unsubscribe" in the subject of the message.
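
The comparison suggested in this reply, as an added example that is not part of the original message: it sets the listeners reported by `lsof -nP -i` on the host against the open ports in an outside `nmap -oG -` scan. Both inputs are constructed samples, and the function names, addresses and ports 2323 and 4000 are illustrative assumptions.

```python
import re
# Constructed samples (not from the post): `lsof -nP -i` on the host,
# then `nmap -oG -` output from a scan run on another machine.
LSOF_SAMPLE = """\
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd     612 root  3u  IPv4   1021      0t0  TCP *:22 (LISTEN)
httpd    840 root  16u IPv4   1377      0t0  TCP *:80 (LISTEN)
telnetd  977 root  0u  IPv4   9911      0t0  TCP *:2323 (LISTEN)
named    701 named 20u IPv4   1190      0t0  UDP 127.0.0.1:53
sshd    2290 root  4u  IPv4   4410      0t0  TCP 192.0.2.10:22->198.51.100.7:51514 (ESTABLISHED)
"""
NMAP_SAMPLE = ("Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
               "2323/open/tcp//unknown///, 4000/open/tcp//unknown///, 25/closed/tcp//smtp///\n")

def local_listeners(lsof_text):
    """Map (proto, port) -> command for TCP LISTEN and unconnected UDP sockets."""
    found = {}
    for line in lsof_text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9 or f[7] not in ("TCP", "UDP") or "->" in f[8]:
            continue                            # not a socket row, or a connected socket
        if f[7] == "TCP" and f[-1] != "(LISTEN)":
            continue
        port = f[8].rsplit(":", 1)[-1]
        if port.isdigit():                      # skips wildcard UDP entries such as *:*
            found[(f[7].lower(), int(port))] = f[0]
    return found

def external_open(nmap_grepable):
    """Set of (proto, port) reported open in nmap grepable (-oG) output."""
    ports = set()
    for m in re.finditer(r"Ports: ([^\t\n]+)", nmap_grepable):
        for entry in m.group(1).split(","):
            port, state, proto = entry.strip().split("/")[:3]
            if state == "open":
                ports.add((proto, int(port)))
    return ports

def audit(lsof_text, nmap_text, telnet_port=23):   # 23 is the IANA-assigned telnet port
    local, outside = local_listeners(lsof_text), external_open(nmap_text)
    return {
        # a telnetd binary bound somewhere other than the expected port
        "telnetd_off_port": sorted(k for k, cmd in local.items()
                                   if "telnetd" in cmd and k != ("tcp", telnet_port)),
        # reachable from outside, but no owning process visible locally
        "open_outside_no_owner": sorted(outside - set(local)),
        "local_only": sorted(set(local) - outside),  # filtered or loopback-only
    }

if __name__ == "__main__":
    print(audit(LSOF_SAMPLE, NMAP_SAMPLE))
```

A port that answers from outside but has no owner in the local listing is the finding to chase first, since it means the two views of the machine disagree.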

