Looks Like A Cracker Has Been In
- To: "Tokyo Lignux Users' Group" <tlug@example.com>
- Subject: Looks Like A Cracker Has Been In
- From: Dennis McMurchy <denismcm@example.com>
- Date: Sun, 27 May 2001 08:16:16 +0900 (KST)
- Content-Type: TEXT/PLAIN; charset=US-ASCII
- Reply-To: tlug@example.com
- Resent-From: tlug@example.com
- Resent-Message-ID: <w6VB5B.A.eJH.pmDE7@example.com>
- Resent-Sender: tlug-request@example.com
Well, I was poking around a little trying to solve the broken FTP login problem that I've been blaming on 'ksysv', and I half-stumbled across the /var/log/secure file, where authentication attempts are logged. Imagine my shock and horror to discover that an intruder had logged into my system. I know this must sound awfully naive, but I'm rarely online for more than a few minutes at a time, so I never thought much about the fact that I do run a 'telnet' server (in spite of the known security risks). That particular day, /var/log/messages shows that I was actually online for a whole 107 minutes at a stretch!

This is the relevant bit of /var/log/secure:

May 20 14:17:20 tangrending in.telnetd[1252]: connect from 194.102.224.5
May 20 14:17:40 tangrending login: LOGIN ON ttyp3 BY games FROM ikarus.warpnet.ro

And here's the relevant bit of /var/log/messages for the same time:

May 20 12:58:12 tangrending pppd[1133]: Connect: ppp0 <--> /dev/ttyS1
May 20 12:58:19 tangrending pppd[1133]: Remote message: Login Succeeded
May 20 12:58:19 tangrending kernel: PPP BSD Compression module registered
May 20 12:58:19 tangrending kernel: PPP Deflate Compression module registered
May 20 12:58:19 tangrending pppd[1133]: local IP address 203.216.104.109
May 20 12:58:19 tangrending pppd[1133]: remote IP address 203.216.104.10
May 20 12:58:49 tangrending pppd[1133]: CCP: timeout sending Config-Requests
May 20 13:54:02 tangrending PAM_pwdb[1231]: password for (games/12) changed by ((null)/0)
May 20 14:17:40 tangrending PAM_pwdb[1253]: (login) session opened for user games by (uid=0)
May 20 14:17:59 tangrending PAM_pwdb[1253]: (login) session closed for user games
May 20 14:17:59 tangrending inetd[491]: pid 1252: exit status 1
May 20 14:45:23 tangrending pppd[1133]: Terminating on signal 2.
May 20 14:45:23 tangrending pppd[1133]: Connection terminated.
May 20 14:45:23 tangrending pppd[1133]: Connect time 107.2 minutes.

Anyway, it seems pretty damn clear that my system was cracked, and I'm wondering now if this weird authentication failure with FTP is due to something the cracker did to cover his/her tracks or to facilitate later re-entry. It seems quite possible, but I'm a complete novice at this sort of thing. I'm not even sure I can make sense of what I see in the two logfile excerpts given above. All this would be happening, of course, at one of the rare times when I don't have a complete backup of my system. Other than immediately changing my ISP passwords, what else should I be doing? Appreciate any advice you may have.

Cheers,
Dennis

--
Dennis McMurchy
Sointula, B.C., Canada / Tojinmachi, Fukuoka, Japan
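The two excerpts above already contain the whole story if they are merged into one timeline and read with a few simple rules. The script below is an added example for this thread, not code from the original message or from TLUG: it parses the classic "Mon DD HH:MM:SS host prog[pid]: msg" syslog format used by both files and flags (1) a password set on a system account, or set by a process with no login name, which is what the "((null)/0)" in the PAM_pwdb line means; (2) a remote login by a system account, with the preceding in.telnetd "connect from" address attached as the source IP; and (3) a password change on an account followed by a login as that account within a short window. The log lines are the ones quoted in the post (trimmed to the relevant ones); the uid threshold of 500, the list of system accounts and the one-hour window are assumptions of the example, not facts from the post.

```python
"""Triage of the /var/log/secure and /var/log/messages excerpts from the post.

Added example for this thread, not the poster's or TLUG's code. The uid
threshold, the system-account list and the correlation window are assumptions.
"""
import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"LOGIN ON (?P<tty>\S+) BY (?P<user>\S+) FROM (?P<src>\S+)")
PASSWD_RE = re.compile(
    r"password for \((?P<user>\w+)/(?P<uid>\d+)\) changed by \((?P<by>[^/]*)/(?P<byuid>\d+)\)"
)
TELNET_RE = re.compile(r"connect from (?P<ip>\d+\.\d+\.\d+\.\d+)")

# Assumptions: Red Hat of that era gave ordinary users uid >= 500, so anything
# below is a system account that has no business logging in interactively.
UID_MIN = 500
SYSTEM_ACCOUNTS = {"games", "bin", "daemon", "lp", "news", "uucp", "nobody"}
CORRELATION_WINDOW = timedelta(hours=1)

# The lines the poster quoted, trimmed to the ones that matter for the rules.
SECURE_LOG = """\
May 20 14:17:20 tangrending in.telnetd[1252]: connect from 194.102.224.5
May 20 14:17:40 tangrending login: LOGIN ON ttyp3 BY games FROM ikarus.warpnet.ro
"""
MESSAGES_LOG = """\
May 20 12:58:12 tangrending pppd[1133]: Connect: ppp0 <--> /dev/ttyS1
May 20 13:54:02 tangrending PAM_pwdb[1231]: password for (games/12) changed by ((null)/0)
May 20 14:17:40 tangrending PAM_pwdb[1253]: (login) session opened for user games by (uid=0)
May 20 14:17:59 tangrending PAM_pwdb[1253]: (login) session closed for user games
May 20 14:45:23 tangrending pppd[1133]: Connection terminated.
"""


def parse(text):
    """Turn syslog lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            e = m.groupdict()
            # syslog carries no year; strptime fills in 1900, which is fine for ordering
            e["when"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")
            events.append(e)
    return events


def analyze(secure_text, messages_text):
    """Merge both logs into one timeline and return findings in time order."""
    events = sorted(parse(secure_text) + parse(messages_text), key=lambda e: e["when"])
    findings = []
    last_telnet_ip = None
    uids = {}            # user -> uid, learned from PAM_pwdb lines
    passwd_changed = {}  # user -> time of the most recent password change
    for e in events:
        prog, msg, when = e["prog"], e["msg"], e["when"]
        if prog == "in.telnetd":
            t = TELNET_RE.search(msg)
            if t:
                last_telnet_ip = t["ip"]
        elif prog == "PAM_pwdb":
            p = PASSWD_RE.search(msg)
            if p:
                uids[p["user"]] = int(p["uid"])
                passwd_changed[p["user"]] = when
                # low uid, or changed by a process with no login name at all
                if int(p["uid"]) < UID_MIN or p["by"] == "(null)":
                    findings.append({"when": e["ts"], "rule": "system-account-password-change",
                                     "user": p["user"], "by": f"{p['by']}/{p['byuid']}"})
        elif prog == "login":
            l = LOGIN_RE.search(msg)
            if l:
                user = l["user"]
                if user in SYSTEM_ACCOUNTS or uids.get(user, UID_MIN) < UID_MIN:
                    findings.append({"when": e["ts"], "rule": "system-account-remote-login",
                                     "user": user, "src": l["src"], "ip": last_telnet_ip})
                changed = passwd_changed.get(user)
                if changed and timedelta(0) <= when - changed <= CORRELATION_WINDOW:
                    findings.append({"when": e["ts"], "rule": "password-change-then-login",
                                     "user": user,
                                     "delta_seconds": int((when - changed).total_seconds())})
    return findings


if __name__ == "__main__":
    for f in analyze(SECURE_LOG, MESSAGES_LOG):
        print(f)
```

Run against the quoted lines it produces three findings: the password change on games (uid 12) at 13:54:02 by "(null)/0", the telnet login as games from ikarus.warpnet.ro with 194.102.224.5 as the source, and the 1418-second gap between the two. The first finding is the one worth dwelling on: something already running as root on the box set that password at 13:54 with no login session logged around it, so the 14:17 telnet session is not the first access, only the first one the logs show. On a live machine, feed it the real files, and treat the result as a lead rather than a complete record, since logs on a compromised host can have been edited.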
- Follow-Ups:
- Re: Looks Like A Cracker Has Been In
- From: "Austin K. Kurahone" <austin@example.com>
- Re: Looks Like A Cracker Has Been In
- From: ayako kato <ayakat@example.com>
- Re: Looks Like A Cracker Has Been In
- From: Tobias Diedrich <ranma@example.com>