David Rankin wrote:
> 
> Guys, Gals:
> 
>     It looks like I may have been successfully hacked! I don't know and I
> need your help to find out. I have had many folks test my security, but
> no one has gotten in until now. The following appeared in a review of my
> syslog:
> 
> Jun 17 23:52:57 Nemesis xinetd[27314]: START: ftp pid=26954 from=210.180.201.125
> Jun 17 23:52:59 Nemesis xinetd[26954]: USERID: ftp OTHER :root
> Jun 17 23:58:35 Nemesis xinetd[27314]: START: telnet pid=26963 from=127.0.0.1
> Jun 18 00:08:02 Nemesis xinetd[27314]: EXIT: ftp pid=26954 duration=905(sec)
> 
>     The 210 IP is some Korean address from the Asian Pacific Network.
> 
>     My first question is does it look like a successful hack? Second
> question is, if so, what do I check to find out if they caused any harm,
> installed a root kit, etc....?
> 
>     As always, thanks for any help you can provide.
> 

David, say it ain't so. You are *NOT* running a ftp service on your
computer connected to the internet, right? Well it looks like you are
doing just that. What type of ftp client, and what version is it? Are
you running any kind of file monitoring, such as tripwire? Do you
have any programs for detecting rootkits? What is msec reporting about
system and file changes? Time to start checking md5sums against original
files off the install media. And shut down ftp immediately, if not
sooner....

drjung 


J. Craig Woods
UNIX/NT Network/System Administration
http://www.trismegistus.net/resume.html
Character is built upon the debris of despair --Emerson
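
An added example, not part of either message: a Python correlator for the xinetd lines quoted above. It pairs each START with its EXIT by child pid and attaches the USERID line, which xinetd logs under the child's pid; the function and field names are assumptions of this sketch, and the log lines are the ones from the post with the mail wrapping undone.

```python
import re
from ipaddress import ip_address

# Log lines from the post above, with the e-mail line wrapping undone.
SAMPLE = """\
Jun 17 23:52:57 Nemesis xinetd[27314]: START: ftp pid=26954 from=210.180.201.125
Jun 17 23:52:59 Nemesis xinetd[26954]: USERID: ftp OTHER :root
Jun 17 23:58:35 Nemesis xinetd[27314]: START: telnet pid=26963 from=127.0.0.1
Jun 18 00:08:02 Nemesis xinetd[27314]: EXIT: ftp pid=26954 duration=905(sec)
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ xinetd\[(?P<lpid>\d+)\]: "
                  r"(?P<kind>START|USERID|EXIT): (?P<svc>\S+) (?P<rest>.*)$")

def correlate(text):
    """Return one dict per xinetd session, keyed on the child pid (hypothetical helper)."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind, rest = m["kind"], m["rest"]
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        if kind == "START":
            sessions[fields["pid"]] = {
                "service": m["svc"], "start": m["ts"], "from": fields["from"],
                "ident": None, "end": None, "duration": None}
        elif kind == "USERID" and m["lpid"] in sessions:
            # Logged by the child, so the bracketed pid is the session pid.
            # The text is the remote host's RFC 1413 ident reply, not a local login.
            sessions[m["lpid"]]["ident"] = rest
        elif kind == "EXIT" and fields.get("pid") in sessions:
            s = sessions[fields["pid"]]
            s["end"] = m["ts"]
            s["duration"] = int(fields["duration"].split("(")[0])
    return sessions

def remote_sessions(sessions):
    """Sessions whose source address is not loopback."""
    return [(pid, s) for pid, s in sessions.items()
            if not ip_address(s["from"]).is_loopback]

def open_sessions(sessions):
    """Sessions with a START but no EXIT in the text that was parsed."""
    return [(pid, s) for pid, s in sessions.items() if s["end"] is None]

if __name__ == "__main__":
    found = correlate(SAMPLE)
    for pid, s in remote_sessions(found) + open_sessions(found):
        print(pid, s)
```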
