Charles Farinella wrote:
> 
> I found the following in my logs, and while I'm not sure exactly what they
> mean, I find them somewhat disconcerting.  Maybe someone can provide a
> clue for the clueless.
> 
> From /var/log/secure:
> Jun 12 15:18:55 farinella in.telnetd[1817]: connect from 64.228.199.113
> and from /var/log/messages:
> Jun 12 15:19:01 farinella telnetd[1817]: ttloop:  peer died: Invalid or
> incomplete multibyte or wide character
> 
> nslookup translates this IP address to:
> HSE-Montreal-ppp139662.sympatico.ca.
> 
> Should I do something about this?  I have since closed off telnet.

Shutting off telnet is a good start..... From the looks of it, someone
connected to your machine and tried to use a character-based
buffer-overflow to gain root. I would recommend changing all passwords
on the system and setting up an ipchains rule to deny that domain. I
would also check the dates on any critical system files to make sure
that they were not changed. Also, you may want to monitor the network
traffic on the box to make sure that it isn't being used as a drone in a
DDoS ring. 

Kenny

PS Welcome to the wonderful world of computer forensics ;-)
-- 
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************
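A small triage helper in the spirit of Kenny's advice, added here as an example and not part of the original thread: it joins the in.telnetd "connect from" lines in /var/log/secure with the telnetd "ttloop: peer died" lines in /var/log/messages on the PID, and flags sessions that died within seconds of connecting with the character-decoding error quoted above. The sample log text is constructed (the first pair of lines is the thread's own entries joined onto single lines; the second pair is made up as a normal session), and the syslog year is an assumption since syslog lines carry none.

```python
import re
from datetime import datetime

# Constructed sample input: the first line of each log is the entry quoted in
# the thread, the second is a made-up normal session for contrast.
SECURE_LOG = """\
Jun 12 15:18:55 farinella in.telnetd[1817]: connect from 64.228.199.113
Jun 12 16:02:10 farinella in.telnetd[1902]: connect from 192.168.1.20
"""
MESSAGES_LOG = """\
Jun 12 15:19:01 farinella telnetd[1817]: ttloop:  peer died: Invalid or incomplete multibyte or wide character
Jun 12 16:30:45 farinella telnetd[1902]: ttloop: peer died: Connection reset by peer
"""

CONNECT_RE = re.compile(
    r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ in\.telnetd\[(\d+)\]: connect from (\S+)')
PEERDIED_RE = re.compile(
    r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ telnetd\[(\d+)\]: ttloop: +peer died: (.*)$')

def _ts(stamp, year=2001):
    # syslog timestamps have no year; 2001 is an assumed value for the sample.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def correlate_telnet_sessions(secure_text, messages_text, max_seconds=30):
    """Join connect and peer-died lines on PID and return one record per
    session. A session is flagged suspicious when it died within
    max_seconds of connecting AND the reason is the multibyte/wide
    character decoding error: a human user rarely disconnects that fast,
    and undecodable bytes in the session are worth a closer look."""
    connects = {}
    for line in secure_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            connects[m.group(2)] = (_ts(m.group(1)), m.group(3))
    sessions = []
    for line in messages_text.splitlines():
        m = PEERDIED_RE.match(line)
        if not m or m.group(2) not in connects:
            continue  # no matching connect line for this PID
        t_conn, peer = connects[m.group(2)]
        duration = (_ts(m.group(1)) - t_conn).total_seconds()
        reason = m.group(3).strip()
        suspicious = duration <= max_seconds and "multibyte" in reason
        sessions.append({"pid": m.group(2), "peer": peer, "duration": duration,
                         "reason": reason, "suspicious": suspicious})
    return sessions

if __name__ == "__main__":
    for s in correlate_telnet_sessions(SECURE_LOG, MESSAGES_LOG):
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{flag:10} pid={s['pid']} peer={s['peer']} "
              f"died after {s['duration']:.0f}s: {s['reason']}")
```

Flagged peers are candidates for the firewall rule and file-integrity checks Kenny suggests, not proof of compromise on their own.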
