I too have had some sort of connection:
Jul 3 19:56:47 localhost in.ftpd[16221]: connect from 24.112.52.123
Name: cr444296-c.lndn1.on.wave.home.com
Address: 24.112.52.123
What else can I do to track this person down? I need telnet open on my
system for administration reasons. They are running Caldera OpenLinux and
Apache. They too are running telnet.
Ray
----- Original Message -----
From: "Kenneth E. Lussier" <[EMAIL PROTECTED]>
To: "Charles Farinella" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, July 06, 2000 8:50 AM
Subject: Re: Worrisome messages
> Charles Farinella wrote:
> >
> > I found the following in my logs, and while I'm not sure exactly what they
> > mean, I find them somewhat disconcerting. Maybe someone can provide a
> > clue for the clueless.
> >
> > From /var/log/secure:
> > Jun 12 15:18:55 farinella in.telnetd[1817]: connect from 64.228.199.113
> > and from /var/log/messages:
> > Jun 12 15:19:01 farinella telnetd[1817]: ttloop: peer died: Invalid or
> > incomplete multibyte or wide character
> >
> > nslookup translates this IP address to:
> > HSE-Montreal-ppp139662.sympatico.ca.
> >
> > Should I do something about this? I have since closed off telnet.
>
> Shutting off telnet is a good start..... From the looks of it, someone
> connected to your machine and tried to use a character-based
> buffer-overflow to gain root. I would recommend changing all passwords
> on the system and setting up an ipchains rule to deny that domain. I
> would also check the dates on any critical system files to make sure
> that they were not changed. Also, you may want to monitor the network
> traffic on the box to make sure that it isn't being used as a drone in a
> DDoS ring.
>
> Kenny
>
> PS Welcome to the wonderful world of computer forensics ;-)
> --
> Kenny Lussier
> Systems Administrator
> Mission Critical Linux
> ***********************************************************
> Life is a lesson, you learn it at the end
> Reality has become increasingly less accurate
> ***********************************************************
>
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************
>
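The triage both posters are doing by hand (matching tcp_wrappers-style "connect from" lines to the later "ttloop: peer died" message on the same daemon PID) can be scripted. This is an added example, not code from the thread or from any of the posters; the log lines it parses are constructed in the format quoted above, and the regex assumes standard syslog layout (month, day, time, host, daemon[pid]: message).

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the thread: tcp_wrappers
# "connect from" lines plus the telnetd "ttloop: peer died" message.
SAMPLE_LOG = """\
Jun 12 15:18:55 farinella in.telnetd[1817]: connect from 64.228.199.113
Jun 12 15:19:01 farinella telnetd[1817]: ttloop: peer died: Invalid or incomplete multibyte or wide character
Jul  3 19:56:47 localhost in.ftpd[16221]: connect from 24.112.52.123
Jul  3 20:01:10 localhost in.telnetd[16230]: connect from 192.0.2.10
Jul  3 20:05:44 localhost telnetd[16230]: connection closed by peer
"""

# Syslog line: "<Mon> <day> <hh:mm:ss> <host> [in.]<daemon>[<pid>]: <message>"
# The optional "in." prefix is stripped so in.telnetd and telnetd share a name.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?:in\.)?(?P<svc>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def parse_wrapper_log(text):
    """Return (connects, abnormal).

    connects: source IP -> list of (service, pid) that accepted it.
    abnormal: (source IP, pid, message) for sessions whose daemon later
              logged 'ttloop: peer died', keyed back to the IP that
              opened that PID, which is the correlation done by hand above.
    """
    connects = defaultdict(list)
    pid_owner = {}  # pid -> source IP taken from its "connect from" line
    abnormal = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        svc, pid, msg = m["svc"], m["pid"], m["msg"]
        if msg.startswith("connect from "):
            ip = msg.split()[-1]
            connects[ip].append((svc, pid))
            pid_owner[pid] = ip
        elif "ttloop: peer died" in msg and pid in pid_owner:
            abnormal.append((pid_owner[pid], pid, msg))
    return dict(connects), abnormal


if __name__ == "__main__":
    conns, flagged = parse_wrapper_log(SAMPLE_LOG)
    for ip, sessions in conns.items():
        print(ip, sessions)
    for ip, pid, msg in flagged:
        print("abnormal session from", ip, "pid", pid, ":", msg)
```

Run it against a real /var/log/secure and /var/log/messages concatenated together; the ordinary "connection closed by peer" ending on PID 16230 is deliberately not flagged, so only the session that died inside ttloop is reported.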