Hi Suresh,
Checked all the log files. Enclosed below are some entries from that file:
---------------Entries from messages.1 log file-------------------
Jun 2 13:21:24 mail identd[21170]: Connection from 207.3.92.230
Jun 2 13:21:24 mail identd[21170]: from: 207.3.92.230 ( 207.3.92.230 ) for: 111, 111
Jun 2 13:21:25 mail identd[21170]: Returned: 111 , 111 : NO-USER
Jun 2 13:21:25 mail identd[21186]: Connection from 207.3.92.230
Jun 2 13:21:25 mail identd[21186]: from: 207.3.92.230 ( 207.3.92.230 ) for: 111, 111
Jun 2 13:21:25 mail identd[21186]: Returned: 111 , 111 : NO-USER
Jun 2 13:21:26 mail identd[21182]: Connection from 207.3.92.230
Jun 2 13:21:26 mail identd[21182]: from: 207.3.92.230 ( 207.3.92.230 ) for: 111, 111
Jun 2 13:21:26 mail identd[21183]: Connection from 207.3.92.230
Jun 2 13:21:26 mail identd[21183]: from: 207.3.92.230 ( 207.3.92.230 ) for: 111, 111
Jun 2 13:21:26 mail identd[21183]: Returned: 111 , 111 : NO-USER
Jun 2 13:21:26 mail identd[21182]: Returned: 111 , 111 : NO-USER
Jun 2 13:21:27 mail identd[21187]: Connection from 207.3.92.230
Jun 2 13:21:27 mail identd[21187]: from: 207.3.92.230 ( 207.3.92.230 ) for: 2474, 111
Jun 2 13:21:28 mail identd[21188]: Connection from 207.3.92.230
Jun 2 13:21:28 mail identd[21188]: from: 207.3.92.230 ( 207.3.92.230 ) for: 995, 111
Jun 2 13:23:52 mail identd[21320]: Connection from redlider.com.UY
Jun 2 13:23:52 mail identd[21320]: from: 207.3.120.254 ( redlider.com.UY ) for: 111, 111
Jun 2 13:23:52 mail identd[21320]: Returned: 111 , 111 : NO-USER
Jun 2 13:23:53 mail identd[21321]: Connection from d155.redlider.com.UY
Jun 2 13:23:53 mail identd[21321]: from: 207.3.120.155 ( d155.redlider.com.UY ) for: 111, 111
Jun 2 13:23:54 mail identd[21321]: Returned: 111 , 111 : NO-USER
Jun 2 13:39:40 mail named[364]: Cleaned cache of 0 RRs
Jun 2 13:39:40 mail named[364]: USAGE 959933380 959094579 CPU=0.01u/0s CHILDCPU=0u/0s
Jun 2 13:39:40 mail named[364]: NSTATS 959933380 959094579
Jun 2 13:39:40 mail named[364]: XSTATS 959933380 959094579 RR=1 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=1 SAns=0 SFwdQ=0 SDupQ=1 SErr=0 RQ=0 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFErr=0 SNaAns=0 SNXD=0
Jun 2 13:57:10 mail kernel: 207.5.2.50 sent an invalid ICMP error to a broadcast.
Jun 2 14:01:00 mail PAM_pwdb[21442]: (su) session opened for user news by (uid=0)
Jun 2 14:01:01 mail PAM_pwdb[21442]: (su) session closed for user news
Jun 2 14:39:40 mail named[364]: Cleaned cache of 0 RRs
Jun 2 14:39:40 mail named[364]: USAGE 959936980 959094579 CPU=0.01u/0s CHILDCPU=0u/0s
Jun 2 14:39:40 mail named[364]: NSTATS 959936980 959094579
Jun 2 14:39:40 mail named[364]: XSTATS 959936980 959094579 RR=1 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=1 SAns=0 SFwdQ=0 SDupQ=1 SErr=0 RQ=0 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFErr=0 SNaAns=0 SNXD=0
Jun 2 15:01:00 mail PAM_pwdb[22396]: (su) session opened for user news by (uid=0)
Jun 2 15:01:01 mail PAM_pwdb[22396]: (su) session closed for user news
Jun 2 15:13:21 mail identd[22855]: Connection from three.licks.to.the.center.of.your.pussypop.org
Jun 2 15:13:21 mail identd[22855]: from: 207.8.129.60 ( three.licks.to.the.center.of.your.pussypop.org ) for: 111, 111
Jun 2 15:13:21 mail identd[22855]: Returned: 111 , 111 : NO-USER
Jun 2 15:13:26 mail identd[22885]: Connection from lives.in.a.box.under.the.sign.for.omnio.COM
Jun 2 15:13:26 mail identd[22885]: from: 207.8.129.61 ( lives.in.a.box.under.the.sign.for.omnio.COM ) for: 111, 111
Jun 2 15:13:26 mail identd[22885]: Returned: 111 , 111 : NO-USER
Jun 2 15:13:30 mail identd[22914]: Connection from cant.seem.to.spell.omnio.COM
Jun 2 15:13:30 mail identd[22914]: from: 207.8.129.62 ( cant.seem.to.spell.omnio.COM ) for: 111, 111
Jun 2 15:13:30 mail identd[22914]: Returned: 111 , 111 : NO-USER
Jun 2 15:13:34 mail identd[22929]: Connection from mastered.the.kamma.sutra.at.omnio.COM
Jun 2 15:13:34 mail identd[22929]: from: 207.8.129.63 ( mastered.the.kamma.sutra.at.omnio.COM ) for: 111, 111
Jun 2 15:13:34 mail identd[22929]: Returned: 111 , 111 : NO-USER
Jun 2 15:13:38 mail identd[22956]: Connection from boinked.your.girlfriend.3times.intheback.ofhis.omnio.COM
Jun 2 15:13:38 mail identd[22956]: from: 207.8.129.64 ( boinked.your.girlfriend.3times.intheback.ofhis.omnio.COM ) for: 111, 111
Jun 2 15:13:39 mail identd[22956]: Returned: 111 , 111 : NO-USER
Jun 2 15:13:44 mail identd[22976]: Connection from polished.off.a.30pack.and.passedout.at.omnio.COM
Jun 2 15:13:44 mail identd[22976]: from: 207.8.129.65 ( polished.off.a.30pack.and.passedout.at.omnio.COM ) for: 111, 111
Jun 2 15:13:44 mail identd[22976]: Returned: 111 , 111 : NO-USER
Jun 2 15:13:48 mail identd[22977]: Connection from www.slash.dot.comma.hyphen.dash.blah.omnio.COM
Jun 2 15:13:48 mail identd[22977]: from: 207.8.129.66 ( www.slash.dot.comma.hyphen.dash.blah.omnio.COM ) for: 111, 111
Jun 2 15:13:48 mail identd[22977]: Returned: 111 , 111 : NO-USER
Jun 2 15:13:53 mail identd[22978]: Connection from did.a.fat.line.of.K.and.fell.out.of.his.chair.at.omnio.COM
Jun 2 15:13:53 mail identd[22978]: from: 207.8.129.67 ( did.a.fat.line.of.K.and.fell.out.of.his.chair.at.omnio.COM ) for: 111, 111
Jun 2 15:13:53 mail identd[22978]: Returned: 111 , 111 : NO-USER
Jun 2 15:13:59 mail identd[23008]: Connection from started.a.fight-club.at.omnio.COM
Jun 2 15:13:59 mail identd[23008]: from: 207.8.129.68 ( started.a.fight-club.at.omnio.COM ) for: 111, 111
Jun 2 15:13:59 mail identd[23008]: Returned: 111 , 111 : NO-USER
Jun 2 15:14:04 mail identd[23013]: Connection from what.the.hell.is.moonsee.COM
Jun 2 15:14:04 mail identd[23013]: from: 207.8.129.69 ( what.the.hell.is.moonsee.COM ) for: 111, 111
Jun 2 15:14:05 mail identd[23013]: Returned: 111 , 111 : NO-USER
Jun 2 15:14:09 mail identd[23051]: Connection from 207.8.129.70
Jun 2 15:14:09 mail identd[23051]: from: 207.8.129.70 ( 207.8.129.70 ) for: 111, 111
Jun 2 15:14:10 mail identd[23051]: Returned: 111 , 111 : NO-USER
Jun 2 15:14:14 mail identd[23088]: Connection from www.sandracamomile.COM
Jun 2 15:14:14 mail identd[23088]: from: 207.8.129.71 ( www.sandracamomile.COM ) for: 111, 111
Jun 2 15:14:14 mail identd[23088]: Returned: 111 , 111 : NO-USER
Jun 2 15:14:17 mail identd[23127]: Connection from 207.8.129.75
Jun 2 15:14:17 mail identd[23127]: from: 207.8.129.75 ( 207.8.129.75 ) for: 111, 111
Jun 2 15:14:17 mail identd[23127]: Returned: 111 , 111 : NO-USER
Jun 2 15:14:24 mail identd[23154]: Connection from troll.omnio.COM
Jun 2 15:14:24 mail identd[23154]: from: 207.106.6.226 ( troll.omnio.COM ) for: 111, 111
Jun 2 15:14:25 mail identd[23154]: Returned: 111 , 111 : NO-USER
Jun 2 15:39:40 mail named[364]: Cleaned cache of 0 RRs
-----------Entries from messages log file------------------
Jun 6 03:45:53 mail ftpd[7612]: ANONYMOUS FTP LOGIN FROM 1Cust107.tnt4.manassas.va.da.UU.NET [63.26.198.107], [EMAIL PROTECTED]
Jun 6 03:46:40 mail ftpd[7612]: FTP session closed
Jun 6 03:49:00 mail ftpd[7632]: ANONYMOUS FTP LOGIN FROM 1Cust107.tnt4.manassas.va.da.UU.NET [63.26.198.107], [EMAIL PROTECTED]
Jun 6 09:19:14 mail login[1056]: ROOT LOGIN on `tty1'
Jun 6 03:49:24 mail ftpd[7632]: FTP session closed
Jun 6 09:26:33 mail identd[7708]: Connection from 1Cust86.tnt4.krk1.da.UU.NET
Jun 6 09:26:33 mail identd[7708]: from: 63.27.1.86 ( 1Cust86.tnt4.krk1.da.UU.NET ) for: 111, 111
Jun 6 09:26:33 mail identd[7708]: Returned: 111 , 111 : NO-USER
Jun 6 09:26:34 mail identd[7709]: Connection from 1Cust86.tnt4.krk1.da.UU.NET
Jun 6 09:26:34 mail identd[7709]: from: 63.27.1.86 ( 1Cust86.tnt4.krk1.da.UU.NET ) for: 2145, 111
Jun 6 09:26:36 mail identd[7710]: Connection from 1Cust86.tnt4.krk1.da.UU.NET
Jun 6 09:26:36 mail identd[7710]: from: 63.27.1.86 ( 1Cust86.tnt4.krk1.da.UU.NET ) for: 675, 111
Jun 6 09:38:39 mail identd[7808]: Connection from 1Cust71.tnt1.delaware.oh.da.UU.NET
Jun 6 09:38:39 mail identd[7808]: from: 63.27.143.71 ( 1Cust71.tnt1.delaware.oh.da.UU.NET ) for: 2238, 111
Jun 6 09:47:21 mail identd[7860]: Connection from 1Cust234.tnt11.hou3.da.UU.NET
Jun 6 09:47:21 mail identd[7860]: from: 63.27.245.234 ( 1Cust234.tnt11.hou3.da.UU.NET ) for: 111, 111
Jun 6 09:47:21 mail identd[7860]: Returned: 111 , 111 : NO-USER
Jun 6 09:47:22 mail identd[7861]: Connection from 1Cust234.tnt11.hou3.da.UU.NET
Jun 6 09:47:22 mail identd[7861]: from: 63.27.245.234 ( 1Cust234.tnt11.hou3.da.UU.NET ) for: 2286, 111
Jun 6 09:47:23 mail identd[7862]: Connection from 1Cust234.tnt11.hou3.da.UU.NET
Jun 6 09:47:23 mail identd[7862]: from: 63.27.245.234 ( 1Cust234.tnt11.hou3.da.UU.NET ) for: 827, 111
--------------------End of log report---------
I have observed a lot of dummy domain names in the file.
Now I have stopped the portmap service on my server. Is it ok?
Or how do I prevent anonymous logins?
Thanks in advance
Regards,
Krishna Rao
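A small triage script for the kind of excerpt posted above, added here as an example; it is not code from Krishna, Suresh or the list. It parses the syslog-style lines, tallies identd queries per querying address and how many of them mention port 111, flags spans where many distinct addresses query within a short window (the 15:13 to 15:14 run in the excerpt), and lists anonymous FTP and root logins. Assumptions: the pidentd message format is exactly as it appears in the excerpt, the year is 2000 (syslog lines carry none), the "for: a, b" pair is treated only as two port numbers, and the 60-second / 5-source thresholds are illustrative. The sample lines are copied from the excerpt with wrapped lines re-joined.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: entries copied from the log excerpt in the post above, with
# wrapped lines re-joined. syslog omits the year, so 2000 is assumed here.
ASSUMED_YEAR = 2000
SAMPLE_LOG = """\
Jun 2 13:21:24 mail identd[21170]: Connection from 207.3.92.230
Jun 2 13:21:24 mail identd[21170]: from: 207.3.92.230 ( 207.3.92.230 ) for: 111, 111
Jun 2 13:21:27 mail identd[21187]: from: 207.3.92.230 ( 207.3.92.230 ) for: 2474, 111
Jun 2 13:21:28 mail identd[21188]: from: 207.3.92.230 ( 207.3.92.230 ) for: 995, 111
Jun 2 13:23:52 mail identd[21320]: from: 207.3.120.254 ( redlider.com.UY ) for: 111, 111
Jun 2 15:13:48 mail identd[22977]: from: 207.8.129.66 ( www.slash.dot.comma.hyphen.dash.blah.omnio.COM ) for: 111, 111
Jun 2 15:14:04 mail identd[23013]: from: 207.8.129.69 ( what.the.hell.is.moonsee.COM ) for: 111, 111
Jun 2 15:14:09 mail identd[23051]: from: 207.8.129.70 ( 207.8.129.70 ) for: 111, 111
Jun 2 15:14:14 mail identd[23088]: from: 207.8.129.71 ( www.sandracamomile.COM ) for: 111, 111
Jun 2 15:14:17 mail identd[23127]: from: 207.8.129.75 ( 207.8.129.75 ) for: 111, 111
Jun 2 15:14:24 mail identd[23154]: from: 207.106.6.226 ( troll.omnio.COM ) for: 111, 111
Jun 6 03:45:53 mail ftpd[7612]: ANONYMOUS FTP LOGIN FROM 1Cust107.tnt4.manassas.va.da.UU.NET [63.26.198.107], [EMAIL PROTECTED]
Jun 6 09:19:14 mail login[1056]: ROOT LOGIN on `tty1'
Jun 6 09:26:34 mail identd[7709]: from: 63.27.1.86 ( 1Cust86.tnt4.krk1.da.UU.NET ) for: 2145, 111
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# pidentd "from:" line as seen in the excerpt: querying address, reverse name, port pair
IDENT_QUERY_RE = re.compile(r"^from: (?P<ip>[\d.]+) \( (?P<name>\S+) \) for: (?P<p1>\d+), (?P<p2>\d+)$")


def parse_line(line):
    """Split one syslog line into its fields; None if the line does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{ASSUMED_YEAR} {rec['mon']} {rec['day']} {rec['time']}",
                                  "%Y %b %d %H:%M:%S")
    return rec


def ident_queries(lines):
    """Return the ident queries the server answered: who asked, and about which port pair."""
    out = []
    for line in lines:
        rec = parse_line(line)
        q = IDENT_QUERY_RE.match(rec["msg"]) if rec and rec["prog"] == "identd" else None
        if q:
            out.append({"ts": rec["ts"], "ip": q["ip"], "name": q["name"],
                        "ports": (int(q["p1"]), int(q["p2"]))})
    return out


def summarize_ident(queries, port=111):
    """Per querying address: query count, how many involve `port`, reverse names seen."""
    by_ip = defaultdict(lambda: {"queries": 0, "port_hits": 0, "names": set()})
    for q in queries:
        s = by_ip[q["ip"]]
        s["queries"] += 1
        s["port_hits"] += int(port in q["ports"])
        if q["name"] != q["ip"]:          # keep the reverse name only when one resolved
            s["names"].add(q["name"])
    return dict(by_ip)


def bursts(queries, window_s=60, min_sources=5):
    """Sliding window over the queries: spans in which at least `min_sources` distinct
    addresses query within `window_s` seconds. Overlapping spans are merged."""
    qs = sorted(queries, key=lambda q: q["ts"])
    found, i = [], 0
    for j in range(len(qs)):
        while (qs[j]["ts"] - qs[i]["ts"]).total_seconds() > window_s:
            i += 1
        srcs = {q["ip"] for q in qs[i:j + 1]}
        if len(srcs) < min_sources:
            continue
        if found and qs[i]["ts"] <= found[-1]["end"]:   # overlaps the previous span
            found[-1]["end"] = qs[j]["ts"]
            found[-1]["sources"] |= srcs
        else:
            found.append({"start": qs[i]["ts"], "end": qs[j]["ts"], "sources": srcs})
    return found


def other_events(lines):
    """Non-ident entries worth a second look: anonymous FTP logins and root logins."""
    flagged = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        if rec["prog"] == "ftpd" and rec["msg"].startswith("ANONYMOUS FTP LOGIN"):
            flagged.append(("anonymous-ftp", rec["ts"], rec["msg"]))
        elif rec["prog"] == "login" and rec["msg"].startswith("ROOT LOGIN"):
            flagged.append(("root-login", rec["ts"], rec["msg"]))
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, s in summarize_ident(ident_queries(lines)).items():
        print(f"{ip:16} queries={s['queries']} port111={s['port_hits']} names={sorted(s['names'])}")
    for b in bursts(ident_queries(lines)):
        print(f"burst {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}: {sorted(b['sources'])}")
    for kind, ts, msg in other_events(lines):
        print(f"{kind:14} {ts:%b %d %H:%M:%S} {msg}")
```

Run it against the real file with `python3 triage.py < /var/log/messages` after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`; the per-address table separates one host retrying (207.3.92.230, three queries) from the sweep of adjacent 207.8.129.x addresses, and the burst span is the part that deserves attention rather than any single NO-USER line.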
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Suresh Ramasubramanian
Sent: Tuesday, June 06, 2000 2:08 PM
To: [EMAIL PROTECTED]
Subject: Re: [LIH] Re: unauthorized access attempt - portscan
Krishna Rao SN saw fit to inform LI that:
>I am new to Linux. Kindly tell me which report/log files to check & where they are
>located?
>It is urgent. Maybe someone is using my system to portscan port 111.
/var/log/messages should do for a start - and /var/log/maillog to see if
you have any mails going out of your system.
Check the other files in /var/log as well.
-suresh
--
Suresh Ramasubramanian | sureshr at staff.juno.com
The problem with any unwritten law is that you don't know where to go
to erase it.
-- Glaser and Way
-----------------------------------------------------------------------
Check out the 'What to do before posting to the list' site
for a list of things to try before posting. The site is
at http://botsie.tripod.com/beforeposting/