Krishna Rao SN saw fit to inform LI that:
>Checked all the log files. Enclosed below some entries from that file:
>Jun 2 13:23:52 mail identd[21320]: Connection from redlider.com.UY
>Jun 2 13:23:52 mail identd[21320]: from: 207.3.120.254 ( redlider.com.UY ) for: 111,
>111
This _may_ be genuine ... a cracker in Uruguay ... (but most likely
another hacked box) - ARIN contact [EMAIL PROTECTED]
>Jun 2 15:13:21 mail identd[22855]: Connection from
>three.licks.to.the.center.of.your.pussypop.org
>Jun 2 15:13:21 mail identd[22855]: from: 207.8.129.60 (
>three.licks.to.the.center.of.your.pussypop.org ) for: 111, 111
This exists too!!! ARIN contact [EMAIL PROTECTED]
>Jun 2 15:13:21 mail identd[22855]: Returned: 111 , 111 : NO-USER
>Jun 2 15:13:26 mail identd[22885]: Connection from
>lives.in.a.box.under.the.sign.for.omnio.COM
>Jun 2 15:13:26 mail identd[22885]: from: 207.8.129.61 (
>lives.in.a.box.under.the.sign.for.omnio.COM ) for: 111, 111
Again Uruguay, again [EMAIL PROTECTED]
>Jun 2 15:13:26 mail identd[22885]: Returned: 111 , 111 : NO-USER
>Jun 2 15:13:30 mail identd[22914]: Connection from cant.seem.to.spell.omnio.COM
>Jun 2 15:13:30 mail identd[22914]: from: 207.8.129.62 ( cant.seem.to.spell.omnio.COM
>) for: 111, 111
[EMAIL PROTECTED] again
>Jun 2 15:13:30 mail identd[22914]: Returned: 111 , 111 : NO-USER
>Jun 2 15:13:34 mail identd[22929]: Connection from
>mastered.the.kamma.sutra.at.omnio.COM
>Jun 2 15:13:34 mail identd[22929]: from: 207.8.129.63 (
>mastered.the.kamma.sutra.at.omnio.COM ) for: 111, 111
[EMAIL PROTECTED]
>Jun 2 15:13:34 mail identd[22929]: Returned: 111 , 111 : NO-USER
>Jun 2 15:13:38 mail identd[22956]: Connection from
>boinked.your.girlfriend.3times.intheback.ofhis.omnio.COM
>Jun 2 15:13:38 mail identd[22956]: from: 207.8.129.64 (
>boinked.your.girlfriend.3times.intheback.ofhis.omnio.COM ) for: 111, 111
[EMAIL PROTECTED]
>Jun 2 15:13:39 mail identd[22956]: Returned: 111 , 111 : NO-USER
>Jun 2 15:13:44 mail identd[22976]: Connection from
>polished.off.a.30pack.and.passedout.at.omnio.COM
>Jun 2 15:13:44 mail identd[22976]: from: 207.8.129.65 (
>polished.off.a.30pack.and.passedout.at.omnio.COM ) for: 111, 111
[EMAIL PROTECTED]
>Jun 2 15:13:44 mail identd[22976]: Returned: 111 , 111 : NO-USER
>Jun 2 15:13:48 mail identd[22977]: Connection from
>www.slash.dot.comma.hyphen.dash.blah.omnio.COM
>Jun 2 15:13:48 mail identd[22977]: from: 207.8.129.66 (
>www.slash.dot.comma.hyphen.dash.blah.omnio.COM ) for: 111, 111
[EMAIL PROTECTED]
>Jun 2 15:13:48 mail identd[22977]: Returned: 111 , 111 : NO-USER
>Jun 2 15:13:53 mail identd[22978]: Connection from
>did.a.fat.line.of.K.and.fell.out.of.his.chair.at.omnio.COM
>Jun 2 15:13:53 mail identd[22978]: from: 207.8.129.67 (
>did.a.fat.line.of.K.and.fell.out.of.his.chair.at.omnio.COM ) for: 111, 111
[EMAIL PROTECTED]
>-----------Entries from messages log file------------------
>Jun 6 03:45:53 mail ftpd[7612]: ANONYMOUS FTP LOGIN FROM
>1Cust107.tnt4.manassas.va.da.UU.NET [63.26.198.107], [EMAIL PROTECTED]
>Jun 6 03:46:40 mail ftpd[7612]: FTP session closed
>Jun 6 03:49:00 mail ftpd[7632]: ANONYMOUS FTP LOGIN FROM
>1Cust107.tnt4.manassas.va.da.UU.NET [63.26.198.107], [EMAIL PROTECTED]
>Jun 6 09:19:14 mail login[1056]: ROOT LOGIN on `tty1'
Lot of FTPs from uu.net - complain to [EMAIL PROTECTED] (and turn off anon FTP
on your server, deny FTP access to all except trusted users ...)
>--------------------End of log report---------
>
>I have observed a lot of dummy domain names in the file.
>Now I have stopped the portmap service on my server. Is it ok?
Do an nslookup - no dummy domain names. From the stupid names there - I
think [EMAIL PROTECTED] is your culprit.
>Or how to prevent anonymous logins?
http://www.bastille-linux.org/
Install a good router and use ACLs to restrict access to certain IP
blocks. A lot more blocking etc. rules in the Cisco manuals and all over the
web.
--
Suresh Ramasubramanian | sureshr at staff.juno.com
Adolescence, n.:
The stage between puberty and adultery.
-----------------------------------------------------------------------
For more information on the LIH mailing list see:
http://lists.linux-india.org/lists/LIH
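
An added example, not part of the original message: a small triage script that parses identd "from:" entries in the format quoted above and groups the querying hosts by source /24, so a burst of lookups from neighbouring addresses stands out from a lone one. The sample lines are constructed from that format (unwrapped onto one line each, hostnames replaced by placeholders); the thresholds, the /24 grouping and the assumed year are choices made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: identd entries in the quoted format, one per line,
# with placeholder hostnames. Wrapped log lines must be rejoined first.
SAMPLE_LOG = """\
Jun 2 13:23:52 mail identd[21320]: from: 207.3.120.254 ( host-a.example ) for: 111, 111
Jun 2 15:13:21 mail identd[22855]: from: 207.8.129.60 ( host-b.example ) for: 111, 111
Jun 2 15:13:21 mail identd[22855]: Returned: 111 , 111 : NO-USER
Jun 2 15:13:26 mail identd[22885]: from: 207.8.129.61 ( host-c.example ) for: 111, 111
Jun 2 15:13:30 mail identd[22914]: from: 207.8.129.62 ( host-d.example ) for: 111, 111
Jun 2 15:13:34 mail identd[22929]: from: 207.8.129.63 ( host-e.example ) for: 111, 111
"""
ASSUMED_YEAR = 2000  # syslog lines carry no year; any fixed year works for spans
FROM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+identd\[\d+\]:\s+from:\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(\s*\S+\s*\)\s+"
    r"for:\s*(?P<lport>\d+)\s*,\s*(?P<rport>\d+)")

def parse(log_text):
    """Yield (timestamp, source_ip, local_port, remote_port) per 'from:' entry."""
    for line in log_text.splitlines():
        m = FROM_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], int(m["lport"]), int(m["rport"])

def sweeps(log_text, min_sources=3, max_span_seconds=300):
    """Return {network: sorted source IPs} for /24s with many sources in a short span."""
    by_net = defaultdict(list)
    for ts, ip, _lport, _rport in parse(log_text):
        net = str(ip_network(f"{ip}/24", strict=False))
        by_net[net].append((ts, ip))
    flagged = {}
    for net, hits in by_net.items():
        sources = sorted({ip for _, ip in hits}, key=ip_address)
        span = (max(t for t, _ in hits) - min(t for t, _ in hits)).total_seconds()
        if len(sources) >= min_sources and span <= max_span_seconds:
            flagged[net] = sources
    return flagged

if __name__ == "__main__":
    for net, sources in sweeps(SAMPLE_LOG).items():
        print(f"{net}: {len(sources)} sources: {', '.join(sources)}")
```

A flagged network is a candidate for a single router ACL entry or one abuse report covering the whole block, rather than one per address.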