I just checked 'last' (actually I ran it as 'last -ad') and I have
a few ftp logins that I do not recognise. They are from all over
the place. I paste a sample here (last -ad ftp):
---------------------
karthik  Thu Jul 6  15:22 - 15:29  (00:06)  ka3-170.dartmouth.edu
karthik  Thu Jul 6  15:21 - 15:22  (00:00)  ka3-170.dartmouth.edu
ftp      Thu Jul 6  09:36 - 09:36  (00:00)  ip96.st-louis15.mo.pub-ip.psi.net
karthik  Thu Jul 6  09:32 - 09:33  (00:00)  ka3-186.dartmouth.edu
ftp      Wed Jul 5  21:03 - 21:03  (00:00)  ka3-117.dartmouth.edu
karthik  Wed Jul 5  21:01 - 21:03  (00:01)  ka3-117.dartmouth.edu
karthik  Wed Jul 5  20:59 - 21:01  (00:01)  ka3-117.dartmouth.edu
karthik  Wed Jul 5  18:52 - 18:55  (00:02)  ka4-241.dartmouth.edu
karthik  Wed Jul 5  18:52 - 18:52  (00:00)  ka4-241.dartmouth.edu
karthik  Wed Jul 5  18:50 - 18:52  (00:01)  ka3-207.dartmouth.edu
karthik  Wed Jul 5  18:48 - 18:50  (00:01)  ka3-207.dartmouth.edu
karthik  Wed Jul 5  18:42 - 18:44  (00:01)  ka3-207.dartmouth.edu
karthik  Wed Jul 5  18:35 - 18:36  (00:00)  ka3-207.dartmouth.edu
karthik  Wed Jul 5  18:15 - 18:16  (00:01)  ka3-207.dartmouth.edu
karthik  Tue Jul 4  22:50 - 22:50  (00:00)  ka3-121.dartmouth.edu
karthik  Tue Jul 4  22:48 - 22:50  (00:01)  ka3-121.dartmouth.edu
karthik  Tue Jul 4  22:14 - 22:15  (00:00)  ka3-121.dartmouth.edu
karthik  Tue Jul 4  22:05 - 22:13  (00:07)  ka3-121.dartmouth.edu
karthik  Tue Jul 4  22:04 - 22:05  (00:00)  ka3-121.dartmouth.edu
ftp      Mon Jul 3  06:04 - 06:04  (00:00)  d82116.dtk.chello.nl
ftp      Sat Jul 1  09:04 - 09:04  (00:00)  cc234727-a.mtpls1.sc.home.com
---------------------
I am the only person who uses this machine. I use a dialup connection to
Dartmouth, and all addresses must end in .dartmouth.edu, which is not
the case here.
How do I disable access to this machine for all users other than the ones
I want to have access to it?
What does this all mean? So is a reinstall the only way to go? How can I
prevent such things from happening? I am a newbie to most of this and use Linux
primarily as it's a great place for me to run my research programs, with
native C support etc.
Thanks,
-Karthik.
On Fri, 7 Jul 2000, Christoph Hammann wrote:
> Hi Karthik,
> The command for seeing who was logged into your machine is "last" and to
> see who is logged in, it is "w" or "who". I always forget which of these
> two it is and right now am not at my Linux computer to check. Concerning
> your other question (could the box behaving strangely be affected by a
> virus and are all processes showing up in "ps aux"): I agree with Richard
> (who wouldn't?) that it is improbable that you have caught a virus, but if
> the box sits on an insecure internet connection (insecure as in "in any
> way exploitable", especially if it is a 24/7 connection with a static IP)
> you could have been rooted. That could mean that a cracker has taken over
> the box and exchanged common programs for patched versions with malicious
> functions (e.g. attacking other machines on the web). These would show up
> normally in ps aux and top and perhaps even execute their normal functions
> if invoked, but possibly also their malicious functions. I'd go to the
> box, yank out its net connection physically, shut it down and then reboot
> it from the install media or a floppy distribution. Then I'd compare the
> sizes and checksums of common programs in /bin, /sbin, /usr/bin,
> /usr/X11R6, /root and so on with those on the install media. I'd look for
> shell scripts that you didn't put there yourself. This last thing is
> unlikely to turn up anything if the attacker has had time to clean up
> after the deed, but you never know, it could have been some naive script
> kiddie. HTH, and read the "Cracked!" series on www.rootprompt.org !
> Bye, Christoph
-
To unsubscribe from this list: send the line "unsubscribe linux-newbie" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.linux-learn.org/faqs
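Karthik's question about the unrecognised logins, worked through as an added example that is not part of the original thread: a small shell script that reads 'last -a' output and flags what should never appear on a single-user box. The sample lines are constructed from those pasted in the message, plus one made-up line from dialup-17.example.net so that both rules fire; the expected domain dartmouth.edu is an assumption taken from the message, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: triage 'last -a' output for logins
# that should not be there on a single-user dialup box. Two rules: the
# anonymous 'ftp' account should never log in at all, and real logins should
# come only from hosts under the expected domain. The sample is constructed
# from the lines pasted in the message, plus one made-up line from
# dialup-17.example.net so that the second rule fires too.

EXPECTED_DOMAIN=dartmouth.edu    # assumption taken from the message

# Constructed sample in the shape of 'last -ad' output; with -a the host is
# the last field, which is all the parser relies on.
SAMPLE_LAST='karthik Thu Jul 6 15:22 - 15:29 (00:06) ka3-170.dartmouth.edu
ftp Thu Jul 6 09:36 - 09:36 (00:00) ip96.st-louis15.mo.pub-ip.psi.net
ftp Wed Jul 5 21:03 - 21:03 (00:00) ka3-117.dartmouth.edu
karthik Wed Jul 5 21:01 - 21:03 (00:01) ka3-117.dartmouth.edu
karthik Tue Jul 4 22:50 - 22:50 (00:00) dialup-17.example.net
ftp Mon Jul 3 06:04 - 06:04 (00:00) d82116.dtk.chello.nl
ftp Sat Jul 1 09:04 - 09:04 (00:00) cc234727-a.mtpls1.sc.home.com

wtmp begins Sat Jul 1 00:00:00 2000'

# flag_logins DOMAIN   reads 'last -a' lines on stdin and prints one line per
# hit: "REASON user host". Blank lines, the 'wtmp begins' trailer and the
# reboot/shutdown pseudo-entries (whose last field is a kernel version, not a
# host) are skipped. The domain test keeps the leading dot, so a host under
# evildartmouth.edu does not pass as dartmouth.edu.
flag_logins() {
    awk -v dom="$1" '
        BEGIN { suf = "." dom }
        NF < 2 || $1 == "wtmp" || $1 == "reboot" || $1 == "shutdown" { next }
        {
            user = $1; host = $NF
            if (user == "ftp")
                print "ANON_FTP", user, host
            else if (substr(host, length(host) - length(suf) + 1) != suf)
                print "FOREIGN_HOST", user, host
        }'
}

# Number of hits in the sample. A cron job would run
#   last -a | flag_logins dartmouth.edu
# and mail the output whenever it is not empty.
count_flagged() {
    printf '%s\n' "$SAMPLE_LAST" | flag_logins "$EXPECTED_DOMAIN" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LAST" | flag_logins "$EXPECTED_DOMAIN"
```

Two caveats a practitioner would add. First, 'last' reads /var/log/wtmp, which root can edit, so on a box that may already be rooted an empty report proves nothing; it is the positive hits that are informative. Second, for the "disable access" question on an inetd-based system of that era (an assumption about the setup), the blunt fix is to comment the ftp line out of /etc/inetd.conf and send inetd a HUP, and to put 'ALL: ALL' in /etc/hosts.deny with 'ALL: .dartmouth.edu' in /etc/hosts.allow so tcp_wrappers rejects every other source for the remaining services.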
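The integrity check Christoph describes (boot from clean media, then compare sizes and checksums of /bin, /sbin, /usr/bin and so on against the install media), as an added example that is not code from the thread. The paths $CLEAN and $SUSPECT, the function names, and the fixture that 'demo' builds in a temporary directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares files on a suspect root
# against a known-good copy, as the quoted advice suggests.
# Assumed setup (hypothetical paths): the box has been booted from clean
# media, the suspect filesystem is mounted read-only at $SUSPECT, and a clean
# copy of the same package set is unpacked at $CLEAN. Every tool used here
# (find, awk, sha256sum, ...) must come from the rescue media, never from the
# suspect tree, since a rooted box may have replaced exactly those tools.

# Digest of the file named in $1: strongest tool present on the rescue
# system, falling back to POSIX cksum (a CRC, easy to forge, last resort).
filesum() {
    {
        if command -v sha256sum >/dev/null 2>&1; then sha256sum
        elif command -v md5sum >/dev/null 2>&1; then md5sum
        else cksum
        fi
    } < "$1" | awk '{ print $1 }'
}

# Manifest of every regular file below $root/<dir> for each listed dir, one
# "<digest> <path relative to root>" per line so the two trees compare
# directly. (Paths containing spaces would break the field split below;
# system directories do not have them.)
manifest() {
    root=$1; shift
    for d in "$@"; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f | LC_ALL=C sort | while IFS= read -r f; do
            rel=${f#"$root"/}
            printf '%s %s\n' "$(filesum "$f")" "$rel"
        done
    done
}

# compare_trees CLEAN SUSPECT DIR...  prints one finding per line:
#   MODIFIED <path>            same path, different digest (replaced program)
#   ONLY_ON_SUSPECT <path>     file the clean tree lacks (dropped-in script)
#   MISSING_ON_SUSPECT <path>  file removed from the suspect tree
# A clean result only says these directories match the media; it says nothing
# about the kernel, config files, or what is running in memory.
compare_trees() {
    clean=$1; suspect=$2; shift 2
    tmp=$(mktemp -d) || return 1
    manifest "$clean"   "$@" > "$tmp/clean.lst"
    manifest "$suspect" "$@" > "$tmp/suspect.lst"
    awk '
        FILENAME == ARGV[1] { known[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in known))       print "ONLY_ON_SUSPECT", $2
            else if (known[$2] != $1) print "MODIFIED", $2
        }
        END { for (p in known) if (!(p in seen)) print "MISSING_ON_SUSPECT", p }
    ' "$tmp/clean.lst" "$tmp/suspect.lst" | LC_ALL=C sort
    rm -rf "$tmp"
}

# Constructed fixture so the example runs offline: a "clean" tree and a
# "suspect" tree in which bin/ps was replaced, bin/netstat was deleted and a
# script the owner never wrote appeared under root/.
demo() {
    base=$(mktemp -d) || return 1
    for t in clean suspect; do mkdir -p "$base/$t/bin" "$base/$t/root"; done
    printf 'ls v1\n'      > "$base/clean/bin/ls"
    printf 'ls v1\n'      > "$base/suspect/bin/ls"          # untouched
    printf 'ps v1\n'      > "$base/clean/bin/ps"
    printf 'ps trojan\n'  > "$base/suspect/bin/ps"          # replaced
    printf 'netstat v1\n' > "$base/clean/bin/netstat"       # gone on suspect
    printf '#!/bin/sh\n# not mine\n' > "$base/suspect/root/.x.sh"   # dropped in
    compare_trees "$base/clean" "$base/suspect" bin root
    rm -rf "$base"
}

# Fixture run:  sh integrity.sh demo
# Real run:     compare_trees "$CLEAN" "$SUSPECT" bin sbin usr/bin usr/sbin lib root
case ${1-} in demo) demo ;; esac
```

The comparison is deliberately done on relative paths and with the digest tool of the rescue system, so the suspect tree is only ever read. Sizes alone, which the quoted advice also mentions, are a weaker test: a patched binary is easily padded to the original length, so the digest is what matters.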