As I understand identd, it allows someone from a remote computer to find out
who owns processes running on my computer. I am curious to know if this has
recently been used to gather information that would be useful to someone
trying to exploit a machine?

I was browsing my /var/log/messages file today when I noticed that on the
9th a machine from France was sending ident requests. The log looked like so:

   Jun  9 14:52:18 klondike identd[2909]: from: 128.93.24.32 ( bora.INRIA.FR )
   for: 19508, 80
   Jun  9 14:52:18 klondike identd[2909]: Successful lookup: 19508 , 80 :
   root.root

This went on for a minute or so. Not a big deal, I thought, just someone
trying to send mail.

Then I got to today's log entries and I found someone that purports to be
from Finland doing much the same thing. This activity was logged for 10
minutes.

Now I'm concerned.

I have had a root compromise before, it's not a nice feeling. I want to lock the
bastards out, if they are indeed trying to get useful information about my
machine that may allow them to exploit something.

Any information or comments are welcome.

Regards,
Blair.
-- 

Blair Craft
Computer Technician
College Heights Secondary School
[EMAIL PROTECTED]


-- 
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
         To unsubscribe: mail [EMAIL PROTECTED] with 
                       "unsubscribe" as the Subject.
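As an added example (not part of the original message), a small Python checker for the identd syslog format quoted above: it pairs each "from:" request with its "Successful lookup:" reply by identd pid, flags a remote address that makes repeated lookups in a short window (a sweep rather than a single mail/IRC check), and counts how many lookups disclosed a root-owned socket. The sample lines, addresses and hostnames are constructed placeholders; the year is assumed since syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the identd syslog format quoted above; the
# addresses and hostnames are documentation placeholders, not real hosts.
SAMPLE_LOG = """\
Jun  9 14:52:18 klondike identd[2909]: from: 192.0.2.10 ( scanner.example ) for: 19508, 80
Jun  9 14:52:18 klondike identd[2909]: Successful lookup: 19508 , 80 : root.root
Jun  9 14:52:19 klondike identd[2910]: from: 192.0.2.10 ( scanner.example ) for: 19509, 80
Jun  9 14:52:19 klondike identd[2910]: Successful lookup: 19509 , 80 : root.root
Jun  9 14:53:40 klondike identd[2915]: from: 192.0.2.10 ( scanner.example ) for: 19510, 25
Jun  9 14:53:40 klondike identd[2915]: Successful lookup: 19510 , 25 : root.root
Jun 10 09:01:02 klondike identd[3001]: from: 198.51.100.7 ( mx.example ) for: 25, 40112
Jun 10 09:01:02 klondike identd[3001]: Successful lookup: 25 , 40112 : mail.mail
"""
TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ identd\[(?P<pid>\d+)\]: "
FROM_RE = re.compile(TS + r"from: (?P<ip>\S+) \( (?P<host>\S+) \) for: (?P<p1>\d+), (?P<p2>\d+)")
LOOKUP_RE = re.compile(TS + r"Successful lookup: \d+ , \d+ : (?P<user>\S+)")

def parse_identd(lines, year=1999):
    """Pair each 'from:' request with its 'Successful lookup:' reply via the identd pid."""
    pending, events = {}, []
    for line in lines:
        if m := FROM_RE.match(line):
            ev = {"time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                  "ip": m["ip"], "host": m["host"],
                  "ports": (int(m["p1"]), int(m["p2"])), "user": None}
            pending[m["pid"]] = ev
            events.append(ev)
        elif (m := LOOKUP_RE.match(line)) and m["pid"] in pending:
            pending.pop(m["pid"])["user"] = m["user"].split(".")[0]  # logged as user.group
    return events

def suspicious_sources(events, window_s=600, min_lookups=3):
    """Flag an address making min_lookups+ lookups within window_s seconds (a sweep),
    and count its lookups that disclosed a root-owned socket. Returns {ip: summary}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        burst = any((evs[i + min_lookups - 1]["time"] - evs[i]["time"]).total_seconds() <= window_s
                    for i in range(len(evs) - min_lookups + 1))
        root_hits = sum(1 for e in evs if e["user"] == "root")
        if burst or root_hits:
            report[ip] = {"host": evs[0]["host"], "lookups": len(evs),
                          "burst": burst, "root_disclosed": root_hits}
    return report
```

Run it against /var/log/messages with `suspicious_sources(parse_identd(open(path)))`; a flagged source with `root_disclosed` greater than zero is the case worth acting on, since identd is telling the remote side which connections root owns.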
