Here's an odd one.

I have a machine which had been a firewall for some time until my main system
went down (burned out MB -- had to replace).  While that machine was
reconfigured as a workstation, it got broken into, and the next day (when the
new machine arrived a week earlier than expected) I dutifully re-installed on
the firewall machine from scratch just to be safe.

Now the interesting thing begins.  Ever since the break-in and the follow-up
reinstall, I get a break-in attempt on the firewall machine every 12 minutes,
obviously running out of cron somewhere.

The spooky part is that the network address of the machine trying to break in is
on my local network, on this side of the firewall.  It is a windoze box I keep
around for my son to play games on, etc.

Why I say it is spooky is that the attacks continue even if this machine is
turned off and disconnected totally from the network.  Obviously someone is
spoofing the address.  They stop only if I take down my dsl link to my isp, so
clearly they are not local.

I am also running tripwire and portsentry on this box, and portsentry is logging
the attempts (and they show up in /var/log/messages regular as clockwork of
course).

As tripwire is not finding any problems and chkrootkit gives me a clean bill of
health (I run these and portsentry on this machine and every other machine on my
network as well) -- and FWIW nothing else weird is being detected -- is it
reasonable to say that someone has probably left a cron job going to try to
break in, or should I pursue it further at this point?

Any suggestions?

Thanks 


-- 
William W. Austin                          [EMAIL PROTECTED]
               "Life is just a phase I'm going through..."

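The two observations above (attempts arriving on a fixed 12-minute cadence, and a source address that belongs to a LAN host which is powered off) can both be checked mechanically from the portsentry lines in /var/log/messages. The script below is an added example, not code from the original post or from portsentry; the sample log lines are constructed, the "attackalert: Connect from host:" field layout is an assumed approximation of portsentry's format, the LAN prefix 192.168.1.0/24 and the year used to complete syslog timestamps are assumptions, and the set of hosts known to be offline is supplied by the operator.

```python
"""Find clockwork-regular probe sources in a syslog extract and flag those
that claim an address of a LAN host known to be switched off (i.e. spoofed).

Added example: sample lines are constructed; portsentry's line layout is
assumed, not copied from the mailing-list post."""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of portsentry entries as they might appear in
# /var/log/messages. One source repeats every ~12 minutes; another is sporadic.
SAMPLE_LOG = """\
Jan 10 08:00:05 fw portsentry[412]: attackalert: Connect from host: 192.168.1.50/192.168.1.50 to TCP port: 23
Jan 10 08:12:05 fw portsentry[412]: attackalert: Connect from host: 192.168.1.50/192.168.1.50 to TCP port: 23
Jan 10 08:24:04 fw portsentry[412]: attackalert: Connect from host: 192.168.1.50/192.168.1.50 to TCP port: 23
Jan 10 08:31:17 fw portsentry[412]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 111
Jan 10 08:36:06 fw portsentry[412]: attackalert: Connect from host: 192.168.1.50/192.168.1.50 to TCP port: 23
Jan 10 08:48:05 fw portsentry[412]: attackalert: Connect from host: 192.168.1.50/192.168.1.50 to TCP port: 23
Jan 10 09:02:41 fw portsentry[412]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 111
"""

# Assumed portsentry line layout: "<syslog ts> <host> portsentry[pid]:
# attackalert: Connect from host: <name>/<ip> to <TCP|UDP> port: <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ portsentry\[\d+\]: "
    r"attackalert: Connect from host: \S+/(?P<ip>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)


def parse_events(text, year=2002):
    """Return a list of (timestamp, source_ip, proto, port) tuples.

    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a portsentry alert; ignore other daemons' lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["proto"], int(m["port"])))
    return events


def periodic_sources(events, min_hits=3, tolerance=0.1):
    """Map source IP -> mean inter-arrival interval (seconds) for sources whose
    interval spread (std dev / mean) is within `tolerance`.

    A cron-driven probe produces gaps that are almost identical; a human or a
    scanner walking many targets does not."""
    by_ip = defaultdict(list)
    for ts, ip, _proto, _port in events:
        by_ip[ip].append(ts)
    result = {}
    for ip, stamps in by_ip.items():
        if len(stamps) < min_hits:
            continue  # too few samples to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= tolerance:
            result[ip] = round(avg)
    return result


def spoof_suspects(periodic, local_net="192.168.1.0/24", known_offline=()):
    """Return periodic sources that claim an address inside `local_net` for a
    host the operator knows is powered off: traffic with that source address
    cannot be genuine, so it is being spoofed from elsewhere."""
    net = ipaddress.ip_network(local_net)
    return sorted(
        ip for ip in periodic
        if ipaddress.ip_address(ip) in net and ip in set(known_offline)
    )


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    per = periodic_sources(evts)
    print("periodic sources:", per)
    print("spoofed LAN addresses:", spoof_suspects(per, known_offline={"192.168.1.50"}))
```

On the constructed sample the 192.168.1.50 entries come out as periodic at 720 seconds (12 minutes), and because that host is listed as offline the address is reported as spoofed. The complementary check on the firewall itself is to confirm on which interface the packets arrive: a packet carrying a LAN source address that enters on the DSL interface should be dropped by an anti-spoofing ingress rule (or the kernel's reverse-path filter), which also stops the alerts regardless of who is sending them.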


_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list