Hi,
I've got a firewall set up to deny any external access apart from ssh,
and also mail me if anybody tries to connect. Just had a couple of
interesting emails:
Subject: Port Denial noted in.telnetd-24.228.0.114
Date: Mon, 21 Aug 2000 22:58:10 +1000
From: root
To: root
[24.228.0.114]
Login: archangel Name: Bob Smith
Directory: /home/archangel Shell: /bin/bash
On since Sat Aug 19 20:55 (EDT) on tty1 17 hours 29 minutes idle
No mail.
No Plan.
(Then the same basic email repeated, but with different times).
Telnetted to 24.228.0.114, and Bob Smith appears to be running RH 6.2.
He seems to have just given me his IP and login name (assuming he's not
coming from a cracked box), so maybe not a 1337 h4><0r. Just started a
sniffer running; it's not showing any traffic from 24.228.0.114, so I
assume he didn't get in or anything (and this is certainly not a
trojaned sniffer). I'm just a little concerned because I didn't think
that anybody outside the Sydney Uni intranet (which should show an IP of
10.x.x.x) would even be able to see my box - they've got their own
firewall/proxy set up which should isolate any dial-up connections to
them, which is what I'm using. Anybody have any thoughts? (Apart from
'Go to bed you paranoid bastard' :-) Horribly tempted to nmap Bob
Smith...
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
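A small triage script for the kind of "Port Denial" alert mails quoted above, added here as an example and not part of the original post or the poster's firewall setup. It assumes the alert subject has the shape `Port Denial noted <service>-<source ip>` as in the mail shown, and that sources the poster expects (the university proxy) fall in 10.0.0.0/8; the sample subjects are constructed.

```python
"""Triage of firewall 'Port Denial' alert mails (added example, not from the post).

Assumed subject format: 'Port Denial noted <service>-<source ip>', as in the
quoted mail. Sources outside 10.0.0.0/8 are flagged as external, which is the
question the poster is asking: should anything outside the intranet reach the box?
"""
import ipaddress
import re
from collections import Counter

SUBJECT_RE = re.compile(
    r"Port Denial noted (?P<service>\S+?)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Address ranges the poster expects behind the university proxy (assumption).
EXPECTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_subject(subject):
    """Return (service, ip_address) from an alert subject, or None if it does not match."""
    m = SUBJECT_RE.search(subject.strip())
    if not m:
        return None
    return m.group("service"), ipaddress.ip_address(m.group("ip"))


def is_expected(ip):
    """True if the source address lies inside one of the expected ranges."""
    return any(ip in net for net in EXPECTED_SOURCES)


def triage(subjects):
    """Count denials per (source, service) and collect sources outside the expected ranges."""
    hits = Counter()
    unexpected = set()
    for s in subjects:
        parsed = parse_subject(s)
        if parsed is None:
            continue  # not an alert mail, skip it
        service, ip = parsed
        hits[(str(ip), service)] += 1
        if not is_expected(ip):
            unexpected.add(str(ip))
    return hits, unexpected


# Constructed sample subjects; the first two mirror the repeated mail in the post.
SAMPLE_SUBJECTS = [
    "Subject: Port Denial noted in.telnetd-24.228.0.114",
    "Subject: Port Denial noted in.telnetd-24.228.0.114",
    "Subject: Port Denial noted in.ftpd-10.20.30.40",
    "Subject: something unrelated",
]

if __name__ == "__main__":
    counts, external = triage(SAMPLE_SUBJECTS)
    for (ip, svc), n in counts.most_common():
        print(f"{ip:15} {svc:12} {n:3} {'EXTERNAL' if ip in external else 'intranet'}")
```

Repeated hits from one external source against a single service, with nothing from that source in the sniffer, is consistent with a blocked probe rather than a successful login.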