Here's an excellent place to start.

http://www.linuxworld.com/linuxworld/lw-1999-12/lw-12-vcontrol_1.html

It's an interview with one of the best security experts out there, with
links to a couple of other excellent articles. There's also a link to the
said expert's company, with free (as in beer) tools for linux security.

Good luck.

-----Original Message-----
From: Chris Worth [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 03, 1999 12:37 PM
To: [EMAIL PROTECTED]
Subject: Damn, I got hacked...

Ok, just before I left on Thanksgiving holiday, I learned that my rh6.1 box had been
compromised. No loss of data to speak of; it is really just a learning box. At any rate, I
was able to ftp the messages file off. Here is a chunk of it.

Nov 18 00:15:49 flowman2 in.telnetd[20074]: connect from 207.139.76.99
Nov 18 00:17:23 flowman2 identd[20079]: Connection from colo01-156.xoom.com
Nov 18 00:17:23 flowman2 identd[20079]: from: 206.132.179.156 ( colo01-156.xoom.com ) for: 3861, 21
Nov 18 00:17:23 flowman2 identd[20079]: Returned: 3861 , 21 : NO-USER
Nov 18 00:25:08 flowman2 in.telnetd[20092]: connect from 207.139.76.99
Nov 18 00:27:25 flowman2 named[365]: Cleaned cache of 0 RRs
Nov 18 00:27:26 flowman2 named[365]: USAGE 942902846 942244045 CPU=0.02u/0.01s CHILDCPU=0u/0s
Nov 18 00:27:26 flowman2 named[365]: NSTATS 942902846 942244045
Nov 18 00:27:26 flowman2 named[365]: XSTATS 942902846 942244045 RR=1 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=1 SAns=0 SFwdQ=0 SDupQ=0 SErr=0 RQ=0 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFErr=0 SNaAns=0 SNXD=0
Nov 18 00:40:05 flowman2 identd[20120]: Connection from disfunctional.net
Nov 18 00:40:05 flowman2 identd[20120]: from: 208.225.85.34 ( disfunctional.net ) for: 4538, 53
Nov 18 00:46:13 flowman2 identd[20123]: Connection from alpha.prosat.com.au
Nov 18 00:46:13 flowman2 identd[20123]: from: 202.61.205.131 ( alpha.prosat.com.au ) for: 1353, 53
Nov 18 00:46:33 flowman2 identd[20124]: Connection from cr634779-a.cambr1.on.wave.home.com
Nov 18 00:46:33 flowman2 identd[20124]: from: 24.112.109.151 ( cr634779-a.cambr1.on.wave.home.com ) for: 1374, 53
Nov 18 00:46:42 flowman2 identd[20125]: Connection from disfunctional.net
Nov 18 00:46:42 flowman2 identd[20125]: from: 208.225.85.34 ( disfunctional.net ) for: 1402, 53
Nov 18 00:55:25 flowman2 in.telnetd[20128]: connect from 207.139.76.99
Nov 18 00:58:46 flowman2 identd[20295]: Connection from apollo.gestrike-linjen.x.se
Nov 18 00:58:47 flowman2 identd[20295]: from: 195.84.176.55 ( apollo.gestrike-linjen.x.se ) for: 1803, 53
Nov 18 00:59:50 flowman2 identd[20477]: Connection from 195.54.234.5
Nov 18 00:59:50 flowman2 identd[20477]: from: 195.54.234.5 ( 195.54.234.5 ) for: 617, 111


Can somebody tell me what went on? I'd rather this didn't happen again, for obvious
reasons. And how can I prevent this in the future? Is there a security HOWTO I need to
absorb?

thanks, chris



--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
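Added example, not part of either message in this thread: a small Python script that turns the quoted /var/log/messages chunk into a per-source summary, which is the first step in answering "what went on". It matches the in.telnetd and identd line formats exactly as they appear in the post, counts repeated telnet connects from one address, and keeps each identd port pair as logged. RFC 1413 defines the query as "port on the host running identd, port on the querying host", but a querier may send the two in the other order, and the NO-USER answer to the first query shows identd found no local socket matching that pair, so the script reports whichever of the two numbers is a well-known port rather than trusting the order. The service table, the regexes and that heuristic are this example's own assumptions; the sample log is the post's own lines, rejoined one event per line.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# The /var/log/messages lines quoted in the original post, one event per line
# (the mail client had wrapped the identd entries across several lines).
SAMPLE_LOG = """\
Nov 18 00:15:49 flowman2 in.telnetd[20074]: connect from 207.139.76.99
Nov 18 00:17:23 flowman2 identd[20079]: Connection from colo01-156.xoom.com
Nov 18 00:17:23 flowman2 identd[20079]: from: 206.132.179.156 ( colo01-156.xoom.com ) for: 3861, 21
Nov 18 00:17:23 flowman2 identd[20079]: Returned: 3861 , 21 : NO-USER
Nov 18 00:25:08 flowman2 in.telnetd[20092]: connect from 207.139.76.99
Nov 18 00:27:25 flowman2 named[365]: Cleaned cache of 0 RRs
Nov 18 00:40:05 flowman2 identd[20120]: from: 208.225.85.34 ( disfunctional.net ) for: 4538, 53
Nov 18 00:46:13 flowman2 identd[20123]: from: 202.61.205.131 ( alpha.prosat.com.au ) for: 1353, 53
Nov 18 00:46:33 flowman2 identd[20124]: from: 24.112.109.151 ( cr634779-a.cambr1.on.wave.home.com ) for: 1374, 53
Nov 18 00:46:42 flowman2 identd[20125]: from: 208.225.85.34 ( disfunctional.net ) for: 1402, 53
Nov 18 00:55:25 flowman2 in.telnetd[20128]: connect from 207.139.76.99
Nov 18 00:58:47 flowman2 identd[20295]: from: 195.84.176.55 ( apollo.gestrike-linjen.x.se ) for: 1803, 53
Nov 18 00:59:50 flowman2 identd[20477]: from: 195.54.234.5 ( 195.54.234.5 ) for: 617, 111
"""

# Assumed, deliberately small service table so the script runs offline
# (no /etc/services lookup); extend it for your own box.
WELL_KNOWN = {21: "ftp", 23: "telnet", 53: "domain", 111: "sunrpc"}

TS = r"\w{3} +\d+ \d\d:\d\d:\d\d"
TELNET_RE = re.compile(rf"^(?P<ts>{TS}) \S+ in\.telnetd\[\d+\]: connect from (?P<src>\S+)")
# pidentd logs "from: <ip> ( <host> ) for: <p1>, <p2>"; the "( " is optional here
# because mail wrapping can eat it, as it did in the quoted post.
IDENTD_RE = re.compile(
    rf"^(?P<ts>{TS}) \S+ identd\[(?P<pid>\d+)\]: from: (?P<src>\S+) (?:\( )?(?P<host>[^)]*?) \) for: (?P<p1>\d+), (?P<p2>\d+)"
)
RETURNED_RE = re.compile(
    rf"^{TS} \S+ identd\[(?P<pid>\d+)\]: Returned: (?P<p1>\d+) , (?P<p2>\d+) : (?P<answer>\S+)"
)


@dataclass
class SourceActivity:
    host: str = ""
    telnet_connects: list = field(default_factory=list)   # timestamps of in.telnetd connects
    ident_queries: list = field(default_factory=list)     # (p1, p2) pairs exactly as identd logged them
    no_user_answers: int = 0                              # queries identd could not match to a live socket

    def services(self):
        """Well-known ports seen in either position of a pair, mapped to a service name.
        Heuristic (assumption): a query sent with the ports in the wrong order still
        names the service that was touched."""
        return {WELL_KNOWN[p] for p1, p2 in self.ident_queries for p in (p1, p2) if p in WELL_KNOWN}


def summarize(log_text):
    """Group telnet connects and identd queries by remote address."""
    by_src = defaultdict(SourceActivity)
    pid_to_src = {}  # identd forks per query; its pid links the "from:" line to the "Returned:" line
    for line in log_text.splitlines():
        m = TELNET_RE.match(line)
        if m:
            by_src[m["src"]].telnet_connects.append(m["ts"])
            continue
        m = IDENTD_RE.match(line)
        if m:
            act = by_src[m["src"]]
            act.host = m["host"]
            act.ident_queries.append((int(m["p1"]), int(m["p2"])))
            pid_to_src[m["pid"]] = m["src"]
            continue
        m = RETURNED_RE.match(line)
        if m and m["answer"] == "NO-USER" and m["pid"] in pid_to_src:
            by_src[pid_to_src[m["pid"]]].no_user_answers += 1
    return dict(by_src)


def findings(summary):
    """One human-readable line per remote address that logged in over telnet repeatedly
    or whose ident queries reference a well-known local service."""
    out = []
    for src, act in sorted(summary.items()):
        if len(act.telnet_connects) >= 2:
            out.append(f"{src}: {len(act.telnet_connects)} telnet connects "
                       f"({act.telnet_connects[0]} .. {act.telnet_connects[-1]})")
        svc = act.services()
        if svc:
            note = f", {act.no_user_answers} answered NO-USER" if act.no_user_answers else ""
            out.append(f"{src} ({act.host or '?'}): ident queries referencing {', '.join(sorted(svc))}{note}")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG)):
        print(line)
```

Run against the post's lines it separates the one address that telnetted in three times in 45 minutes from the half-dozen others whose ident queries mention ftp, domain and sunrpc; the next step for the poster is to compare those telnet timestamps with wtmp, shell histories and file mtimes from that window.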

