My bad...I didn't read thoroughly enough.

On Mon, 5 Mar 2001, Joshua Hirsh wrote:

> The information in the email pertaining to the user 'operator' was on the
> remote machine which had attempted to connect to Ben's portmap service.
>
> Because the remote machine had attempted the connection, a program on
> Ben's machine is set up to finger the remote account that is attempting the
> connection. In this case, it was the user operator on pts/1 and pts/2 on
> the remote machine.
>
>
> Take a look at a portion of the email quoted below:
>
> >Subject: portmap attempt on thor from 211.57.229.2 (211.57.229.2)
>
> If you notice the IP address displayed above in the topic, and below in
> the body of the message, they are identical. The information being
> displayed is formatted the way that finger (/usr/bin/finger) outputs its
> data. Because the first part of the line displays the IP address, this
> tells us that the finger request was sent to the remote machine.
>
> >  [211.57.229.2]
> >  Login: operator                        Name: operator
> >  Directory: /root                       Shell: /bin/sh
>
>
> For example, run the command: finger [EMAIL PROTECTED] on your system
> and compare the output.
>
> [dro@mail dro]$ finger [EMAIL PROTECTED]
> [211.57.229.2]
> Login: operator                         Name: operator
> Directory: /root                        Shell: /bin/sh
> Last login Mon Mar  5 13:23 (KST) on 2 from 21dial234.xnet.ro
> No mail.
> No Plan.
>
> Look familiar?
>
> Based on the information that Ben provided to the list, I believe that
> his system has not been compromised. If, however, Ben feels that the
> machine has indeed been compromised, the safest bet would be to re-install
> the OS.
>
>
>  Best Regards,
>
> Joshua Hirsh
> efni CONNECT
> UNIX Systems Administration
> [EMAIL PROTECTED]
> Tel: (705) 474-3364 ext. 2557
> Fax: (705) 472-9202
>
>
> > I'd ask, however, for clarification from Ben, as to whether or not user
> > "operator" has a password, no password at all, or the normal "*" in the
> > password field.  If user "operator" has the * in the password field, user
> > "operator" should not be able to log into pts/1 or pts/2, would you not
> > agree?
>
>
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
>
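The check Joshua walks through above, written as an added example that is not part of the original thread: it parses an alert in the layout quoted in the message and labels each finger record by whether the bracketed host matches the connecting address from the subject line. The subject pattern is an assumption generalized from the single alert shown, and the function names are hypothetical.

```python
import re

# Constructed sample: the subject and finger body quoted in the thread,
# with the mail quote markers removed.
SAMPLE_ALERT = """\
Subject: portmap attempt on thor from 211.57.229.2 (211.57.229.2)

 [211.57.229.2]
 Login: operator                        Name: operator
 Directory: /root                       Shell: /bin/sh
"""

# Assumed subject layout: "<service> attempt on <local host> from <source>".
SUBJECT_RE = re.compile(r"^Subject:\s*(\S+) attempt on (\S+) from (\S+)", re.M)
# finger prints the queried host in brackets before each remote answer.
HOST_RE = re.compile(r"^\s*\[([^\]\s]+)\]\s*$")
# Only the first word of each value is kept (enough for login, dir and shell).
FIELD_RE = re.compile(r"(Login|Name|Directory|Shell):\s*(\S*)")


def parse_alert(text):
    """Return the service, local host, source address and finger records."""
    m = SUBJECT_RE.search(text)
    if not m:
        raise ValueError("no recognisable alert subject line")
    service, local_host, source = m.groups()
    records, current = [], None
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if host:
            # A bracketed host starts a new record for that queried machine.
            current = {"queried_host": host.group(1)}
            records.append(current)
        elif current is not None:
            for key, value in FIELD_RE.findall(line):
                current[key.lower()] = value
    return {"service": service, "local_host": local_host,
            "source": source, "records": records}


def classify(alert):
    """Label a record 'remote' when finger queried the connecting address."""
    out = []
    for rec in alert["records"]:
        same = rec["queried_host"] == alert["source"]
        out.append((rec.get("login"), rec["queried_host"],
                    "remote" if same else "unexpected"))
    return out
```

A record labelled "remote" describes an account on the connecting machine, not on the machine that raised the alert.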


