Security Incidents mailing list archives
Break-in attempt from 203.197.38.247
From: Cronje Schalk <schalkc () NTABA CO ZA>
Date: Tue, 22 Aug 2000 14:20:08 +0200
This morning we discovered a possible break-in attempt. The alert came from continuous retries on the pop3 and telnet ports. POP3 was accidentally left open although no pop3 service nor mail service is installed.
From /var/log/secure:
--------------------
Aug 22 01:09:34 jupiter ipop3d[3954]: connect from 203.197.38.247
Aug 22 01:09:34 jupiter ipop3d[3954]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
From /var/log/messages:
-----------------------
Aug 22 01:09:43 jupiter telnetd[3957]: ttloop: peer died: Invalid or incomplete multibyte or wide character

What is really strange is a replacement of certain files?

?--------- 14559 root 46449 4294967295 Mar 27 21:57 bashrc
?--------- 14559 root 46449 4294967295 Mar 27 21:57 info-dir
?--------- 14138 root 8567 4294967295 May 13 1999 named.boot
?--------- 14694 root 2584 4294967295 Jul 7 18:49 rpc
?--------- 14441 root 12171 4294967295 Aug 17 17:02 shells
?--------- 14099 root 8165 4294967295 Aug 21 15:28 termcap

The dates are strange, but then so is most of the file info. No binaries have been replaced. At this point I am somewhat confused. I cannot determine if this was an attempted or a successful break-in. On the other hand it can simply be a damaged filesystem. Can anyone shed some light on this?

------------------------------------------------------------------
Schalk W. Cronjé | 083-279-7047 |
------------------
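An added triage helper, not part of the poster's message or tooling: it parses a listing like the one above and separates entries that ls could not stat (a '?' file type) from ordinary entries, so that unreadable stat fields are not mistaken for evidence of replaced files. It assumes the GNU ls column layout and the year 2000 for entries printed with HH:MM; the last LISTING line is constructed for contrast.

```python
"""Classify ls -l lines: entries whose inode could not be read vs ordinary ones."""
import re
from datetime import datetime

# Six lines from the post plus one constructed ordinary entry ("hosts").
LISTING = """\
?--------- 14559 root 46449 4294967295 Mar 27 21:57 bashrc
?--------- 14559 root 46449 4294967295 Mar 27 21:57 info-dir
?--------- 14138 root 8567 4294967295 May 13 1999 named.boot
?--------- 14694 root 2584 4294967295 Jul 7 18:49 rpc
?--------- 14441 root 12171 4294967295 Aug 17 17:02 shells
?--------- 14099 root 8165 4294967295 Aug 21 15:28 termcap
-rw-r--r-- 1 root root 2584 Aug 21 15:28 hosts
"""

# Columns: mode nlink owner group size month day (HH:MM | year) name
LS_RE = re.compile(r"^(\S{10})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
                   r"([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}:\d{2}|\d{4})\s+(.+)$")
UINT32_MAX = 2**32 - 1  # 4294967295: -1 stored in an unsigned 32-bit field


def parse_mtime(mon, day, tod, default_year=2000):
    """ls prints HH:MM for recent files and a year for older ones."""
    if ":" in tod:
        return datetime.strptime(f"{mon} {day} {default_year} {tod}", "%b %d %Y %H:%M")
    return datetime.strptime(f"{mon} {day} {tod}", "%b %d %Y")


def classify(listing, year=2000):
    """Return one dict per parsable line with a verdict a responder can act on."""
    rows = []
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue  # headers such as "total 123" are skipped
        mode, nlink, owner, group, size, mon, day, tod, name = m.groups()
        reasons = []
        if mode[0] == "?":
            # ls could not stat the inode (assumption: '?' type means a failed
            # stat call), so the other columns carry no trustworthy information.
            reasons.append("stat failed: file type and mode unreadable")
        if int(size) == UINT32_MAX:
            reasons.append("size is (uint32)-1, an error value, not a real length")
        verdict = "unreadable" if reasons else "ok"
        rows.append({"name": name, "mode": mode, "owner": owner, "nlink": int(nlink),
                     "size": int(size), "mtime": parse_mtime(mon, day, tod, year),
                     "reasons": reasons, "verdict": verdict})
    return rows


if __name__ == "__main__":
    for r in classify(LISTING):
        print(f"{r['verdict']:10} {r['name']:10} {'; '.join(r['reasons']) or 'stat ok'}")
```

An "unreadable" verdict points at the filesystem (fsck, the inode itself) rather than at file replacement; only "ok" entries have a mode, size and mtime worth comparing against a known-good baseline.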