[Fwd: OFF TOPIC: security]

[Jim Starke <jstarke () ptd net>]

Hello everyone,

        I gave Brian the url so that he can subscribe to this list but am going
to post his email here. Could someone shed any light on the logs that he
sent me and if there is reason to be concerned?

        I do not have enough experience to give him a qualified answer and am
deferring to the advice of the experts on the list. 

        Thanks in advance!      

Jim

Brian Clifton wrote:
> Hi again Jim
>
> I am running RH6.2 - pretty well patched e.g.
> imap-4.7c2-1.phall
> bind-8.2.3-0.6.x
> sendmail-8.9.3-15
> inn-2.2.1-1
> slrn-0.9.6.4-0.6
> wu-2.6.0(1)
>
> Apache (apache-1.3.9-8) is a bit out of date, but I think that is all!
> host.allow will let ftp users from anywhere but thats it. Telnet and
> pop3 access is denied for all but our internal users.
>
> I have had a look at our /var/log/message file and notice a couple of
> entries:
>
> Jun  1 14:39:37 linux portmap[27164]: connect from 206.218.166.214 to
> getport(mountd): request from unauthorized host
> Jun  6 23:49:02 linux portmap[20055]: connect from 212.55.157.163 to
> getport(status): request from unauthorized host
>
> These look like failed hacks??
>
> Also I think this is someone trying to run linuxconf remotely:
> Jun  9 10:29:30 linux linuxconf[31288]: IP 195.173.171.194 do not match
> 192.168.1.0/255.255.255.0
>
> In /var/log/secure:
> Jun  1 02:37:40 linux in.ftpd[24950]: connect from 202.156.143.146
> ## Someone from mcns146.docsis143.singa.pore.net##
>
> Jun  1 16:23:06 linux ipop3d[27543]: refused connect from 212.169.20.127
> ## no reverse lookup ##
>
> Jun  6 19:24:33 linux in.telnetd[19304]: refused connect from
> 62.211.40.73
>
> Any thoughts greatly appreciated...
>
> Thanks in advance, Brian
>
> > Hi Brian,
> >
> >  Here is a url of a security list that I am on.
> >
> >  http://archives.neohapsis.com/archives/incidents
> >
> >  It has information on how to subscribe at the bottom of that page.
> >
> >  I'm new to that list so I won't be able to help you too much. Out of
> > curiousity, what makes you think that your system has been hacked? Do
> > you have firewall logs available or is it because the system is acting
> > strangely?
> >
> > Jim
> >
> > Brian Clifton wrote:
> > > Can anyone help with looking at a possible hack attempt on RH
> linux6.2
> > > or point me to a list that can.
> > >
> > > Best regards, Brian
> > >
> > > ** This list is for technical support for the CGI/Perl Cookbook only
> > > **
> > >
> > > ** This is a family-oriented list: Please do not post URLs for sites
> > > ** ** that contain content of questionable moral/ethical value.
> > > Thanks. **
> >
> > --

-- 
Quidquid latine dictum sit, altum viditur.
http://www.jcsmall.com/homepage