[lug] Possible Cracker
stimits at idcomm.com
Mon Sep 4 16:37:49 MDT 2000
"Michael J. Pedersen" wrote:
> On Sat, Sep 02, 2000 at 04:15:51AM -0600, SoloCDM wrote:
> > My messages file shows "telnetd: ttloop: peer died: Invalid or
> > incomplete multibyte or wide character" and my tcpdump file shows the
> > consistent IP outside intruder as 220.127.116.11. What exactly
> > happened? Is my system infected, affected, or what?
> At this point, without my being able to verify directly, it would seem that
> your system is not infected, only being attempted. The very next thing I would
> do (as in right now) would be the following steps:
> edit /etc/inetd.conf
> Comment out the line which mentions telnetd (ie: put a # as the first
> character in the line).
> Find the process id of inetd (ps aux | grep inetd).
> Issue 'kill -HUP psid'
> That will shut down that attack, at least. Second thing to do, would be to run
> 'netstat -a', and see if you don't recognize any of the ports listed. If any
> of them are unfamiliar, you MIGHT have been cracked. Only further research
> will tell.
> I'm going to post my personal firewall ruleset in the very near future, in two
> separate versions (one with ipmasq enabled, one without). In the meantime, I
> would recommend reading various HOWTO documents (http://www.linuxdoc.org and
> http://www.linuxlookup.com), and use the information to beef up your security
> tremendously. Having hte telnet port open, and having it enabled, tells me
> that your site is incredibly insecure right now, and very easily attacked. I
> don't say this to be insulting, only to help you understand that your machine
> IS vulnerable right now, and without prompt action, may be cracked very soon
> (if it's not already).
> Final note for you: Your cracker might be related to another one mentioned by
> D. Stimitz(sp?). He also had an oriental origin. Your guy is using a unicode
> character set during his attack, which means that he is using (extremely
> likely, anyway) an oriental character set.
One thing I might mention is that each time someone tries a port, I add
their /24 to ipchains and to /etc/hosts.deny. If it is a domain that I
need access to, I write the domain host a letter; or sometimes just deny
SYN packets from there. The real problem is knowing when you have a
legit ip to complain about.
> Michael J. Pedersen
> Get GnuPG at http://www.gnupg.org
> My GnuPG Key Fingerprint: C31C 7E90 5992 9E5E 9A02 233D D8DD 985E 4E72 4A60
> My GnuPG Public Key Available At: http://www.keyserver.net
> Part 1.2Type: application/pgp-signature
More information about the LUG