[lug] Possible Cracker

Michael J. Pedersen marvin at keepthetouch.org
Mon Sep 4 13:40:06 MDT 2000


On Sat, Sep 02, 2000 at 04:15:51AM -0600, SoloCDM wrote:
> My messages file shows "telnetd[21882]: ttloop:  peer died: Invalid or
> incomplete multibyte or wide character" and my tcpdump file shows the
> consistent IP outside intruder as 198.79.30.20.  What exactly
> happened?  Is my system infected, affected, or what?

At this point, without my being able to verify directly, it would seem that
your system is not infected, only being attempted. The very next thing I would
do (as in right now) would be the following steps:

edit /etc/inetd.conf
Comment out the line which mentions telnetd (i.e. put a # as the first
character in the line).
Find the process id of inetd (ps aux | grep inetd).
Issue 'kill -HUP psid'

That will shut down that attack, at least. The second thing to do would be to run
'netstat -a', and see if you don't recognize any of the ports listed. If any
of them are unfamiliar, you MIGHT have been cracked. Only further research
will tell.

I'm going to post my personal firewall ruleset in the very near future, in two
separate versions (one with ipmasq enabled, one without). In the meantime, I
would recommend reading various HOWTO documents (http://www.linuxdoc.org and
http://www.linuxlookup.com), and use the information to beef up your security
tremendously. Having the telnet port open, and having it enabled, tells me
that your site is incredibly insecure right now, and very easily attacked. I
don't say this to be insulting, only to help you understand that your machine
IS vulnerable right now, and without prompt action, may be cracked very soon
(if it's not already).

Final note for you: Your cracker might be related to another one mentioned by
D. Stimitz (sp?). He also had an oriental origin. Your guy is using a unicode
character set during his attack, which means that he is using (extremely
likely, anyway) an oriental character set.

-----
Michael J. Pedersen
Get GnuPG at http://www.gnupg.org
My GnuPG Key Fingerprint: C31C 7E90 5992 9E5E 9A02 233D D8DD 985E 4E72 4A60
My GnuPG Public Key Available At: http://www.keyserver.net
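The two defensive steps in the reply above (disable the telnetd entry in inetd.conf and HUP inetd, then look for unfamiliar listening ports in 'netstat -a'), written up as an added example that is not part of the original post. The inetd.conf and netstat lines are constructed samples so the script runs offline; reload_inetd assumes pgrep is available and only acts if an inetd process exists.

```shell
#!/bin/sh
# Added example, not from the original post: the two defensive steps the reply
# describes, run against constructed input so it works offline.

# Constructed sample of /etc/inetd.conf (not a real host's file).
SAMPLE_INETD='ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd'

# Constructed sample of "netstat -a" output (documentation addresses only).
SAMPLE_NETSTAT='tcp   0  0 0.0.0.0:22      0.0.0.0:*           LISTEN
tcp   0  0 0.0.0.0:23      0.0.0.0:*           LISTEN
tcp   0  0 0.0.0.0:31337   0.0.0.0:*           LISTEN
tcp   0  0 192.0.2.1:22    198.51.100.7:40122  ESTABLISHED'

# Step 1: put a '#' in front of every active telnet line in the given file.
# Idempotent: a line that already starts with '#' does not match the pattern.
disable_telnet() {
    f="$1"
    sed -e '/^telnet[[:space:]]/s/^/#/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# The post's 'kill -HUP psid' step: make inetd re-read its config, if running.
reload_inetd() {
    pid=$(pgrep -x inetd 2>/dev/null) || return 0
    kill -HUP "$pid"
}

# Step 2: read netstat -a output on stdin and print every LISTEN port that is
# not in the space-separated allow list $1. Stripping up to the last ':'
# handles both IPv4 and IPv6 local addresses.
unfamiliar_listeners() {
    awk -v allow=" $1 " '$NF == "LISTEN" {
        sub(/.*:/, "", $4)
        if (index(allow, " " $4 " ") == 0) print $4
    }'
}

# Demo on the constructed data (a real host would use /etc/inetd.conf).
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_INETD" > "$tmp"
disable_telnet "$tmp"
grep '^#telnet' "$tmp"                    # the telnet line is now commented out
printf '%s\n' "$SAMPLE_NETSTAT" | unfamiliar_listeners "22 25"   # prints 23 and 31337
rm -f "$tmp"
```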

