[lug] Should I worry about: attempted hacks on boxes?

jd lug at taproot.bz
Sun Jul 6 15:00:50 MDT 2003


On Sun, 2003-07-06 at 13:30, Eric Peers wrote:
> I've got a box on the web which is not publicly
> advertised at this point. But it looks like folks are
> trying to hack it. I've seen weird http requests (code
> red), and attempted logins for ssh. Is there anything
> I should do besides reading my logs periodically for
> this sort of activity? Is there a good toolkit that
> checksums major binaries to see if a system has been
> compromised?
> 
> Do these look enough like attempted hacks? I've
> obviously turned off root logins to my box and
> disabled most other ports (ftp, telnet).
> 
> [log]# more secure.1
> Jul  1 03:57:06 iceaxe sshd[642]: Did not receive
> identification string from 80.55.196.26
> Jul  1 04:00:24 iceaxe sshd[654]: Did not receive
> identification string from 80.55.196.26
> Jul  3 22:01:15 iceaxe sshd[13243]: Did not receive
> identification string from 211.152.64.13
> 
> The first logins are from a machine in Poland. The 2nd
> is from somewhere in China? My girlfriend and I are the
> only ones logging into the box right now, and I know
> we're not in China or Poland. Should I worry about
> these?
> 
> 
>    --eric
> 

This looks like someone or some script is maybe rattling the
doors and windows. I would at least run a NIDS and tcpwrappers.

Tripwire will do the checksum stuff....however I guess the Tripwire
people are pissing people off in Free and Open communities. There is
another pkg that does the same but is not pissing people off and I can't
remember the name off hand....

hth,
jd
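Added example, not from anyone in this thread: a small Python script that parses sshd lines in the syslog format Eric quoted, counts the "Did not receive identification string" events per source address, and flags any accepted login from an address outside a set of expected ones (Eric says only two people log in). The sample log is constructed; the two probing addresses are the ones quoted above, while the accepted-login line and the address 192.168.1.20 are made up.

```python
import re
from collections import Counter

# Constructed sample in the sshd syslog format quoted in the thread.
# The probing IPs are from Eric's log; the last line is invented.
SAMPLE_LOG = """\
Jul  1 03:57:06 iceaxe sshd[642]: Did not receive identification string from 80.55.196.26
Jul  1 04:00:24 iceaxe sshd[654]: Did not receive identification string from 80.55.196.26
Jul  3 22:01:15 iceaxe sshd[13243]: Did not receive identification string from 211.152.64.13
Jul  3 22:02:40 iceaxe sshd[13250]: Accepted password for eric from 192.168.1.20 port 4011 ssh2
"""

# "Mon dd HH:MM:SS host sshd[pid]: message"
SSHD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
NO_IDENT = re.compile(r"Did not receive identification string from (?P<ip>[\d.]+)")
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")

def parse_sshd(log_text):
    """Yield (timestamp, pid, message) for each sshd line; skip other lines."""
    for line in log_text.splitlines():
        m = SSHD_LINE.match(line)
        if m:
            yield m.group("ts"), int(m.group("pid")), m.group("msg")

def summarize(log_text, expected_ips):
    """Count no-banner connects per source IP; flag logins from other IPs."""
    probes = Counter()
    unexpected_logins = []
    for ts, _pid, msg in parse_sshd(log_text):
        m = NO_IDENT.search(msg)
        if m:
            probes[m.group("ip")] += 1
            continue
        m = ACCEPTED.search(msg)
        if m and m.group("ip") not in expected_ips:
            unexpected_logins.append((ts, m.group("user"), m.group("ip")))
    return {"probes": dict(probes), "unexpected_logins": unexpected_logins}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, expected_ips={"192.168.1.20"})
    for ip, n in sorted(report["probes"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d} connection(s) with no SSH banner from {ip}")
    for ts, user, ip in report["unexpected_logins"]:
        print(f"!! login for {user} from unexpected address {ip} at {ts}")
```

Point it at /var/log/secure (or whatever your syslog writes sshd to) and put your own addresses in expected_ips; a login from anywhere else is the line worth worrying about, the banner-less connects are just scanners.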