Very Computer

Hello, everybody.
One of my machines was cracked recently. No major damage was done,
however, I have so far been unable to understand what hole has been exploited,
and this bugs me to no end.

It looks like the cracker is sending some sort of signal to either
telnetd or login...

If anybody has an idea, based on the info appended below, I will really
appreciate to hear about it...

Cheers,
        Alessandro Forghieri

This is how it all starts [I have changed hostnames & IP addresses in what
follows ]:

file: /var/log/secure:
Jan 10 07:34:38 foobar in.telnetd[8473]: connect from 10.0.98.9
Jan 10 07:35:33 foobar in.telnetd[8480]: connect from 10.0.97.152
Jan 10 07:35:47 foobar in.telnetd[8483]: connect from 10.0.97.152
Jan 10 07:38:49 foobar in.telnetd[8506]: connect from 10.0.97.152
Jan 10 07:39:17 foobar in.ftpd[8512]: connect from 10.0.97.152
Jan 10 07:42:54 foobar in.telnetd[8534]: connect from 10.0.97.152
Jan 10 07:43:06 foobar in.telnetd[8540]: connect from 10.0.98.9
Jan 10 07:43:28 foobar in.telnetd[8548]: warning: can't get client address: Connection reset by peer
Jan 10 07:43:28 foobar in.telnetd[8548]: connect from unknown
[...]

file: /var/log/messages:
Jan 10 07:34:41 foobar telnetd[8473]: ttloop:  peer died: Unknown error
Jan 10 07:35:54 foobar su:  on /dev/ttyp1
Jan 10 07:39:27 foobar ftpd[8512]: FTP LOGIN FROM ntsvr5-24.idirect.com [10.0.97.152], liquid
Jan 10 07:39:46 foobar ftpd[8512]: FTP session closed
Jan 10 07:40:33 foobar su:  on /dev/ttyp0
Jan 10 07:40:51 foobar linux: eth0: Transmitter access conflict.
Jan 10 07:40:51 foobar kernel: eth0: Transmitter access conflict.
Jan 10 07:41:21 foobar linux: eth0: Transmitter access conflict.
Jan 10 07:41:21 foobar kernel: eth0: Transmitter access conflict.
Jan 10 07:41:51 foobar linux: eth0: Transmitter access conflict.
Jan 10 07:42:22 foobar linux: eth0: Transmitter access conflict.
Jan 10 07:42:22 foobar kernel: eth0: Transmitter access conflict.
Jan 10 07:43:23 foobar su:  on /dev/ttyp3

---
Alessandro Forghieri            Site administrator Nouvelle srl

Via Giardini 460                Fax:    +39 59 343822

Hi,

I think it's time for you to recompile your kernel with some
firewall-options enbled and to install the ipfwadm tool.

Take a look at www.xos.nl...

Ivo Naninck.

mm, I remember seeing something at rootshell.com like this. I dunno if it
*does* this, it didn't work on my machine. in any case, I suggest you check
the redhat and linux alert lists.

Quote:> I think it's time for you to recompile your kernel with some
> firewall-options enbled and to install the ipfwadm tool.

Could it be a classic Spoof IP hijack on one of your trusted systems?