hack attack?

Post by Jerry Kozelsk » Wed, 08 Nov 2000 04:00:00



SCO OpenServer 5.0.1
One of our user accounts became locked yesterday. The number of unsuccessful
logins exceeded the limit of 99. When reviewing the account login settings,
we noticed that the unsuccessful logins keep increasing at the rate of one
per second. Is there a way to see where these attempts are coming from? Does
it look like a hack, or what? It started on Monday morning.

Post by Ian Peatt » Thu, 09 Nov 2000 04:00:00




>SCO OpenServer 5.0.1

Are you /quite/ sure? 'uname -X' might give a different release number.

>One of our user accounts became locked yesterday. The number of unsuccessful
>logins exceeded the limit of 99. When reviewing the account login settings,
>we noticed that the unsuccessful logins keep increasing at the rate of one
>per second. Is there a way to see where these attempts are coming from? Does
>it look like a hack, or what? It started on Monday morning.

Are you seeing failed logins for a specific user, or for a specific port?
If for a specific serial port, you might have a 'chatty' modem or some other
bit of hardware which is causing a getty to repeatedly respawn.

If these are failures on a pseudo tty, and if you are seeing these happening
in real time as you say, you could use 'netstat' to list the current remote
connections via TCP.

    Ian.

--
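
Added example, not part of the original thread: one way to turn the netstat suggestion above into a per-host tally, so that a source making one login attempt per second stands out. The function name, the six-column layout (proto, recv-q, send-q, local, foreign, state), the choice of ports 23 (telnet) and 513 (rlogin), and the sample lines are assumptions; adjust them to what your netstat prints.

```shell
#!/bin/sh
# Added example: count remote hosts connected to the login services.
# Assumed input: numeric netstat output (e.g. from `netstat -an`) with columns
#   proto recv-q send-q local-address foreign-address state
# Addresses may be written addr.port or addr:port.

tally_login_peers() {
    awk '
    $1 ~ /^tcp/ && NF >= 6 {
        if ($6 == "LISTEN") next            # skip the listening socket itself
        lport = $4
        sub(/^.*[.:]/, "", lport)           # keep what follows the last . or :
        if (lport != "23" && lport != "513") next   # telnet, rlogin only
        host = $5
        sub(/[.:][^.:]*$/, "", host)        # drop the remote port
        # Recently closed connections linger in TIME_WAIT, so failed
        # attempts from the last minute or so are counted as well.
        count[host]++
    }
    END { for (h in count) print count[h], h }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input (documentation addresses, not real data).
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.23                   *.*                    LISTEN
tcp        0      0  192.0.2.10.23          198.51.100.7.1042      ESTABLISHED
tcp        0      0  192.0.2.10.23          203.0.113.45.3311      TIME_WAIT
tcp        0      0  192.0.2.10.23          203.0.113.45.3312      TIME_WAIT
tcp        0      0  192.0.2.10.23          203.0.113.45.3313      ESTABLISHED
tcp        0      0  192.0.2.10.25          198.51.100.9.2200      ESTABLISHED
EOF
}

# Prints one "count host" line per remote host, busiest first.
sample_netstat | tally_login_peers
```

On a live system, pipe the real netstat output into `tally_login_peers` a few times in a row; a host whose count stays high between runs is the one to look at.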