Thanks to Bastille, I'm Still Alive

Janina Sajka janina at afb.net
Thu Apr 13 00:05:55 EDT 2000


At least, I don't think my attacker managed to do much. Since I'm new
enough to all of this, I'm posting the relevant snippets from some of my
logs below. I can't imagine I would be in such shape had I not run
Bastille a couple of months ago--even though I didn't take all of the
advice in the Bastille scripts.

I might not even have noticed the attack for a while, had I not been on the
system with Bill Acker and Frankie Carmickle on the phone with me. And,
we'd just fixed my sendmail problem! Just in time to be attacked.

First, and most important: What authority should I advise of this
outrage? Who are the relevant gendarmes?

Second, and least clear to me--Did they do any damage to my mail? Seems
the relay request was canned, as was the request to root. But it looks to
me like debug and stats commands were honored. What does that mean? Here's
what's in maillog:

Apr 11 23:40:51 isrd sendmail[2358]: NOQUEUE: adsl-151-200-19-201.bellatlantic.net [151.200.19.201]: vrfy root
Apr 11 23:40:51 isrd sendmail[2359]: NOQUEUE: adsl-151-200-19-201.bellatlantic.net [151.200.19.201]: expn root
Apr 11 23:40:51 isrd sendmail[2360]: NOQUEUE: adsl-151-200-19-201.bellatlantic.net [151.200.19.201]: expn decode
Apr 11 23:42:13 isrd sendmail[2361]: XAA02361: ruleset=check_rcpt, arg1=<scan at cerberus-infosec.co.uk>, relay=adsl-151-200-19-201.bellatlantic.net [151.200.19.201], reject=551 we do not relay
Apr 11 23:42:13 isrd sendmail[2361]: XAA02361: from=<cis at cerberus-infosec.co.uk>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
Apr 11 23:42:13 isrd sendmail[2369]: XAA02369: setsender: |root: invalid or unparseable, received from adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
Apr 11 23:42:13 isrd sendmail[2369]: XAA02369: from=|root, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
Apr 11 23:42:13 isrd sendmail[2368]: NOQUEUE: "wiz" command from adsl-151-200-19-201.bellatlantic.net [151.200.19.201] (151.200.19.201)
Apr 11 23:42:14 isrd sendmail[2371]: XAA02371: |cisscan... Cannot mail directly to programs
Apr 11 23:42:14 isrd sendmail[2371]: XAA02371: "debug" command from adsl-151-200-19-201.bellatlantic.net [151.200.19.201] (151.200.19.201)
Apr 11 23:42:14 isrd sendmail[2371]: XAA02371: from=<scan at cerberus-infosec.co.uk>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
Apr 11 23:43:03 isrd sendmail[2399]: XAA02399: from=root, size=42, class=0, pri=30042, nrcpts=1, msgid=<200004120343.XAA02399 at adsl-151-200-20-29.bellatlantic.net>, relay=root at localhost
Apr 11 23:43:03 isrd sendmail[2407]: XAA02399: to=isos, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent


I now have the 151. zone in hosts.deny so don't expect to hear from this
<expletive deleted> again--not from 151.200.19.201, at least. I think the
other probes were repelled. Am I wrong? Here's some more log data:

Mar  6 08:54:34 sajka login: LOGIN ON tty1 BY janina
Mar  6 08:56:26 sajka login: ROOT LOGIN ON tty2
Mar  6 15:10:07 sajka login: LOGIN ON tty3 BY janina
Mar  7 06:54:54 sajka login: LOGIN ON tty1 BY janina
Mar  7 06:55:04 sajka login: ROOT LOGIN ON tty2
Mar  7 09:07:45 sajka login: LOGIN ON tty1 BY janina
Mar  7 09:07:51 sajka login: ROOT LOGIN ON tty2
Mar  7 12:14:45 sajka login: LOGIN ON tty3 BY janina
Mar  7 13:54:46 sajka login: LOGIN ON tty1 BY janina
Mar  7 13:54:53 sajka login: ROOT LOGIN ON tty2
Mar  7 15:00:38 sajka login: LOGIN ON tty3 BY janina
Mar  7 15:40:40 sajka login: LOGIN ON tty4 BY janina
Mar  7 15:47:38 sajka login: LOGIN ON tty5 BY janina
Mar  7 17:20:33 sajka in.ftpd[1238]: connect from 129.186.142.10
Mar  7 17:23:09 sajka in.ftpd[1246]: connect from 129.186.142.10
Mar  7 19:12:03 sajka login: ROOT LOGIN ON tty4
Mar  7 19:42:41 sajka login: LOGIN ON tty1 BY janina
Mar  7 19:48:20 sajka login: ROOT LOGIN ON tty2
Mar  7 21:50:10 sajka login: LOGIN ON tty3 BY janina
Mar  8 10:25:06 sajka in.ftpd[2083]: connect from 208.36.95.171
Mar  8 16:28:43 sajka login: ROOT LOGIN ON tty4
Mar  8 19:02:37 sajka login: LOGIN ON tty1 BY janina
Mar  8 19:02:43 sajka login: ROOT LOGIN ON tty2
Mar  8 19:50:53 sajka login: LOGIN ON tty3 BY janina
Mar  8 19:55:29 sajka in.telnetd[997]: connect from 129.186.142.115
Mar  8 19:55:53 sajka login: LOGIN ON 0 BY collins FROM gene4.cc.iastate.edu
Mar  8 20:54:06 sajka login: ROOT LOGIN ON tty4
Mar  8 20:54:51 sajka login: ROOT LOGIN ON tty6
Mar  9 12:10:00 sajka login: ROOT LOGIN ON tty2
Mar  9 12:14:44 sajka login: LOGIN ON tty1 BY janina
Mar  9 12:49:07 sajka login: LOGIN ON tty3 BY janina
Mar  9 14:05:17 sajka login: LOGIN ON tty5 BY janina
Mar  9 15:02:26 sajka in.ftpd[1222]: connect from 208.36.95.171
Mar  9 15:10:50 sajka in.ftpd[1245]: connect from 208.36.95.171
Mar  9 15:22:22 sajka in.ftpd[1306]: connect from 208.36.95.171
Mar  9 15:25:23 sajka in.ftpd[1313]: connect from 208.36.95.171
Mar  9 15:28:12 sajka in.ftpd[1321]: connect from 208.36.95.171
Mar  9 15:52:47 sajka login: ROOT LOGIN ON tty4
Mar  9 19:16:38 sajka login: ROOT LOGIN ON tty2
Mar  9 19:59:56 sajka login: LOGIN ON tty1 BY janina
Mar  9 20:01:07 sajka in.telnetd[693]: refused connect from 208.36.95.171
Mar  9 20:01:29 sajka in.ftpd[700]: refused connect from 208.36.95.171
Mar  9 20:27:02 sajka login: LOGIN ON tty3 BY janina
Mar 10 00:08:12 sajka login: LOGIN ON tty1 BY janina
Mar 10 00:09:30 sajka in.telnetd[598]: connect from 208.36.95.171
Mar 10 00:09:47 sajka login: LOGIN ON 0 BY janina FROM 208.36.95.171
Mar 10 00:10:05 sajka in.ftpd[616]: connect from 208.36.95.171
Mar 10 00:11:24 sajka login: ROOT LOGIN ON tty2
Mar 10 01:20:20 sajka login: ROOT LOGIN ON tty4
Mar 10 01:21:14 sajka login: ROOT LOGIN ON tty4
Mar 10 01:24:16 sajka login: ROOT LOGIN ON tty4
Mar 10 09:40:50 sajka login: LOGIN ON tty3 BY janina
Mar 10 12:56:24 sajka login: LOGIN ON tty5 BY janina
Mar 10 17:48:01 sajka login: ROOT LOGIN ON tty6
Mar 10 18:11:19 sajka in.ftpd[3517]: connect from 63.224.68.2
Mar 10 23:04:55 sajka login: ROOT LOGIN ON tty2
Mar 11 11:46:09 sajka login: ROOT LOGIN ON tty2
Mar 12 21:47:36 sajka login: ROOT LOGIN ON tty2
Mar 12 21:56:09 sajka login: ROOT LOGIN ON tty4
Mar 12 21:59:22 sajka login: ROOT LOGIN ON tty2
Mar 12 22:00:02 sajka login: ROOT LOGIN ON tty2
Mar 12 22:00:18 sajka login: LOGIN ON tty3 BY janina
Mar 13 14:09:32 sajka login: LOGIN ON tty1 BY janina
Mar 13 14:09:43 sajka login: ROOT LOGIN ON tty2
Mar 13 15:22:58 sajka login: LOGIN ON tty3 BY janina
Mar 13 15:50:40 sajka login: ROOT LOGIN ON tty2
Mar 13 15:50:49 sajka login: LOGIN ON tty3 BY janina
Mar 13 16:05:49 sajka login: LOGIN ON tty1 BY janina
Mar 13 16:51:03 sajka login: ROOT LOGIN ON tty4
Mar 13 17:08:33 sajka login: ROOT LOGIN ON tty2
Mar 13 17:11:49 sajka login: ROOT LOGIN ON tty4
Mar 13 17:13:21 sajka login: ROOT LOGIN ON tty2
Mar 13 17:23:23 sajka login: LOGIN ON tty3 BY janina
Mar 13 19:48:40 sajka login: ROOT LOGIN ON tty4
Mar 13 20:04:42 sajka login: ROOT LOGIN ON tty2
Mar 13 20:09:54 sajka login: LOGIN ON tty3 BY janina
Mar 13 20:43:10 sajka login: LOGIN ON tty1 BY janina
Mar 13 22:38:16 sajka login: ROOT LOGIN ON tty2
Mar 13 22:45:48 sajka login: ROOT LOGIN ON tty2
Mar 13 22:58:23 sajka login: LOGIN ON tty1 BY janina
Mar 13 23:02:30 sajka login: LOGIN ON tty1 BY janina
Mar 13 23:04:45 sajka login: ROOT LOGIN ON tty2
Mar 13 23:14:27 sajka login: ROOT LOGIN ON tty4
Mar 13 23:16:54 sajka login: ROOT LOGIN ON tty2
Mar 14 09:16:17 sajka login: LOGIN ON tty1 BY janina
Mar 14 09:33:12 sajka login: LOGIN ON tty3 BY janina
Mar 14 11:54:00 sajka login: ROOT LOGIN ON tty2
Mar 14 12:52:19 sajka login: LOGIN ON tty1 BY janina
Mar 14 13:12:40 sajka login: LOGIN ON tty3 BY janina
Mar 14 17:50:24 sajka login: ROOT LOGIN ON tty2
Mar 14 23:45:13 sajka login: ROOT LOGIN ON tty2
Mar 14 23:48:17 sajka login: LOGIN ON tty1 BY janina
Mar 15 00:01:38 sajka login: ROOT LOGIN ON tty2
Mar 15 00:20:13 sajka login: ROOT LOGIN ON tty2
Mar 15 08:51:04 sajka login: LOGIN ON tty1 BY janina
Mar 15 09:06:43 sajka login: ROOT LOGIN ON tty2
Mar 15 11:26:39 sajka login: LOGIN ON tty1 BY janina
Mar 15 11:26:58 sajka login: ROOT LOGIN ON tty2
Mar 15 11:38:50 sajka login: LOGIN ON tty3 BY janina
Mar 15 13:51:26 sajka login: LOGIN ON tty5 BY janina
Mar 15 14:40:35 sajka login: ROOT LOGIN ON tty4
Mar 16 19:45:36 sajka in.telnetd[4798]: connect from 63.224.68.1
Mar 16 19:45:52 sajka login: LOGIN ON 0 BY wacker FROM 63.224.68.1
Mar 17 09:39:00 sajka login: ROOT LOGIN ON tty2
Mar 17 09:47:39 sajka login: LOGIN ON tty1 BY janina
Mar 17 09:57:16 sajka login: LOGIN ON tty3 BY janina
Mar 17 14:26:39 sajka login: ROOT LOGIN ON tty2
Mar 17 14:29:34 sajka login: LOGIN ON tty1 BY janina
Mar 17 14:29:39 sajka in.ftpd[655]: connect from 151.200.20.29
Mar 17 15:39:46 sajka login: LOGIN ON tty3 BY janina
Mar 17 17:16:43 sajka in.ftpd[1116]: connect from 63.224.68.2
Mar 19 11:35:31 sajka in.telnetd[5291]: connect from 208.36.95.171
Mar 19 11:36:11 sajka in.telnetd[5294]: connect from 208.36.95.171
Mar 19 11:36:21 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Mar 19 12:02:51 sajka in.ftpd[5367]: connect from 208.36.95.171
Mar 19 12:03:42 sajka in.telnetd[5369]: connect from 208.36.95.171
Mar 19 12:04:00 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Mar 19 12:05:45 sajka in.ftpd[5388]: connect from 208.36.95.171
Mar 20 02:44:02 sajka in.ftpd[6704]: connect from 24.5.204.126
Mar 20 10:08:39 sajka in.telnetd[7479]: connect from 208.36.95.171
Mar 20 10:09:00 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Mar 20 10:35:29 sajka in.telnetd[7541]: connect from 208.36.95.171
Mar 20 10:35:57 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Mar 21 18:46:05 sajka in.telnetd[10963]: connect from 208.36.95.171
Mar 21 18:46:32 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Mar 21 18:57:57 sajka in.ftpd[11010]: connect from 208.36.95.171
Mar 21 22:14:09 sajka in.telnetd[11358]: connect from 208.36.95.171
Mar 21 22:14:23 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Mar 21 22:21:31 sajka in.ftpd[11386]: connect from 208.36.95.171
Mar 21 23:22:40 sajka in.ftpd[11504]: connect from 208.36.95.171
Mar 21 23:25:27 sajka in.telnetd[11508]: connect from 208.36.95.171
Mar 21 23:25:43 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Mar 22 01:21:34 sajka in.ftpd[11774]: connect from 208.36.95.171
Mar 22 11:39:12 sajka in.telnetd[12797]: connect from 208.36.95.171
Mar 22 11:39:27 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Mar 22 11:49:58 sajka in.telnetd[12830]: connect from 208.36.95.171
Mar 22 11:50:08 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Mar 24 02:48:27 sajka in.telnetd[16851]: connect from 208.36.95.171
Mar 24 02:48:41 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Mar 24 20:09:55 sajka in.telnetd[18793]: connect from 166.102.116.151
Mar 24 20:09:55 sajka imapd[18794]: refused connect from 166.102.116.151
Mar 24 20:09:55 sajka ipop3d[18795]: connect from 166.102.116.151
Mar 24 20:09:55 sajka ipop3d[18795]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Mar 24 20:09:55 sajka in.ftpd[18802]: connect from 166.102.116.151
Mar 24 20:09:56 sajka in.telnetd[18809]: connect from 166.102.116.151
Mar 24 20:10:02 sajka ipop3d[18813]: connect from 166.102.116.151
Mar 24 20:10:02 sajka ipop3d[18813]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Mar 24 20:10:05 sajka imapd[18814]: refused connect from 166.102.116.151
Mar 24 20:36:12 sajka in.telnetd[18876]: connect from 208.36.95.171
Mar 24 20:36:28 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Mar 27 01:24:55 sajka in.telnetd[24016]: connect from 208.36.95.171
Mar 27 01:25:05 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Mar 29 13:48:15 sajka in.telnetd[31048]: connect from 208.36.95.171
Mar 29 13:48:34 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Mar 30 00:36:36 sajka in.telnetd[32411]: connect from 208.36.95.171
Mar 30 00:36:48 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Apr  1 11:41:54 sajka login: LOGIN ON tty1 BY janina
Apr  1 12:26:49 sajka login: LOGIN ON tty3 BY janina
Apr  1 14:06:21 sajka login: ROOT LOGIN ON tty2
Apr  2 10:44:46 sajka login: ROOT LOGIN ON tty2
Apr  2 11:10:18 sajka login: LOGIN ON tty1 BY janina
Apr  2 11:17:44 sajka login: LOGIN ON tty3 BY janina
Apr  2 14:35:35 sajka login: ROOT LOGIN ON tty4
Apr  2 14:39:08 sajka login: ROOT LOGIN ON tty6
Apr  2 15:57:55 sajka login: ROOT LOGIN ON tty1
Apr  2 16:01:45 sajka login: LOGIN ON tty1 BY janina
Apr  2 16:01:55 sajka login: ROOT LOGIN ON tty2
Apr  2 16:05:33 sajka login: LOGIN ON tty3 BY janina
Apr  2 16:33:56 sajka login: ROOT LOGIN ON tty4
Apr  2 18:59:48 sajka login: LOGIN ON tty5 BY janina
Apr  3 22:32:38 sajka login: LOGIN ON tty1 BY janina
Apr  3 22:32:45 sajka login: ROOT LOGIN ON tty2
Apr  3 22:39:55 sajka login: LOGIN ON tty1 BY janina
Apr  3 22:40:00 sajka login: ROOT LOGIN ON tty2
Apr  3 22:49:17 sajka login: LOGIN ON tty1 BY janina
Apr  3 22:49:32 sajka login: ROOT LOGIN ON tty2
Apr  4 09:59:28 sajka login: LOGIN ON tty3 BY janina
Apr  4 10:42:12 sajka login: LOGIN ON tty1 BY janina
Apr  4 10:42:20 sajka login: ROOT LOGIN ON tty2
Apr  4 11:00:27 sajka login: ROOT LOGIN ON tty2
Apr  4 11:31:07 sajka login: ROOT LOGIN ON tty1
Apr  4 11:42:04 sajka login: ROOT LOGIN ON tty1
Apr  4 11:55:03 sajka login: ROOT LOGIN ON tty1
Apr  4 12:26:11 sajka login: ROOT LOGIN ON tty1
Apr  4 13:13:07 sajka login: ROOT LOGIN ON tty1
Apr  4 14:27:25 sajka login: LOGIN ON tty1 BY janina
Apr  4 15:21:25 sajka login: ROOT LOGIN ON tty2
Apr  4 16:04:16 sajka login: ROOT LOGIN ON tty4
Apr  4 16:14:24 sajka login: LOGIN ON tty3 BY janina
Apr  4 17:07:20 sajka login: LOGIN ON tty1 BY janina
Apr  4 17:07:40 sajka login: ROOT LOGIN ON tty2
Apr  4 17:18:27 sajka login: LOGIN ON tty3 BY janina
Apr  4 17:22:18 sajka login: ROOT LOGIN ON tty4
Apr  4 19:00:02 sajka login: LOGIN ON tty5 BY janina
Apr  4 19:07:32 sajka login: ROOT LOGIN ON tty4
Apr  4 19:54:41 sajka login: ROOT LOGIN ON tty2
Apr  4 22:13:27 sajka login: ROOT LOGIN ON tty2
Apr  5 08:47:17 sajka login: LOGIN ON tty1 BY janina
Apr  5 08:47:28 sajka login: ROOT LOGIN ON tty2
Apr  5 10:23:27 sajka login: LOGIN ON tty1 BY janina
Apr  5 10:23:32 sajka login: ROOT LOGIN ON tty2
Apr  5 13:15:52 sajka login: ROOT LOGIN ON tty4
Apr  5 13:36:53 sajka login: LOGIN ON tty1 BY janina
Apr  5 13:37:03 sajka login: ROOT LOGIN ON tty2
Apr  5 13:39:06 sajka login: LOGIN ON tty3 BY janina
Apr  5 13:40:10 sajka login: ROOT LOGIN ON tty4
Apr  5 18:15:41 sajka login: ROOT LOGIN ON tty1
Apr  5 18:31:45 sajka login: ROOT LOGIN ON tty1
Apr  5 19:28:25 sajka login: ROOT LOGIN ON tty2
Apr  5 19:45:50 sajka login: LOGIN ON tty1 BY janina
Apr  5 21:23:25 sajka login: ROOT LOGIN ON tty1
Apr  5 22:08:29 sajka login: ROOT LOGIN ON tty1
Apr  5 22:47:32 sajka login: ROOT LOGIN ON tty1
Apr  5 23:05:35 sajka login: ROOT LOGIN ON tty1
Apr  6 01:06:24 sajka login: ROOT LOGIN ON tty1
Apr  6 09:56:37 sajka login: ROOT LOGIN ON tty1
Apr  6 11:00:59 sajka login: ROOT LOGIN ON tty1
Apr  6 11:02:48 sajka login: LOGIN ON tty2 BY janina
Apr  6 13:31:12 sajka login: ROOT LOGIN ON tty1
Apr  6 14:09:19 sajka login: ROOT LOGIN ON tty2
Apr  6 16:41:56 sajka login: ROOT LOGIN ON tty1
Apr  6 20:33:13 sajka login: ROOT LOGIN ON tty1
Apr  6 20:41:11 sajka login: ROOT LOGIN ON tty1
Apr  6 20:53:08 sajka login: ROOT LOGIN ON tty2
Apr  6 23:16:54 sajka login: ROOT LOGIN ON tty1
Apr  6 23:58:48 sajka login: ROOT LOGIN ON tty1
Apr  7 01:02:49 sajka login: ROOT LOGIN ON tty1
Apr  7 01:29:05 sajka login: ROOT LOGIN ON tty1
Apr  7 01:33:15 sajka login: ROOT LOGIN ON tty1
Apr  7 01:39:22 sajka login: ROOT LOGIN ON tty1
Apr  7 01:43:50 sajka login: LOGIN ON tty1 BY janina
Apr  7 01:44:56 sajka login: ROOT LOGIN ON tty2
Apr  7 09:56:48 sajka login: ROOT LOGIN ON tty2
Apr  7 09:57:47 sajka login: LOGIN ON tty1 BY janina
Apr  7 09:58:11 sajka login: ROOT LOGIN ON tty2
Apr  7 10:04:15 sajka login: LOGIN ON tty1 BY janina
Apr  7 10:05:37 sajka login: LOGIN ON tty1 BY janina
Apr  7 10:07:38 sajka login: ROOT LOGIN ON tty2
Apr  7 10:10:32 sajka login: LOGIN ON tty1 BY janina
Apr  7 13:19:51 sajka login: ROOT LOGIN ON tty2
Apr  7 13:22:26 sajka login: LOGIN ON tty1 BY janina
Apr  7 16:23:09 sajka login: LOGIN ON tty3 BY janina
Apr  7 16:26:39 sajka login: ROOT LOGIN ON tty2
Apr  7 17:53:30 sajka login: ROOT LOGIN ON tty4
Apr  7 18:39:54 sajka login: LOGIN ON tty1 BY janina
Apr  7 18:40:21 sajka login: ROOT LOGIN ON tty2
Apr  7 20:46:48 sajka in.telnetd[1401]: connect from 192.168.1.239
Apr  7 22:45:53 sajka ipop3d[2234]: connect from 192.168.1.250
Apr  7 22:45:53 sajka ipop3d[2234]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 22:45:58 sajka ipop3d[2235]: connect from 192.168.1.250
Apr  7 22:45:58 sajka ipop3d[2235]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 22:46:03 sajka ipop3d[2237]: connect from 192.168.1.250
Apr  7 22:46:03 sajka ipop3d[2237]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 22:51:08 sajka ipop3d[2264]: connect from 192.168.1.250
Apr  7 22:51:08 sajka ipop3d[2264]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 22:51:13 sajka ipop3d[2265]: connect from 192.168.1.250
Apr  7 22:51:13 sajka ipop3d[2265]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 22:51:18 sajka ipop3d[2266]: connect from 192.168.1.250
Apr  7 22:51:18 sajka ipop3d[2266]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 22:56:23 sajka ipop3d[2405]: connect from 192.168.1.250
Apr  7 22:56:23 sajka ipop3d[2405]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 22:56:28 sajka ipop3d[2406]: connect from 192.168.1.250
Apr  7 22:56:28 sajka ipop3d[2406]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 22:56:33 sajka ipop3d[2407]: connect from 192.168.1.250
Apr  7 22:56:33 sajka ipop3d[2407]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 23:01:38 sajka ipop3d[2432]: connect from 192.168.1.250
Apr  7 23:01:38 sajka ipop3d[2432]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 23:01:43 sajka ipop3d[2433]: connect from 192.168.1.250
Apr  7 23:01:43 sajka ipop3d[2433]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 23:01:48 sajka ipop3d[2434]: connect from 192.168.1.250
Apr  7 23:01:48 sajka ipop3d[2434]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 23:06:53 sajka ipop3d[2441]: connect from 192.168.1.250
Apr  7 23:06:53 sajka ipop3d[2441]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 23:06:58 sajka ipop3d[2442]: connect from 192.168.1.250
Apr  7 23:06:58 sajka ipop3d[2442]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 23:07:03 sajka ipop3d[2443]: connect from 192.168.1.250
Apr  7 23:07:03 sajka ipop3d[2443]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 23:12:08 sajka ipop3d[2461]: connect from 192.168.1.250
Apr  7 23:12:08 sajka ipop3d[2461]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 23:12:13 sajka ipop3d[2463]: connect from 192.168.1.250
Apr  7 23:12:13 sajka ipop3d[2463]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 23:12:18 sajka ipop3d[2464]: connect from 192.168.1.250
Apr  7 23:12:18 sajka ipop3d[2464]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 23:17:23 sajka ipop3d[2492]: connect from 192.168.1.250
Apr  7 23:17:23 sajka ipop3d[2492]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 23:17:28 sajka ipop3d[2493]: connect from 192.168.1.250
Apr  7 23:17:28 sajka ipop3d[2493]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  7 23:17:33 sajka ipop3d[2494]: connect from 192.168.1.250
Apr  7 23:17:33 sajka ipop3d[2494]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr  8 00:02:09 sajka login: LOGIN ON tty3 BY janina
Apr  8 00:39:49 adsl-151-200-20-29 login: ROOT LOGIN ON tty1
Apr  8 02:36:27 adsl-151-200-20-29 in.telnetd[1033]: connect from 208.166.24.190
Apr  8 10:51:22 adsl-151-200-20-29 login: LOGIN ON tty1 BY janina
Apr  8 11:39:21 adsl-151-200-20-29 login: LOGIN ON tty3 BY janina
Apr  8 11:39:45 adsl-151-200-20-29 login: ROOT LOGIN ON tty2
Apr  8 11:51:11 adsl-151-200-20-29 login: ROOT LOGIN ON tty2
Apr  8 11:59:26 adsl-151-200-20-29 login: LOGIN ON tty3 BY janina
Apr  8 12:05:51 adsl-151-200-20-29 login: LOGIN ON tty3 BY janina
Apr  8 12:07:26 adsl-151-200-20-29 login: LOGIN ON tty3 BY janina
Apr  8 12:40:56 adsl-151-200-20-29 login: ROOT LOGIN ON tty2
Apr  8 13:20:49 adsl-151-200-20-29 login: ROOT LOGIN ON tty4
Apr  8 13:29:21 adsl-151-200-20-29 login: ROOT LOGIN ON tty4
Apr  8 16:34:18 adsl-151-200-20-29 login: ROOT LOGIN ON tty2
Apr  8 16:48:36 adsl-151-200-20-29 login: ROOT LOGIN ON tty2
Apr  8 17:06:34 adsl-151-200-20-29 login: ROOT LOGIN ON tty4
Apr  9 15:46:59 adsl-151-200-20-29 login: ROOT LOGIN ON tty1
Apr  9 17:01:02 adsl-151-200-20-29 login: ROOT LOGIN ON tty1
Apr  9 17:01:23 adsl-151-200-20-29 in.telnetd[8511]: connect from 192.168.1.253
Apr  9 17:18:07 isrd login: ROOT LOGIN ON tty2
Apr  9 17:58:30 isrd login: LOGIN ON tty3 BY janina
Apr  9 19:15:31 isrd in.telnetd[1315]: connect from 192.168.1.239
Apr  9 19:18:17 isrd in.telnetd[1322]: connect from 192.168.1.239
Apr  9 19:18:22 isrd login: LOGIN ON 0 BY janina FROM 192.168.1.239
Apr  9 19:58:28 isrd login: ROOT LOGIN ON tty2
Apr  9 20:25:06 isrd in.ftpd[1022]: connect from 192.168.1.239
Apr  9 20:25:53 isrd in.ftpd[1023]: connect from 192.168.1.239
Apr  9 20:35:36 isrd in.ftpd[1135]: connect from 192.168.1.239
Apr  9 21:32:13 isrd in.ftpd[1699]: connect from 192.168.1.239
Apr  9 21:33:46 isrd in.ftpd[1701]: connect from 192.168.1.239
Apr  9 21:34:52 isrd in.ftpd[1703]: connect from 192.168.1.239
Apr  9 21:46:05 isrd login: ROOT LOGIN ON tty2
Apr  9 21:47:34 isrd in.ftpd[881]: connect from 208.36.95.171
Apr  9 21:48:30 isrd login: ROOT LOGIN ON tty4
Apr  9 21:50:15 isrd in.ftpd[909]: connect from 208.36.95.171
Apr  9 21:57:00 isrd in.ftpd[991]: connect from 208.36.95.171
Apr  9 22:02:33 isrd in.ftpd[1008]: connect from 192.168.1.239
Apr  9 22:12:23 isrd login: ROOT LOGIN ON tty2
Apr  9 22:43:05 isrd login: LOGIN ON tty1 BY janina
Apr 10 10:18:03 isrd login: ROOT LOGIN ON tty2
Apr 10 10:21:14 isrd login: LOGIN ON tty1 BY janina
Apr 10 11:28:07 isrd login: LOGIN ON tty3 BY janina
Apr 10 11:35:17 isrd login: LOGIN ON tty1 BY janina
Apr 10 11:35:25 isrd login: ROOT LOGIN ON tty2
Apr 10 11:38:27 isrd login: LOGIN ON tty3 BY janina
Apr 10 11:44:55 isrd login: ROOT LOGIN ON tty4
Apr 10 13:15:20 isrd login: ROOT LOGIN ON tty2
Apr 10 13:22:39 isrd login: LOGIN ON tty1 BY janina
Apr 10 13:25:16 isrd login: LOGIN ON tty3 BY janina
Apr 10 13:38:26 isrd login: ROOT LOGIN ON tty4
Apr 10 14:16:54 isrd login: LOGIN ON tty1 BY janina
Apr 10 14:54:31 isrd login: LOGIN ON tty1 BY janina
Apr 10 15:05:41 isrd login: LOGIN ON tty1 BY janina
Apr 10 15:06:49 isrd login: ROOT LOGIN ON tty2
Apr 10 15:12:39 isrd login: ROOT LOGIN ON tty2
Apr 10 15:13:39 isrd login: ROOT LOGIN ON tty2
Apr 10 16:17:08 isrd login: ROOT LOGIN ON tty4
Apr 10 16:17:17 isrd login: LOGIN ON tty3 BY janina
Apr 10 18:00:08 isrd login: ROOT LOGIN ON tty2
Apr 10 18:27:18 isrd login: LOGIN ON tty1 BY janina
Apr 10 18:53:23 isrd login: ROOT LOGIN ON tty2
Apr 10 18:58:47 isrd login: LOGIN ON tty1 BY janina
Apr 10 18:59:57 isrd login: LOGIN ON tty3 BY janina
Apr 10 19:55:15 isrd login: ROOT LOGIN ON tty1
Apr 10 22:30:26 isrd login: LOGIN ON tty1 BY janina
Apr 10 22:30:58 isrd login: ROOT LOGIN ON tty2
Apr 10 23:46:42 isrd login: LOGIN ON tty3 BY janina
Apr 11 11:28:37 isrd login: LOGIN ON tty1 BY janina
Apr 11 16:40:58 isrd login: ROOT LOGIN ON tty4
Apr 11 18:34:27 isrd login: LOGIN ON tty5 BY janina
Apr 11 19:13:20 isrd login: ROOT LOGIN ON tty2
Apr 11 19:15:16 isrd login: LOGIN ON tty1 BY janina
Apr 11 19:30:08 isrd in.telnetd[935]: connect from 208.36.95.171
Apr 11 19:30:30 isrd login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
Apr 11 20:29:50 isrd in.telnetd[1194]: connect from 63.224.68.2
Apr 11 20:36:56 isrd in.ftpd[1229]: connect from 192.168.1.239
Apr 11 20:58:13 isrd login: ROOT LOGIN ON tty4
Apr 11 20:59:38 isrd login: ROOT LOGIN ON tty4
Apr 11 21:32:23 isrd login: ROOT LOGIN ON tty2
Apr 11 21:36:47 isrd login: ROOT LOGIN ON tty2
Apr 11 21:51:16 isrd login: ROOT LOGIN ON tty2
Apr 11 22:12:26 isrd in.ftpd[1984]: connect from 192.168.1.239
Apr 11 22:29:59 isrd in.ftpd[2004]: connect from 192.168.1.239
Apr 11 22:50:37 isrd login: ROOT LOGIN ON tty4
Apr 11 23:25:22 isrd login: LOGIN ON tty1 BY janina
Apr 11 23:40:23 isrd ipop3d[2300]: connect from 151.200.19.201
Apr 11 23:40:23 isrd ipop3d[2300]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr 11 23:40:23 isrd in.fingerd[2306]: connect from 151.200.19.201
Apr 11 23:42:01 isrd in.ftpd[2363]: connect from 151.200.19.201
Apr 11 23:42:24 isrd in.ftpd[2373]: connect from 151.200.19.201


And another version of the facts, just the facts:

Apr 11 23:40:23 isrd portmap[2303]: connect from 151.200.19.201 to dump(): request from unauthorized host
Apr 12 03:40:51 isrd ftpd[2298]: refused PORT 199.199.199.199,2570 from adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
Apr 11 23:42:13 isrd sendmail[2368]: NOQUEUE: "wiz" command from adsl-151-200-19-201.bellatlantic.net [151.200.19.201] (151.200.19.201)
Apr 11 23:42:14 isrd sendmail[2371]: XAA02371: "debug" command from adsl-151-200-19-201.bellatlantic.net [151.200.19.201] (151.200.19.201)
Apr 11 23:42:45 isrd PAM-securetty[2377]: Error opening /etc/securetty

And, finally:

Apr 11 23:40:23 isrd portmap[2303]: connect from 151.200.19.201 to dump(): request from unauthorized host
Apr 12 03:40:51 isrd ftpd[2298]: ANONYMOUS FTP LOGIN FROM adsl-151-200-19-201.bellatlantic.net [151.200.19.201], cis at security.check
Apr 12 03:40:51 isrd ftpd[2298]: refused PORT 199.199.199.199,2570 from adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
Apr 12 03:40:51 isrd ftpd[2298]: FTP session closed
Apr 12 03:42:01 isrd ftpd[2363]: ANONYMOUS FTP LOGIN FROM adsl-151-200-19-201.bellatlantic.net [151.200.19.201], IE40user@
Apr 12 03:42:24 isrd ftpd[2373]: ANONYMOUS FTP LOGIN FROM adsl-151-200-19-201.bellatlantic.net [151.200.19.201], IE40user@
Apr 12 03:48:27 isrd ftpd[2373]: lost connection to adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
Apr 12 03:48:27 isrd ftpd[2373]: FTP session closed

That's right. They came back four hours later to poke around in person via
anonymous ftp. What did they want? How about a file with the net address
for about a dozen time servers? <grin>

Wed Apr 12 03:42:25 2000 1 adsl-151-200-19-201.bellatlantic.net 562 /home/ftp/pub/misc/ntp-servers.txt b _ o a IE40user@ ftp 0 * c

So, if I'm crowing any, it's thanks to the great Bastille scripts. I would
not have known enough to have plugged all of these holes myself yet. And,
I'd be a very unhappy camper had I not used Bastille.

Thanks, Peter, and the rest of y'all. -- 

				Janina Sajka, Director
				Information Systems Research & Development
				American Foundation for the Blind (AFB)

janina at afb.net
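Editor's note: the script below is an added example, not part of Janina's
message or of Bastille. It takes the probe lines quoted in the post and
answers the two questions a responder would ask of them: per source
address, what was tried and how the daemon disposed of it, and whether the
"four hours later" ftpd entries are a second visit or the same sessions
stamped by a different clock. The log lines in SAMPLE_LOG are copied from
the post; everything else (the classification rules, the assumed year
2000, the reading of each daemon's message) is the editor's assumption.
In particular the "wiz"/"debug" lines are treated as refusals because
stock sendmail 8, when not built with SMTPDEBUG, logs those commands and
answers them with "500 Command unrecognized"; the log line is the record
of the probe, not of the command being honored.

```python
"""Triage of the probe lines quoted in the post above.

Added example (editor's code, not from the original message).  SAMPLE_LOG
is copied from the post; the classification of each daemon's message is
the editor's assumption: tcp_wrappers' 'refused connect', portmap's
'unauthorized host', wu-ftpd refusing a PORT to a third-party address,
sendmail's check_rcpt relay rejection, and sendmail 8 logging 'wiz'/'debug'
and answering '500 Command unrecognized' (stock build, no SMTPDEBUG).
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2000  # syslog omits the year; assumed from the date of the post

SAMPLE_LOG = """\
Apr 11 23:40:23 isrd ipop3d[2300]: connect from 151.200.19.201
Apr 11 23:40:23 isrd ipop3d[2300]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Apr 11 23:40:23 isrd portmap[2303]: connect from 151.200.19.201 to dump(): request from unauthorized host
Apr 11 23:40:51 isrd sendmail[2358]: NOQUEUE: adsl-151-200-19-201.bellatlantic.net [151.200.19.201]: vrfy root
Apr 11 23:42:01 isrd in.ftpd[2363]: connect from 151.200.19.201
Apr 11 23:42:13 isrd sendmail[2361]: XAA02361: ruleset=check_rcpt, arg1=<scan at cerberus-infosec.co.uk>, relay=adsl-151-200-19-201.bellatlantic.net [151.200.19.201], reject=551 we do not relay
Apr 11 23:42:13 isrd sendmail[2368]: NOQUEUE: "wiz" command from adsl-151-200-19-201.bellatlantic.net [151.200.19.201] (151.200.19.201)
Apr 11 23:42:14 isrd sendmail[2371]: XAA02371: "debug" command from adsl-151-200-19-201.bellatlantic.net [151.200.19.201] (151.200.19.201)
Apr 12 03:40:51 isrd ftpd[2298]: refused PORT 199.199.199.199,2570 from adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
Apr 12 03:42:01 isrd ftpd[2363]: ANONYMOUS FTP LOGIN FROM adsl-151-200-19-201.bellatlantic.net [151.200.19.201], IE40user@
Mar  9 20:01:07 sajka in.telnetd[693]: refused connect from 208.36.95.171
"""

SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# Source address: sendmail/wu-ftpd put it in [brackets], tcpd writes "from a.b.c.d".
# The bare "199.199.199.199,2570" (the PORT target, not the source) is not matched.
SRC_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]|from (\d{1,3}(?:\.\d{1,3}){3})")

# (pattern on the message, what was tried, how the daemon disposed of it).
# First match wins, so the refusals are listed before the generic "connect from".
RULES = [
    (r"request from unauthorized host", "portmap dump", "refused"),
    (r"refused connect from", "tcp_wrappers", "refused"),
    (r"refused PORT", "ftp bounce (PORT to third party)", "refused"),
    (r"reject=551 we do not relay", "smtp relay", "refused"),
    (r'"(wiz|debug|showq)" command', "smtp wiz/debug", "refused"),
    (r"NOQUEUE: .*: (vrfy|expn) ", "smtp user enumeration", "answered"),
    (r"ANONYMOUS FTP LOGIN", "anonymous ftp", "accepted"),
    (r"cannot execute /usr/sbin/ipop3d", "pop3 (inetd entry, binary missing)", "failed"),
    (r"^connect from", "connect", "accepted"),
]


def daemon(prog):
    """tcpd logs as 'in.ftpd', wu-ftpd itself as 'ftpd': same process, one name."""
    return prog[3:] if prog.startswith("in.") else prog


def parse(line):
    m = SYSLOG.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["when"] = datetime.strptime(f"{YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    ip = SRC_IP.search(ev["msg"])
    ev["src"] = (ip.group(1) or ip.group(2)) if ip else None
    ev["label"], ev["outcome"] = "other", "unknown"
    for pat, label, outcome in RULES:
        if re.search(pat, ev["msg"]):
            ev["label"], ev["outcome"] = label, outcome
            break
    return ev


def triage(text):
    """Events per source: {src: [(time, daemon, label, outcome), ...]}.  A line
    with no address (the ipop3d error) inherits it from an earlier line with
    the same host/daemon/pid."""
    by_src, pid_src = defaultdict(list), {}
    for line in text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["host"], daemon(ev["prog"]), ev["pid"])
        if ev["src"]:
            pid_src[key] = ev["src"]
        src = ev["src"] or pid_src.get(key, "unknown")
        by_src[src].append((ev["when"], daemon(ev["prog"]), ev["label"], ev["outcome"]))
    return dict(by_src)


def clock_skew(text):
    """One pid stamped hours apart means two log writers disagree on the clock:
    {(host, daemon, pid): whole hours}.  In the post, tcpd's in.ftpd[2363] at
    23:42:01 and wu-ftpd's ftpd[2363] at 03:42:01 share a pid and differ by
    exactly the EDT/UTC offset, so they describe one session, not two visits."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ev = parse(line)
        if ev and ev["pid"]:
            seen[(ev["host"], daemon(ev["prog"]), ev["pid"])].append(ev["when"])
    return {k: round((max(t) - min(t)).total_seconds() / 3600)
            for k, t in seen.items() if (max(t) - min(t)).total_seconds() >= 3600}


if __name__ == "__main__":
    for src, events in triage(SAMPLE_LOG).items():
        print(src)
        for when, prog, label, outcome in events:
            print(f"  {when:%b %d %H:%M:%S}  {prog:9} {label:34} {outcome}")
    for (host, prog, pid), hours in clock_skew(SAMPLE_LOG).items():
        print(f"clock skew: {prog}[{pid}] on {host} logged {hours}h apart")
```

Run it as-is to get one block per source address with each attempt and its
disposition, followed by the clock-skew report. The only events classed as
accepted for 151.200.19.201 are the bare TCP connects and the anonymous FTP
logins, which matches the post's own reading that the relay, root, wiz/debug,
portmap dump and PORT-bounce attempts were all refused. When applying this to
a full log rather than the excerpt, feed it the three files the post quotes
(maillog, the tcpd/login log and the ftpd log) concatenated, since the pid
correlation only works when both writers' lines are present.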






More information about the Speakup mailing list