Thanks to Bastille, I'm Still Alive
wabe
wabe at home.com
Thu Apr 13 09:07:12 EDT 2000
Well, honestly, it looks like he was looking for 2 things:
1. REALLY old sendmail holes.
2. ftp overflow holes.
As for 1 - any moderately recent (>5.0 RH) linux should be fine against this.
As for 2 - You don't have anonymous ftp able to write to any directories, do you? You'd have
to specifically enable anonymous, and set that up, on most Linux Distros.
I would check to be sure you aren't running amd and have upgraded your bind, and then
I'd sleep better, if I were you.
-wabe
Janina Sajka wrote:
> At least, I don't think my attacker managed to do much. Since I'm new
> enough to all of this, I'm posting the relevant snippets from some of my
> logs below. I can't imagine I would be in such shape had I not run
> Bastille a couple of months ago--even though I didn't take all of the
> advice in the Bastille scripts.
>
> I might not even have noticed the attack for a while, had I not been on the
> system with Bill Acker and Frankie Carmickle on the phone with me. And,
> we'd just fixed my sendmail problem! Just in time to be attacked.
>
> First, and most important: What authority should I advise of this
> outrage? Who are the relevant gendarmes?
>
> Second, and least clear to me--Did they do any damage to my mail? Seems
> the relay request was canned, as was the request to root. But it looks to
> me like debug and stats commands were honored. What does that mean? Here's
> from maillog:
>
> Apr 11 23:40:51 isrd sendmail[2358]: NOQUEUE: adsl-151-200-19-201.bellatlantic.net [151.200.19.201]: vrfy root
> Apr 11 23:40:51 isrd sendmail[2359]: NOQUEUE: adsl-151-200-19-201.bellatlantic.net [151.200.19.201]: expn root
> Apr 11 23:40:51 isrd sendmail[2360]: NOQUEUE: adsl-151-200-19-201.bellatlantic.net [151.200.19.201]: expn decode
> Apr 11 23:42:13 isrd sendmail[2361]: XAA02361: ruleset=check_rcpt, arg1=<scan at cerberus-infosec.co.uk>, relay=adsl-151-200-19-201.bellatlantic.net [151.200.19.201], reject=551 we do not relay
> Apr 11 23:42:13 isrd sendmail[2361]: XAA02361: from=<cis at cerberus-infosec.co.uk>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
> Apr 11 23:42:13 isrd sendmail[2369]: XAA02369: setsender: |root: invalid or unparseable, received from adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
> Apr 11 23:42:13 isrd sendmail[2369]: XAA02369: from=|root, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
> Apr 11 23:42:13 isrd sendmail[2368]: NOQUEUE: "wiz" command from adsl-151-200-19-201.bellatlantic.net [151.200.19.201] (151.200.19.201)
> Apr 11 23:42:14 isrd sendmail[2371]: XAA02371: |cisscan... Cannot mail directly to programs
> Apr 11 23:42:14 isrd sendmail[2371]: XAA02371: "debug" command from adsl-151-200-19-201.bellatlantic.net [151.200.19.201] (151.200.19.201)
> Apr 11 23:42:14 isrd sendmail[2371]: XAA02371: from=<scan at cerberus-infosec.co.uk>, size=0, class=0, pri=0, nrcpts=0, proto=SMTP, relay=adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
> Apr 11 23:43:03 isrd sendmail[2399]: XAA02399: from=root, size=42, class=0, pri=30042, nrcpts=1, msgid=<200004120343.XAA02399 at adsl-151-200-20-29.bellatlantic.net>, relay=root at localhost
> Apr 11 23:43:03 isrd sendmail[2407]: XAA02399: to=isos, ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, stat=Sent
>
> I now have the 151. zone in hosts.deny so don't expect to hear from this
> <expletive deleted> again--not from 151.200.19.201, at least. I think the
> other probes were repelled. Am I wrong? Here's some more log data:
>
> Mar 6 08:54:34 sajka login: LOGIN ON tty1 BY janina
> Mar 6 08:56:26 sajka login: ROOT LOGIN ON tty2
> Mar 6 15:10:07 sajka login: LOGIN ON tty3 BY janina
> Mar 7 06:54:54 sajka login: LOGIN ON tty1 BY janina
> Mar 7 06:55:04 sajka login: ROOT LOGIN ON tty2
> Mar 7 09:07:45 sajka login: LOGIN ON tty1 BY janina
> Mar 7 09:07:51 sajka login: ROOT LOGIN ON tty2
> Mar 7 12:14:45 sajka login: LOGIN ON tty3 BY janina
> Mar 7 13:54:46 sajka login: LOGIN ON tty1 BY janina
> Mar 7 13:54:53 sajka login: ROOT LOGIN ON tty2
> Mar 7 15:00:38 sajka login: LOGIN ON tty3 BY janina
> Mar 7 15:40:40 sajka login: LOGIN ON tty4 BY janina
> Mar 7 15:47:38 sajka login: LOGIN ON tty5 BY janina
> Mar 7 17:20:33 sajka in.ftpd[1238]: connect from 129.186.142.10
> Mar 7 17:23:09 sajka in.ftpd[1246]: connect from 129.186.142.10
> Mar 7 19:12:03 sajka login: ROOT LOGIN ON tty4
> Mar 7 19:42:41 sajka login: LOGIN ON tty1 BY janina
> Mar 7 19:48:20 sajka login: ROOT LOGIN ON tty2
> Mar 7 21:50:10 sajka login: LOGIN ON tty3 BY janina
> Mar 8 10:25:06 sajka in.ftpd[2083]: connect from 208.36.95.171
> Mar 8 16:28:43 sajka login: ROOT LOGIN ON tty4
> Mar 8 19:02:37 sajka login: LOGIN ON tty1 BY janina
> Mar 8 19:02:43 sajka login: ROOT LOGIN ON tty2
> Mar 8 19:50:53 sajka login: LOGIN ON tty3 BY janina
> Mar 8 19:55:29 sajka in.telnetd[997]: connect from 129.186.142.115
> Mar 8 19:55:53 sajka login: LOGIN ON 0 BY collins FROM gene4.cc.iastate.edu
> Mar 8 20:54:06 sajka login: ROOT LOGIN ON tty4
> Mar 8 20:54:51 sajka login: ROOT LOGIN ON tty6
> Mar 9 12:10:00 sajka login: ROOT LOGIN ON tty2
> Mar 9 12:14:44 sajka login: LOGIN ON tty1 BY janina
> Mar 9 12:49:07 sajka login: LOGIN ON tty3 BY janina
> Mar 9 14:05:17 sajka login: LOGIN ON tty5 BY janina
> Mar 9 15:02:26 sajka in.ftpd[1222]: connect from 208.36.95.171
> Mar 9 15:10:50 sajka in.ftpd[1245]: connect from 208.36.95.171
> Mar 9 15:22:22 sajka in.ftpd[1306]: connect from 208.36.95.171
> Mar 9 15:25:23 sajka in.ftpd[1313]: connect from 208.36.95.171
> Mar 9 15:28:12 sajka in.ftpd[1321]: connect from 208.36.95.171
> Mar 9 15:52:47 sajka login: ROOT LOGIN ON tty4
> Mar 9 19:16:38 sajka login: ROOT LOGIN ON tty2
> Mar 9 19:59:56 sajka login: LOGIN ON tty1 BY janina
> Mar 9 20:01:07 sajka in.telnetd[693]: refused connect from 208.36.95.171
> Mar 9 20:01:29 sajka in.ftpd[700]: refused connect from 208.36.95.171
> Mar 9 20:27:02 sajka login: LOGIN ON tty3 BY janina
> Mar 10 00:08:12 sajka login: LOGIN ON tty1 BY janina
> Mar 10 00:09:30 sajka in.telnetd[598]: connect from 208.36.95.171
> Mar 10 00:09:47 sajka login: LOGIN ON 0 BY janina FROM 208.36.95.171
> Mar 10 00:10:05 sajka in.ftpd[616]: connect from 208.36.95.171
> Mar 10 00:11:24 sajka login: ROOT LOGIN ON tty2
> Mar 10 01:20:20 sajka login: ROOT LOGIN ON tty4
> Mar 10 01:21:14 sajka login: ROOT LOGIN ON tty4
> Mar 10 01:24:16 sajka login: ROOT LOGIN ON tty4
> Mar 10 09:40:50 sajka login: LOGIN ON tty3 BY janina
> Mar 10 12:56:24 sajka login: LOGIN ON tty5 BY janina
> Mar 10 17:48:01 sajka login: ROOT LOGIN ON tty6
> Mar 10 18:11:19 sajka in.ftpd[3517]: connect from 63.224.68.2
> Mar 10 23:04:55 sajka login: ROOT LOGIN ON tty2
> Mar 11 11:46:09 sajka login: ROOT LOGIN ON tty2
> Mar 12 21:47:36 sajka login: ROOT LOGIN ON tty2
> Mar 12 21:56:09 sajka login: ROOT LOGIN ON tty4
> Mar 12 21:59:22 sajka login: ROOT LOGIN ON tty2
> Mar 12 22:00:02 sajka login: ROOT LOGIN ON tty2
> Mar 12 22:00:18 sajka login: LOGIN ON tty3 BY janina
> Mar 13 14:09:32 sajka login: LOGIN ON tty1 BY janina
> Mar 13 14:09:43 sajka login: ROOT LOGIN ON tty2
> Mar 13 15:22:58 sajka login: LOGIN ON tty3 BY janina
> Mar 13 15:50:40 sajka login: ROOT LOGIN ON tty2
> Mar 13 15:50:49 sajka login: LOGIN ON tty3 BY janina
> Mar 13 16:05:49 sajka login: LOGIN ON tty1 BY janina
> Mar 13 16:51:03 sajka login: ROOT LOGIN ON tty4
> Mar 13 17:08:33 sajka login: ROOT LOGIN ON tty2
> Mar 13 17:11:49 sajka login: ROOT LOGIN ON tty4
> Mar 13 17:13:21 sajka login: ROOT LOGIN ON tty2
> Mar 13 17:23:23 sajka login: LOGIN ON tty3 BY janina
> Mar 13 19:48:40 sajka login: ROOT LOGIN ON tty4
> Mar 13 20:04:42 sajka login: ROOT LOGIN ON tty2
> Mar 13 20:09:54 sajka login: LOGIN ON tty3 BY janina
> Mar 13 20:43:10 sajka login: LOGIN ON tty1 BY janina
> Mar 13 22:38:16 sajka login: ROOT LOGIN ON tty2
> Mar 13 22:45:48 sajka login: ROOT LOGIN ON tty2
> Mar 13 22:58:23 sajka login: LOGIN ON tty1 BY janina
> Mar 13 23:02:30 sajka login: LOGIN ON tty1 BY janina
> Mar 13 23:04:45 sajka login: ROOT LOGIN ON tty2
> Mar 13 23:14:27 sajka login: ROOT LOGIN ON tty4
> Mar 13 23:16:54 sajka login: ROOT LOGIN ON tty2
> Mar 14 09:16:17 sajka login: LOGIN ON tty1 BY janina
> Mar 14 09:33:12 sajka login: LOGIN ON tty3 BY janina
> Mar 14 11:54:00 sajka login: ROOT LOGIN ON tty2
> Mar 14 12:52:19 sajka login: LOGIN ON tty1 BY janina
> Mar 14 13:12:40 sajka login: LOGIN ON tty3 BY janina
> Mar 14 17:50:24 sajka login: ROOT LOGIN ON tty2
> Mar 14 23:45:13 sajka login: ROOT LOGIN ON tty2
> Mar 14 23:48:17 sajka login: LOGIN ON tty1 BY janina
> Mar 15 00:01:38 sajka login: ROOT LOGIN ON tty2
> Mar 15 00:20:13 sajka login: ROOT LOGIN ON tty2
> Mar 15 08:51:04 sajka login: LOGIN ON tty1 BY janina
> Mar 15 09:06:43 sajka login: ROOT LOGIN ON tty2
> Mar 15 11:26:39 sajka login: LOGIN ON tty1 BY janina
> Mar 15 11:26:58 sajka login: ROOT LOGIN ON tty2
> Mar 15 11:38:50 sajka login: LOGIN ON tty3 BY janina
> Mar 15 13:51:26 sajka login: LOGIN ON tty5 BY janina
> Mar 15 14:40:35 sajka login: ROOT LOGIN ON tty4
> Mar 16 19:45:36 sajka in.telnetd[4798]: connect from 63.224.68.1
> Mar 16 19:45:52 sajka login: LOGIN ON 0 BY wacker FROM 63.224.68.1
> Mar 17 09:39:00 sajka login: ROOT LOGIN ON tty2
> Mar 17 09:47:39 sajka login: LOGIN ON tty1 BY janina
> Mar 17 09:57:16 sajka login: LOGIN ON tty3 BY janina
> Mar 17 14:26:39 sajka login: ROOT LOGIN ON tty2
> Mar 17 14:29:34 sajka login: LOGIN ON tty1 BY janina
> Mar 17 14:29:39 sajka in.ftpd[655]: connect from 151.200.20.29
> Mar 17 15:39:46 sajka login: LOGIN ON tty3 BY janina
> Mar 17 17:16:43 sajka in.ftpd[1116]: connect from 63.224.68.2
> Mar 19 11:35:31 sajka in.telnetd[5291]: connect from 208.36.95.171
> Mar 19 11:36:11 sajka in.telnetd[5294]: connect from 208.36.95.171
> Mar 19 11:36:21 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Mar 19 12:02:51 sajka in.ftpd[5367]: connect from 208.36.95.171
> Mar 19 12:03:42 sajka in.telnetd[5369]: connect from 208.36.95.171
> Mar 19 12:04:00 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Mar 19 12:05:45 sajka in.ftpd[5388]: connect from 208.36.95.171
> Mar 20 02:44:02 sajka in.ftpd[6704]: connect from 24.5.204.126
> Mar 20 10:08:39 sajka in.telnetd[7479]: connect from 208.36.95.171
> Mar 20 10:09:00 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Mar 20 10:35:29 sajka in.telnetd[7541]: connect from 208.36.95.171
> Mar 20 10:35:57 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Mar 21 18:46:05 sajka in.telnetd[10963]: connect from 208.36.95.171
> Mar 21 18:46:32 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Mar 21 18:57:57 sajka in.ftpd[11010]: connect from 208.36.95.171
> Mar 21 22:14:09 sajka in.telnetd[11358]: connect from 208.36.95.171
> Mar 21 22:14:23 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Mar 21 22:21:31 sajka in.ftpd[11386]: connect from 208.36.95.171
> Mar 21 23:22:40 sajka in.ftpd[11504]: connect from 208.36.95.171
> Mar 21 23:25:27 sajka in.telnetd[11508]: connect from 208.36.95.171
> Mar 21 23:25:43 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Mar 22 01:21:34 sajka in.ftpd[11774]: connect from 208.36.95.171
> Mar 22 11:39:12 sajka in.telnetd[12797]: connect from 208.36.95.171
> Mar 22 11:39:27 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Mar 22 11:49:58 sajka in.telnetd[12830]: connect from 208.36.95.171
> Mar 22 11:50:08 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Mar 24 02:48:27 sajka in.telnetd[16851]: connect from 208.36.95.171
> Mar 24 02:48:41 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Mar 24 20:09:55 sajka in.telnetd[18793]: connect from 166.102.116.151
> Mar 24 20:09:55 sajka imapd[18794]: refused connect from 166.102.116.151
> Mar 24 20:09:55 sajka ipop3d[18795]: connect from 166.102.116.151
> Mar 24 20:09:55 sajka ipop3d[18795]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Mar 24 20:09:55 sajka in.ftpd[18802]: connect from 166.102.116.151
> Mar 24 20:09:56 sajka in.telnetd[18809]: connect from 166.102.116.151
> Mar 24 20:10:02 sajka ipop3d[18813]: connect from 166.102.116.151
> Mar 24 20:10:02 sajka ipop3d[18813]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Mar 24 20:10:05 sajka imapd[18814]: refused connect from 166.102.116.151
> Mar 24 20:36:12 sajka in.telnetd[18876]: connect from 208.36.95.171
> Mar 24 20:36:28 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Mar 27 01:24:55 sajka in.telnetd[24016]: connect from 208.36.95.171
> Mar 27 01:25:05 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Mar 29 13:48:15 sajka in.telnetd[31048]: connect from 208.36.95.171
> Mar 29 13:48:34 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Mar 30 00:36:36 sajka in.telnetd[32411]: connect from 208.36.95.171
> Mar 30 00:36:48 sajka login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Apr 1 11:41:54 sajka login: LOGIN ON tty1 BY janina
> Apr 1 12:26:49 sajka login: LOGIN ON tty3 BY janina
> Apr 1 14:06:21 sajka login: ROOT LOGIN ON tty2
> Apr 2 10:44:46 sajka login: ROOT LOGIN ON tty2
> Apr 2 11:10:18 sajka login: LOGIN ON tty1 BY janina
> Apr 2 11:17:44 sajka login: LOGIN ON tty3 BY janina
> Apr 2 14:35:35 sajka login: ROOT LOGIN ON tty4
> Apr 2 14:39:08 sajka login: ROOT LOGIN ON tty6
> Apr 2 15:57:55 sajka login: ROOT LOGIN ON tty1
> Apr 2 16:01:45 sajka login: LOGIN ON tty1 BY janina
> Apr 2 16:01:55 sajka login: ROOT LOGIN ON tty2
> Apr 2 16:05:33 sajka login: LOGIN ON tty3 BY janina
> Apr 2 16:33:56 sajka login: ROOT LOGIN ON tty4
> Apr 2 18:59:48 sajka login: LOGIN ON tty5 BY janina
> Apr 3 22:32:38 sajka login: LOGIN ON tty1 BY janina
> Apr 3 22:32:45 sajka login: ROOT LOGIN ON tty2
> Apr 3 22:39:55 sajka login: LOGIN ON tty1 BY janina
> Apr 3 22:40:00 sajka login: ROOT LOGIN ON tty2
> Apr 3 22:49:17 sajka login: LOGIN ON tty1 BY janina
> Apr 3 22:49:32 sajka login: ROOT LOGIN ON tty2
> Apr 4 09:59:28 sajka login: LOGIN ON tty3 BY janina
> Apr 4 10:42:12 sajka login: LOGIN ON tty1 BY janina
> Apr 4 10:42:20 sajka login: ROOT LOGIN ON tty2
> Apr 4 11:00:27 sajka login: ROOT LOGIN ON tty2
> Apr 4 11:31:07 sajka login: ROOT LOGIN ON tty1
> Apr 4 11:42:04 sajka login: ROOT LOGIN ON tty1
> Apr 4 11:55:03 sajka login: ROOT LOGIN ON tty1
> Apr 4 12:26:11 sajka login: ROOT LOGIN ON tty1
> Apr 4 13:13:07 sajka login: ROOT LOGIN ON tty1
> Apr 4 14:27:25 sajka login: LOGIN ON tty1 BY janina
> Apr 4 15:21:25 sajka login: ROOT LOGIN ON tty2
> Apr 4 16:04:16 sajka login: ROOT LOGIN ON tty4
> Apr 4 16:14:24 sajka login: LOGIN ON tty3 BY janina
> Apr 4 17:07:20 sajka login: LOGIN ON tty1 BY janina
> Apr 4 17:07:40 sajka login: ROOT LOGIN ON tty2
> Apr 4 17:18:27 sajka login: LOGIN ON tty3 BY janina
> Apr 4 17:22:18 sajka login: ROOT LOGIN ON tty4
> Apr 4 19:00:02 sajka login: LOGIN ON tty5 BY janina
> Apr 4 19:07:32 sajka login: ROOT LOGIN ON tty4
> Apr 4 19:54:41 sajka login: ROOT LOGIN ON tty2
> Apr 4 22:13:27 sajka login: ROOT LOGIN ON tty2
> Apr 5 08:47:17 sajka login: LOGIN ON tty1 BY janina
> Apr 5 08:47:28 sajka login: ROOT LOGIN ON tty2
> Apr 5 10:23:27 sajka login: LOGIN ON tty1 BY janina
> Apr 5 10:23:32 sajka login: ROOT LOGIN ON tty2
> Apr 5 13:15:52 sajka login: ROOT LOGIN ON tty4
> Apr 5 13:36:53 sajka login: LOGIN ON tty1 BY janina
> Apr 5 13:37:03 sajka login: ROOT LOGIN ON tty2
> Apr 5 13:39:06 sajka login: LOGIN ON tty3 BY janina
> Apr 5 13:40:10 sajka login: ROOT LOGIN ON tty4
> Apr 5 18:15:41 sajka login: ROOT LOGIN ON tty1
> Apr 5 18:31:45 sajka login: ROOT LOGIN ON tty1
> Apr 5 19:28:25 sajka login: ROOT LOGIN ON tty2
> Apr 5 19:45:50 sajka login: LOGIN ON tty1 BY janina
> Apr 5 21:23:25 sajka login: ROOT LOGIN ON tty1
> Apr 5 22:08:29 sajka login: ROOT LOGIN ON tty1
> Apr 5 22:47:32 sajka login: ROOT LOGIN ON tty1
> Apr 5 23:05:35 sajka login: ROOT LOGIN ON tty1
> Apr 6 01:06:24 sajka login: ROOT LOGIN ON tty1
> Apr 6 09:56:37 sajka login: ROOT LOGIN ON tty1
> Apr 6 11:00:59 sajka login: ROOT LOGIN ON tty1
> Apr 6 11:02:48 sajka login: LOGIN ON tty2 BY janina
> Apr 6 13:31:12 sajka login: ROOT LOGIN ON tty1
> Apr 6 14:09:19 sajka login: ROOT LOGIN ON tty2
> Apr 6 16:41:56 sajka login: ROOT LOGIN ON tty1
> Apr 6 20:33:13 sajka login: ROOT LOGIN ON tty1
> Apr 6 20:41:11 sajka login: ROOT LOGIN ON tty1
> Apr 6 20:53:08 sajka login: ROOT LOGIN ON tty2
> Apr 6 23:16:54 sajka login: ROOT LOGIN ON tty1
> Apr 6 23:58:48 sajka login: ROOT LOGIN ON tty1
> Apr 7 01:02:49 sajka login: ROOT LOGIN ON tty1
> Apr 7 01:29:05 sajka login: ROOT LOGIN ON tty1
> Apr 7 01:33:15 sajka login: ROOT LOGIN ON tty1
> Apr 7 01:39:22 sajka login: ROOT LOGIN ON tty1
> Apr 7 01:43:50 sajka login: LOGIN ON tty1 BY janina
> Apr 7 01:44:56 sajka login: ROOT LOGIN ON tty2
> Apr 7 09:56:48 sajka login: ROOT LOGIN ON tty2
> Apr 7 09:57:47 sajka login: LOGIN ON tty1 BY janina
> Apr 7 09:58:11 sajka login: ROOT LOGIN ON tty2
> Apr 7 10:04:15 sajka login: LOGIN ON tty1 BY janina
> Apr 7 10:05:37 sajka login: LOGIN ON tty1 BY janina
> Apr 7 10:07:38 sajka login: ROOT LOGIN ON tty2
> Apr 7 10:10:32 sajka login: LOGIN ON tty1 BY janina
> Apr 7 13:19:51 sajka login: ROOT LOGIN ON tty2
> Apr 7 13:22:26 sajka login: LOGIN ON tty1 BY janina
> Apr 7 16:23:09 sajka login: LOGIN ON tty3 BY janina
> Apr 7 16:26:39 sajka login: ROOT LOGIN ON tty2
> Apr 7 17:53:30 sajka login: ROOT LOGIN ON tty4
> Apr 7 18:39:54 sajka login: LOGIN ON tty1 BY janina
> Apr 7 18:40:21 sajka login: ROOT LOGIN ON tty2
> Apr 7 20:46:48 sajka in.telnetd[1401]: connect from 192.168.1.239
> Apr 7 22:45:53 sajka ipop3d[2234]: connect from 192.168.1.250
> Apr 7 22:45:53 sajka ipop3d[2234]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 22:45:58 sajka ipop3d[2235]: connect from 192.168.1.250
> Apr 7 22:45:58 sajka ipop3d[2235]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 22:46:03 sajka ipop3d[2237]: connect from 192.168.1.250
> Apr 7 22:46:03 sajka ipop3d[2237]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 22:51:08 sajka ipop3d[2264]: connect from 192.168.1.250
> Apr 7 22:51:08 sajka ipop3d[2264]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 22:51:13 sajka ipop3d[2265]: connect from 192.168.1.250
> Apr 7 22:51:13 sajka ipop3d[2265]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 22:51:18 sajka ipop3d[2266]: connect from 192.168.1.250
> Apr 7 22:51:18 sajka ipop3d[2266]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 22:56:23 sajka ipop3d[2405]: connect from 192.168.1.250
> Apr 7 22:56:23 sajka ipop3d[2405]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 22:56:28 sajka ipop3d[2406]: connect from 192.168.1.250
> Apr 7 22:56:28 sajka ipop3d[2406]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 22:56:33 sajka ipop3d[2407]: connect from 192.168.1.250
> Apr 7 22:56:33 sajka ipop3d[2407]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 23:01:38 sajka ipop3d[2432]: connect from 192.168.1.250
> Apr 7 23:01:38 sajka ipop3d[2432]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 23:01:43 sajka ipop3d[2433]: connect from 192.168.1.250
> Apr 7 23:01:43 sajka ipop3d[2433]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 23:01:48 sajka ipop3d[2434]: connect from 192.168.1.250
> Apr 7 23:01:48 sajka ipop3d[2434]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 23:06:53 sajka ipop3d[2441]: connect from 192.168.1.250
> Apr 7 23:06:53 sajka ipop3d[2441]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 23:06:58 sajka ipop3d[2442]: connect from 192.168.1.250
> Apr 7 23:06:58 sajka ipop3d[2442]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 23:07:03 sajka ipop3d[2443]: connect from 192.168.1.250
> Apr 7 23:07:03 sajka ipop3d[2443]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 23:12:08 sajka ipop3d[2461]: connect from 192.168.1.250
> Apr 7 23:12:08 sajka ipop3d[2461]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 23:12:13 sajka ipop3d[2463]: connect from 192.168.1.250
> Apr 7 23:12:13 sajka ipop3d[2463]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 23:12:18 sajka ipop3d[2464]: connect from 192.168.1.250
> Apr 7 23:12:18 sajka ipop3d[2464]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 23:17:23 sajka ipop3d[2492]: connect from 192.168.1.250
> Apr 7 23:17:23 sajka ipop3d[2492]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 23:17:28 sajka ipop3d[2493]: connect from 192.168.1.250
> Apr 7 23:17:28 sajka ipop3d[2493]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 7 23:17:33 sajka ipop3d[2494]: connect from 192.168.1.250
> Apr 7 23:17:33 sajka ipop3d[2494]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 8 00:02:09 sajka login: LOGIN ON tty3 BY janina
> Apr 8 00:39:49 adsl-151-200-20-29 login: ROOT LOGIN ON tty1
> Apr 8 02:36:27 adsl-151-200-20-29 in.telnetd[1033]: connect from 208.166.24.190
> Apr 8 10:51:22 adsl-151-200-20-29 login: LOGIN ON tty1 BY janina
> Apr 8 11:39:21 adsl-151-200-20-29 login: LOGIN ON tty3 BY janina
> Apr 8 11:39:45 adsl-151-200-20-29 login: ROOT LOGIN ON tty2
> Apr 8 11:51:11 adsl-151-200-20-29 login: ROOT LOGIN ON tty2
> Apr 8 11:59:26 adsl-151-200-20-29 login: LOGIN ON tty3 BY janina
> Apr 8 12:05:51 adsl-151-200-20-29 login: LOGIN ON tty3 BY janina
> Apr 8 12:07:26 adsl-151-200-20-29 login: LOGIN ON tty3 BY janina
> Apr 8 12:40:56 adsl-151-200-20-29 login: ROOT LOGIN ON tty2
> Apr 8 13:20:49 adsl-151-200-20-29 login: ROOT LOGIN ON tty4
> Apr 8 13:29:21 adsl-151-200-20-29 login: ROOT LOGIN ON tty4
> Apr 8 16:34:18 adsl-151-200-20-29 login: ROOT LOGIN ON tty2
> Apr 8 16:48:36 adsl-151-200-20-29 login: ROOT LOGIN ON tty2
> Apr 8 17:06:34 adsl-151-200-20-29 login: ROOT LOGIN ON tty4
> Apr 9 15:46:59 adsl-151-200-20-29 login: ROOT LOGIN ON tty1
> Apr 9 17:01:02 adsl-151-200-20-29 login: ROOT LOGIN ON tty1
> Apr 9 17:01:23 adsl-151-200-20-29 in.telnetd[8511]: connect from 192.168.1.253
> Apr 9 17:18:07 isrd login: ROOT LOGIN ON tty2
> Apr 9 17:58:30 isrd login: LOGIN ON tty3 BY janina
> Apr 9 19:15:31 isrd in.telnetd[1315]: connect from 192.168.1.239
> Apr 9 19:18:17 isrd in.telnetd[1322]: connect from 192.168.1.239
> Apr 9 19:18:22 isrd login: LOGIN ON 0 BY janina FROM 192.168.1.239
> Apr 9 19:58:28 isrd login: ROOT LOGIN ON tty2
> Apr 9 20:25:06 isrd in.ftpd[1022]: connect from 192.168.1.239
> Apr 9 20:25:53 isrd in.ftpd[1023]: connect from 192.168.1.239
> Apr 9 20:35:36 isrd in.ftpd[1135]: connect from 192.168.1.239
> Apr 9 21:32:13 isrd in.ftpd[1699]: connect from 192.168.1.239
> Apr 9 21:33:46 isrd in.ftpd[1701]: connect from 192.168.1.239
> Apr 9 21:34:52 isrd in.ftpd[1703]: connect from 192.168.1.239
> Apr 9 21:46:05 isrd login: ROOT LOGIN ON tty2
> Apr 9 21:47:34 isrd in.ftpd[881]: connect from 208.36.95.171
> Apr 9 21:48:30 isrd login: ROOT LOGIN ON tty4
> Apr 9 21:50:15 isrd in.ftpd[909]: connect from 208.36.95.171
> Apr 9 21:57:00 isrd in.ftpd[991]: connect from 208.36.95.171
> Apr 9 22:02:33 isrd in.ftpd[1008]: connect from 192.168.1.239
> Apr 9 22:12:23 isrd login: ROOT LOGIN ON tty2
> Apr 9 22:43:05 isrd login: LOGIN ON tty1 BY janina
> Apr 10 10:18:03 isrd login: ROOT LOGIN ON tty2
> Apr 10 10:21:14 isrd login: LOGIN ON tty1 BY janina
> Apr 10 11:28:07 isrd login: LOGIN ON tty3 BY janina
> Apr 10 11:35:17 isrd login: LOGIN ON tty1 BY janina
> Apr 10 11:35:25 isrd login: ROOT LOGIN ON tty2
> Apr 10 11:38:27 isrd login: LOGIN ON tty3 BY janina
> Apr 10 11:44:55 isrd login: ROOT LOGIN ON tty4
> Apr 10 13:15:20 isrd login: ROOT LOGIN ON tty2
> Apr 10 13:22:39 isrd login: LOGIN ON tty1 BY janina
> Apr 10 13:25:16 isrd login: LOGIN ON tty3 BY janina
> Apr 10 13:38:26 isrd login: ROOT LOGIN ON tty4
> Apr 10 14:16:54 isrd login: LOGIN ON tty1 BY janina
> Apr 10 14:54:31 isrd login: LOGIN ON tty1 BY janina
> Apr 10 15:05:41 isrd login: LOGIN ON tty1 BY janina
> Apr 10 15:06:49 isrd login: ROOT LOGIN ON tty2
> Apr 10 15:12:39 isrd login: ROOT LOGIN ON tty2
> Apr 10 15:13:39 isrd login: ROOT LOGIN ON tty2
> Apr 10 16:17:08 isrd login: ROOT LOGIN ON tty4
> Apr 10 16:17:17 isrd login: LOGIN ON tty3 BY janina
> Apr 10 18:00:08 isrd login: ROOT LOGIN ON tty2
> Apr 10 18:27:18 isrd login: LOGIN ON tty1 BY janina
> Apr 10 18:53:23 isrd login: ROOT LOGIN ON tty2
> Apr 10 18:58:47 isrd login: LOGIN ON tty1 BY janina
> Apr 10 18:59:57 isrd login: LOGIN ON tty3 BY janina
> Apr 10 19:55:15 isrd login: ROOT LOGIN ON tty1
> Apr 10 22:30:26 isrd login: LOGIN ON tty1 BY janina
> Apr 10 22:30:58 isrd login: ROOT LOGIN ON tty2
> Apr 10 23:46:42 isrd login: LOGIN ON tty3 BY janina
> Apr 11 11:28:37 isrd login: LOGIN ON tty1 BY janina
> Apr 11 16:40:58 isrd login: ROOT LOGIN ON tty4
> Apr 11 18:34:27 isrd login: LOGIN ON tty5 BY janina
> Apr 11 19:13:20 isrd login: ROOT LOGIN ON tty2
> Apr 11 19:15:16 isrd login: LOGIN ON tty1 BY janina
> Apr 11 19:30:08 isrd in.telnetd[935]: connect from 208.36.95.171
> Apr 11 19:30:30 isrd login: LOGIN ON 0 BY janina FROM w171.z208036095.nyc-ny.dsl.cnc.net
> Apr 11 20:29:50 isrd in.telnetd[1194]: connect from 63.224.68.2
> Apr 11 20:36:56 isrd in.ftpd[1229]: connect from 192.168.1.239
> Apr 11 20:58:13 isrd login: ROOT LOGIN ON tty4
> Apr 11 20:59:38 isrd login: ROOT LOGIN ON tty4
> Apr 11 21:32:23 isrd login: ROOT LOGIN ON tty2
> Apr 11 21:36:47 isrd login: ROOT LOGIN ON tty2
> Apr 11 21:51:16 isrd login: ROOT LOGIN ON tty2
> Apr 11 22:12:26 isrd in.ftpd[1984]: connect from 192.168.1.239
> Apr 11 22:29:59 isrd in.ftpd[2004]: connect from 192.168.1.239
> Apr 11 22:50:37 isrd login: ROOT LOGIN ON tty4
> Apr 11 23:25:22 isrd login: LOGIN ON tty1 BY janina
> Apr 11 23:40:23 isrd ipop3d[2300]: connect from 151.200.19.201
> Apr 11 23:40:23 isrd ipop3d[2300]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
> Apr 11 23:40:23 isrd in.fingerd[2306]: connect from 151.200.19.201
> Apr 11 23:42:01 isrd in.ftpd[2363]: connect from 151.200.19.201
> Apr 11 23:42:24 isrd in.ftpd[2373]: connect from 151.200.19.201
>
> And another version of the facts, just the facts:
>
> Apr 11 23:40:23 isrd portmap[2303]: connect from 151.200.19.201 to dump(): request from unauthorized host
> Apr 12 03:40:51 isrd ftpd[2298]: refused PORT 199.199.199.199,2570 from adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
> Apr 11 23:42:13 isrd sendmail[2368]: NOQUEUE: "wiz" command from adsl-151-200-19-201.bellatlantic.net [151.200.19.201] (151.200.19.201)
> Apr 11 23:42:14 isrd sendmail[2371]: XAA02371: "debug" command from adsl-151-200-19-201.bellatlantic.net [151.200.19.201] (151.200.19.201)
> Apr 11 23:42:45 isrd PAM-securetty[2377]: Error opening /etc/securetty
>
> And, finally:
>
> Apr 11 23:40:23 isrd portmap[2303]: connect from 151.200.19.201 to dump(): request from unauthorized host
> Apr 12 03:40:51 isrd ftpd[2298]: ANONYMOUS FTP LOGIN FROM adsl-151-200-19-201.bellatlantic.net [151.200.19.201], cis at security.check
> Apr 12 03:40:51 isrd ftpd[2298]: refused PORT 199.199.199.199,2570 from adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
> Apr 12 03:40:51 isrd ftpd[2298]: FTP session closed
> Apr 12 03:42:01 isrd ftpd[2363]: ANONYMOUS FTP LOGIN FROM adsl-151-200-19-201.bellatlantic.net [151.200.19.201], IE40user@
> Apr 12 03:42:24 isrd ftpd[2373]: ANONYMOUS FTP LOGIN FROM adsl-151-200-19-201.bellatlantic.net [151.200.19.201], IE40user@
> Apr 12 03:48:27 isrd ftpd[2373]: lost connection to adsl-151-200-19-201.bellatlantic.net [151.200.19.201]
> Apr 12 03:48:27 isrd ftpd[2373]: FTP session closed
>
> That's right. They came back four hours later to poke around in person via
> anonymous ftp. What did they want? How about a file with the net address
> for about a dozen time servers? <grin>
>
> Wed Apr 12 03:42:25 2000 1 adsl-151-200-19-201.bellatlantic.net 562 /home/ftp/pub/misc/ntp-servers.txt b _ o a IE40user@ ftp 0 * c
>
> So, if I'm crowing any, it's thanks to the great Bastille scripts. I would
> not have known enough to have plugged all of these holes myself yet. And,
> I'd be a very unhappy camper had I not used Bastille.
>
> Thanks, Peter, and the rest of y'all. --
>
> Janina Sajka, Director
> Information Systems Research & Development
> American Foundation for the Blind (AFB)
>
> janina at afb.net
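Triage of the excerpts quoted above, as an added example in Python (not code from either poster): it classifies each maillog, syslog and xferlog line by outcome and groups the results by source, so "what was refused and what actually got through" is read off the log rather than guessed. The only assumption beyond the quoted lines is the wu-ftpd xferlog field layout, which the record above follows.

```python
"""Triage of the maillog, syslog and xferlog excerpts quoted in the post above.
Added example, not code from either poster: each line becomes recon (logged), a
refused attempt, or a completed action, grouped by source, so the outcome of a
probe is read off the log instead of guessed. Sample lines are from the post."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

IP = r"\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"  # bare or bracketed address

# (pattern, category, outcome); the first matching rule wins.
RULES = [
    # VRFY/EXPN are account enumeration; sendmail logs them under NOQUEUE.
    (rf"sendmail\[\d+\]: NOQUEUE: \S+ {IP}: (?P<what>vrfy|expn) \S+", "smtp-recon", "logged"),
    # check_rcpt turned the third-party relay away with 551.
    (rf"sendmail\[\d+\]: \S+: ruleset=check_rcpt, .*relay=\S+ {IP}, reject=551", "smtp-relay", "refused"),
    # '|program' as sender or recipient (the old pipe-to-shell trick) is refused.
    (rf"sendmail\[\d+\]: \S+: setsender: \|(?P<what>[^:]+): invalid or unparseable, received from \S+ {IP}", "smtp-pipe", "refused"),
    (rf"sendmail\[\d+\]: \S+: \|(?P<what>\S+)\.\.\. Cannot mail directly to programs", "smtp-pipe", "refused"),
    # WIZ and DEBUG: sendmail 8.x logs them and answers with a 500 error.
    (rf'sendmail\[\d+\]: .*"(?P<what>wiz|debug)" command from \S+ {IP}', "smtp-legacy-cmd", "refused"),
    (rf"ftpd\[\d+\]: ANONYMOUS FTP LOGIN FROM \S+ {IP}, (?P<what>.*)", "ftp-anon-login", "completed"),
    # PORT to a third-party address is an FTP bounce attempt; the daemon refused it.
    (rf"ftpd\[\d+\]: refused PORT (?P<what>\S+) from \S+ {IP}", "ftp-bounce", "refused"),
    (rf"portmap\[\d+\]: connect from {IP} to (?P<what>\w+)\(\): request from unauthorized host", "portmap", "refused"),
    # tcp_wrappers (hosts.deny) refusal for any inetd-spawned service.
    (rf"(?P<what>\S+)\[\d+\]: refused connect from {IP}", "tcpwrap", "refused"),
]
COMPILED = [(re.compile(p), c, o) for p, c, o in RULES]

@dataclass
class Event:
    source: str    # IP address (syslog) or remote host (xferlog)
    category: str
    outcome: str   # logged | refused | completed | incomplete
    detail: str

def parse_xferlog(line: str) -> Optional[Event]:
    """wu-ftpd xferlog record: 18 whitespace-separated fields ending in the completion flag."""
    f = line.split()
    if len(f) != 18 or f[11] not in ("o", "i", "d") or f[12] not in ("a", "g", "r") or f[17] not in ("c", "i"):
        return None
    direction = {"o": "download", "i": "upload", "d": "delete"}[f[11]]
    access = {"a": "anonymous", "g": "guest", "r": "real"}[f[12]]
    detail = f"{direction} {f[8]} ({f[7]} bytes) as {access} user {f[13]}"
    return Event(f[6], "ftp-transfer", "completed" if f[17] == "c" else "incomplete", detail)

def parse_line(line: str) -> Optional[Event]:
    """Classify one log line; routine lines (console logins, plain connects) give None."""
    for rx, category, outcome in COMPILED:
        m = rx.search(line)
        if m:
            g = m.groupdict()
            return Event(g.get("ip") or "(no address logged)", category, outcome, g.get("what", ""))
    return parse_xferlog(line)

def triage(lines) -> Dict[str, List[Event]]:
    """Group every recognised event by its source."""
    by_source: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_source[ev.source].append(ev)
    return dict(by_source)

# Sample input copied from the quoted post; the last entry is the xferlog record.
SAMPLE = [
    "Apr 11 23:40:23 isrd portmap[2303]: connect from 151.200.19.201 to dump(): request from unauthorized host",
    "Apr 11 23:40:51 isrd sendmail[2358]: NOQUEUE: adsl-151-200-19-201.bellatlantic.net [151.200.19.201]: vrfy root",
    "Apr 11 23:40:51 isrd sendmail[2360]: NOQUEUE: adsl-151-200-19-201.bellatlantic.net [151.200.19.201]: expn decode",
    "Apr 11 23:42:13 isrd sendmail[2361]: XAA02361: ruleset=check_rcpt, arg1=<scan at cerberus-infosec.co.uk>, relay=adsl-151-200-19-201.bellatlantic.net [151.200.19.201], reject=551 we do not relay",
    "Apr 11 23:42:13 isrd sendmail[2369]: XAA02369: setsender: |root: invalid or unparseable, received from adsl-151-200-19-201.bellatlantic.net [151.200.19.201]",
    'Apr 11 23:42:13 isrd sendmail[2368]: NOQUEUE: "wiz" command from adsl-151-200-19-201.bellatlantic.net [151.200.19.201] (151.200.19.201)',
    "Apr 11 23:42:14 isrd sendmail[2371]: XAA02371: |cisscan... Cannot mail directly to programs",
    'Apr 11 23:42:14 isrd sendmail[2371]: XAA02371: "debug" command from adsl-151-200-19-201.bellatlantic.net [151.200.19.201] (151.200.19.201)',
    "Apr 12 03:40:51 isrd ftpd[2298]: ANONYMOUS FTP LOGIN FROM adsl-151-200-19-201.bellatlantic.net [151.200.19.201], cis at security.check",
    "Apr 12 03:40:51 isrd ftpd[2298]: refused PORT 199.199.199.199,2570 from adsl-151-200-19-201.bellatlantic.net [151.200.19.201]",
    "Mar 9 20:01:07 sajka in.telnetd[693]: refused connect from 208.36.95.171",
    "Apr 11 19:13:20 isrd login: ROOT LOGIN ON tty2",
    "Wed Apr 12 03:42:25 2000 1 adsl-151-200-19-201.bellatlantic.net 562 /home/ftp/pub/misc/ntp-servers.txt b _ o a IE40user@ ftp 0 * c",
]

if __name__ == "__main__":
    for source, events in triage(SAMPLE).items():
        print(source, *(f"\n  {e.outcome:9} {e.category} {e.detail}" for e in events))
```

Run against the sample, the only "completed" entries from 151.200.19.201 are the anonymous FTP logins and the 562-byte download of ntp-servers.txt; everything else was refused or merely logged.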
More information about the Speakup mailing list