
Re: telnet break-in



Hi Serge Delorme; unless Mutt is confused, you wrote:
> I only have a simple dial-out PPP connection from my ISP.
> I'm still on a Bo system with shadow passwords enabled.
> Two days ago I saw this message from my xconsole:
> 
> Aug 20 10:19:56 ordino in.telnetd[349]: connect from ppp-014.m4-1.mtl.ican.net
> Aug 20 10:20:01 ordino telnetd[349]: ttloop:  peer died: Success
> 
> I understand the first line; somebody requested a telnet session from my
> system. The second one I'm not sure...who cut the connection, the other side
> or my system?
> 
> To this date I did not really care about security, I'm the only user and I'm on
> line for short periods, but now I'm getting a little panicked...is Bo
> security ok or should/can I do more? Do I have to deny requests for telnet and ftp
> sessions or is on by default?
> 
> Paranoid.
>

It is interesting that a similar thing happened to me yesterday. I'm running a
fully stable hamm system, and this is the first time something like that
has happened. My syslog file shows this:

Aug 22 15:10:41 camelot in.telnetd[1709]: connect from 1Cust35.tnt15.tco2.da.uu.net
Aug 22 15:10:42 camelot telnetd[1709]: ttloop:  peer died: Invalid or incomplete multibyte or wide character
 

I tried pinging the above host right after that and it returned the IP
address 153.36.2.35. Does anyone know how I can get the actual site name from
this? Like the original poster, my connection is PPP dial-up through a very good
ISP, and I haven't had this happen before...
Any clarification, help or opinions welcome.

damir

