
suspicious connections



I have a stand-alone machine, with dialup ppp connection (using diald).  I
think someone was trying to hack me today, and I'd like advice on how to find
out whether they succeeded, and what to do about it.  I'd also appreciate
suggestions on the easiest way to prevent, or at least monitor, such activity
in the future.

Here's what I saw.  I noticed something when diald was keeping the link up
unexpectedly.  I found the following in the diald packet queue:

ttl 14, 1 - 164.58.201.227/257 => 207.244.200.40/257 (tcp state ([0,0] 0,0))
ttl 104, 17 - 164.58.201.227/28800 => 207.244.200.40/28800 (tcp state ([0,0] 0,0))

The destination address (207.244.200.40) was me.  Running host on the source
address produced:

  Name: line-1.Duncan.dialup.onenet.net
  Address: 164.58.201.227

which is totally unfamiliar to me.

I looked in /etc/services for tcp port 257, but there was no listing.  Is
there an allowed use for that port?

I also thought it odd that both source and destination ports were the same,
and that a host had apparently initiated a connection to my machine on a
non-well-known port.

Is there any way to tell if these connections really succeeded, and if so what
they did?  I looked in various files in /var/log, but didn't see anything
unusual.  The only security service I'm running is courtney, though I've never
quite figured out what it looks for, or where it reports what it finds.

Thanks for any help.

--
David Zelinsky
dsz@alumni.caltech.edu
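One way to triage queue lines like the two quoted above, as an added example that is not part of the original post: it parses the diald format shown and flags inbound packets aimed at ports absent from a services table, source/destination port pairs that match, and non-TCP protocol numbers. It assumes the number after the ttl is the IP protocol number (1 = ICMP, 17 = UDP), and the services table is a constructed stand-in for /etc/services.

```python
import re

# Constructed sample in the diald packet-queue format quoted in the post.
SAMPLE_LINES = [
    "ttl 14, 1 - 164.58.201.227/257 => 207.244.200.40/257 (tcp state ([0,0] 0,0))",
    "ttl 104, 17 - 164.58.201.227/28800 => 207.244.200.40/28800 (tcp state ([0,0] 0,0))",
]

LOCAL_ADDRESS = "207.244.200.40"  # the dialup address named in the post

# Constructed stand-in for /etc/services, keyed by (protocol, port).
KNOWN_SERVICES = {("tcp", 22): "ssh", ("tcp", 25): "smtp", ("udp", 53): "domain"}

# Assumption: the field after "ttl N," is the IP protocol number (IANA values).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

LINE_RE = re.compile(r"ttl (\d+), (\d+) - ([\d.]+)/(\d+) => ([\d.]+)/(\d+)")


def parse_line(line):
    """Return a dict for one queue line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ttl, proto, src, sport, dst, dport = m.groups()
    return {"ttl": int(ttl), "proto": PROTO_NAMES.get(int(proto), proto),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def flags_for(entry, local=LOCAL_ADDRESS, services=KNOWN_SERVICES):
    """Flag the properties the post found odd: inbound, unlisted port, equal ports."""
    flags = []
    if entry["dst"] == local:
        flags.append("inbound")
        if (entry["proto"], entry["dport"]) not in services:
            flags.append("unlisted-port")
    if entry["sport"] == entry["dport"]:
        flags.append("same-ports")
    if entry["proto"] != "tcp":
        flags.append("non-tcp")  # no TCP handshake, so no "connection" to complete
    return flags


def triage(lines):
    """Summarise each parseable line as (source, protocol, dest port, flags)."""
    return [(e["src"], e["proto"], e["dport"], flags_for(e))
            for e in map(parse_line, lines) if e]


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```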