
Re: breakin help



On Sun, Sep 12, 2004 at 02:19:47AM -0400, Kevin Mark wrote:
> Hi D-U,
> a day ago, I had a problem with su-ing to root. I checked out my auth.log and
> found strange activity. I have a basic ipchains script and run apache
> and sshd on a dialup connection. Consult:
> http://kmark.home.pipeline.com/breakin.txt
> as I did not want to overload the list.
> Somehow someone broke in using ssh. Is there some way I can fix this?

I don't think you have much cause for concern.

From what I've heard, one of the first things any cracker does is to
stop syslog and remove all traces of getting in.

To be on the safe side you might want to integrity-check your system.
Debian packages have md5sums for all files; dunno if a program exists to
download the installed packages from the apt archive and check the
md5sums against what's really on your disk...

Note the IP!
   66.235.201.44

~ %% whois 66.235.201.44

OrgName:    iPowerWeb, Inc. 
OrgID:      IPOWE
Address:    2800 28th Street Suite 205
City:       Santa Monica
StateProv:  CA
PostalCode: 90405
Country:    US

NetRange:   66.235.192.0 - 66.235.223.255 
CIDR:       66.235.192.0/19 
NetName:    IPOWERWEB-NET
NetHandle:  NET-66-235-192-0-1
Parent:     NET-66-0-0-0-0
NetType:    Direct Allocation
NameServer: RDNS1.IPOWERWEB.NET
NameServer: RDNS2.IPOWERWEB.NET
Comment:    
RegDate:    2003-07-07
Updated:    2004-07-02

OrgTechHandle: PMA9-ARIN
OrgTechName:   Marcus, Philip 
OrgTechPhone:  +1-310-314-1606
OrgTechEmail:  pmarcus@ipowerweb.com

# ARIN WHOIS database, last updated 2004-09-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
You have mail in /var/mail/stefan
~ %% 

You should email all relevant stuff to them.

-- 
The world's most effective spam filter:
        ln -sf /dev/full /var/mail/$USER
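The md5sums check suggested in the reply above, as an added example that is not part of the original post: a POSIX sh script that reads the per-package md5sums lists dpkg keeps under /var/lib/dpkg/info (a real path) and reports files that are missing or changed. The package list and files it checks here are a constructed fixture built in a temporary directory, so it runs offline.

```shell
# Added example (not from the original post): check files on disk against the
# per-package lists dpkg keeps in /var/lib/dpkg/info/<package>.md5sums, whose
# lines read "<md5>  <path relative to />". Caveat: an intruder with root can
# edit those lists too, so a clean result is only as trustworthy as the lists.

# verify_md5sums <md5sums-file> <root-dir>: prints MISSING/MODIFIED lines, returns count
verify_md5sums() {
    list=$1; root=${2:-/}; bad=0
    while read -r sum path; do
        [ -n "$sum" ] || continue
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING   $path"; bad=$((bad + 1))
        elif [ "$(md5sum < "$f" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED  $path"; bad=$((bad + 1))
        fi
    done < "$list"
    return "$bad"
}

# verify_all <dpkg-info-dir> <root-dir>: every package list; returns 1 if any file failed
verify_all() {
    failed=0
    for list in "$1"/*.md5sums; do
        [ -e "$list" ] || continue
        verify_md5sums "$list" "$2" || failed=1
    done
    return "$failed"
}

# Constructed fixture (not real package data): a fake info dir and root in which
# sshd was tampered with after the list was written and scp was deleted.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/info" "$d/root/usr/sbin" "$d/root/etc/ssh"
    printf 'original sshd binary\n' > "$d/root/usr/sbin/sshd"
    printf 'Port 22\n' > "$d/root/etc/ssh/sshd_config"
    {
        printf '%s  usr/sbin/sshd\n' "$(md5sum < "$d/root/usr/sbin/sshd" | cut -d' ' -f1)"
        printf '%s  etc/ssh/sshd_config\n' "$(md5sum < "$d/root/etc/ssh/sshd_config" | cut -d' ' -f1)"
        printf '%s  usr/bin/scp\n' d41d8cd98f00b204e9800998ecf8427e
    } > "$d/info/ssh.md5sums"
    printf 'trojaned sshd binary\n' > "$d/root/usr/sbin/sshd"
    echo "$d"
}

# On a real Debian box: verify_all /var/lib/dpkg/info /   (as root, from a trusted shell)
fx=$(make_fixture)
verify_all "$fx/info" "$fx/root" && echo "all package files intact" || echo "integrity check FAILED"
```

Run it from a boot medium or a known-good binary set where possible, since a modified md5sum or sh on the compromised host can lie about its own files.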
