Date: Mon, 25 Nov 2002 16:32:48 -0600
From: "Mike Loiterman" <mloiterman@ameritech.net>
To: <freebsd-questions@FreeBSD.ORG>
Subject: Cracker attack...is my system compromised?
Message-ID: <005c01c294d2$977fe6e0$0302a8c0@mike>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

First, I'm sending this from a mail account that is not subscribed to the list, so please cc me. I'm doing this because my mail server runs off of a dynamic IP address via DNS2GO. AT&T recently changed my dynamic IP that I had had for over a year to a new one. The top level DNS servers have not caught up with this change yet. The result is bounced mail to *@freebsd.org because of a failure to resolve a reverse hostname lookup.

On to my question: the past few days have seen some strange activity in my log files.

11/25/2002 Security Report:

25 02:14:46 fat_man sendmail[16217]: gAP8Ekh16217: SYSERR: putoutmsg (www.nakorinthias.gr): error on output channel sending "220 fat_man.ascendency.net ESMTP Sendmail 8.11.6/8.11.6; Mon, 25 Nov 2002 02:14:46 -0600 (CST)": Broken pipe

11/24/2002 Security Report

> 44:59 fat_man last message repeated 2 times
> Nov 23 16:23:03 fat_man sshd[80281]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
> Nov 23 16:24:32 fat_man sshd[80292]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
> arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
> Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
> arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
> Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
> arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
> Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
> arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
> Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
> arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
> arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
> Nov 23 18:31:39 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0

11/23/2002 Daily run report

fat_man.ascendency.net group diffs:
16a17
> cyrus:*:60:daemon
30d30
< cyrus:*:60:daemon

What's going on here?

I just changed most of my passwords and changed the root password to an 18-digit alphanumeric string. I have SMTP-AUTH on and working; all relays have been turned off. I checked my /etc/hosts, groups, passwd as well as "last" and everything appears to be secure. I have restricted sshd to only one particular IP. Firewalled off all unnecessary ports and removed everything possible from hosts.allow. I'm running 8.11.6 sendmail, but can't find the version of ssh.

Do I need to do anything else? This appears to be a program running various probes to determine my system's security level. Am I wrong?

...........................................
Randomly Generated Quote:
Insert funny but obscure remark here.

Mike Loiterman
PGP Key 0xD1B9D18E
http://www.ascendency.net

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
Comment: Message digitally signed by Mike Loiterman

iQA/AwUBPeKlDmjZbUnRudGOEQLM2ACePJZuldNMDeppJQAqUfph/8V6z1AAn1a7
BAGNud30wQYerfOW31F4UBjR
=U34I
-----END PGP SIGNATURE-----
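The two things in the report above that are worth pulling apart mechanically are the kernel's "arp: <ip> moved from <mac> to <mac> on <ifc>" lines and the tcp_wrappers "host name/name mismatch" warnings from sshd. The Python below is an added example, not code from the post or from FreeBSD; the sample log is constructed here from the timestamped lines in the message. It groups the ARP events per IP and reports two patterns: an IP whose MAC reverts to one it already had (A -> B -> A), and a single MAC that answered for more than one IP. Both patterns also arise innocently (a DHCP lease handed to another box, a host with two interfaces, a switch or cable being reseated), so the output is a list of addresses to reconcile against the physical inventory, not a verdict on compromise. The wrapper warning is tcpd's paranoid check: the name from the PTR record did not match the canonical name returned by the forward lookup, which is a DNS configuration problem on the remote side, and the labels "reverse" and "forward" below are this example's own names for those two fields.

```python
import re
from collections import defaultdict

# Constructed sample, taken from the timestamped lines quoted in the post.
SAMPLE_LOG = """\
Nov 23 16:23:03 fat_man sshd[80281]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
Nov 23 16:24:32 fat_man sshd[80292]: warning: /etc/hosts.allow, line 23: host name/name mismatch: www.craftworks.co.jp != ns.craftworks.co.jp
Nov 23 16:27:53 fat_man /kernel: arp: 192.168.1.1 moved from 00:04:5a:20:6e:b7 to 00:06:25:92:58:f5 on ep0
Nov 23 16:57:41 fat_man /kernel: arp: 192.168.1.2 moved from 00:01:03:20:2f:75 to 00:06:25:10:e0:03 on ep0
Nov 23 17:00:17 fat_man /kernel: arp: 192.168.1.2 moved from 00:06:25:10:e0:03 to 00:01:03:20:2f:75 on ep0
Nov 23 18:24:50 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 18:25:05 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
Nov 23 18:27:51 fat_man /kernel: arp: 192.168.1.4 moved from 00:06:25:10:e0:03 to 00:80:c6:fa:9f:21 on ep0
Nov 23 18:31:39 fat_man /kernel: arp: 192.168.1.4 moved from 00:80:c6:fa:9f:21 to 00:06:25:10:e0:03 on ep0
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
# FreeBSD kernel message: "arp: <ip> moved from <mac> to <mac> on <ifc>"
ARP_RE = re.compile(
    TS + r" \S+ /kernel: arp: (?P<ip>[\d.]+) moved from "
    r"(?P<old>[0-9a-f:]{17}) to (?P<new>[0-9a-f:]{17}) on (?P<ifc>\S+)$"
)
# tcp_wrappers paranoid check: PTR name != canonical name from forward lookup
WRAPPER_RE = re.compile(
    TS + r" \S+ (?P<daemon>\w+)\[\d+\]: warning: (?P<file>\S+), line \d+: "
    r"host name/name mismatch: (?P<reverse>\S+) != (?P<forward>\S+)$"
)


def parse(log):
    """Return (arp_events_by_ip, wrapper_warnings) from raw syslog text."""
    arp = defaultdict(list)  # ip -> [(ts, old_mac, new_mac, ifc), ...] in log order
    wrappers = []            # [(ts, daemon, reverse_name, forward_name), ...]
    for line in log.splitlines():
        m = ARP_RE.match(line)
        if m:
            arp[m["ip"]].append((m["ts"], m["old"], m["new"], m["ifc"]))
            continue
        m = WRAPPER_RE.match(line)
        if m:
            wrappers.append((m["ts"], m["daemon"], m["reverse"], m["forward"]))
    return arp, wrappers


def mac_sets(arp):
    """Every distinct MAC that has claimed each IP, sorted."""
    return {ip: sorted({mac for _, old, new, _ in ev for mac in (old, new)})
            for ip, ev in arp.items()}


def flapping(arp):
    """IPs whose MAC went back to one it already had (A -> B -> A).

    Counts each reversion; two hosts both answering for the address, or a
    spoofer fighting the real owner, show up here. A one-off change does not.
    """
    out = {}
    for ip, ev in arp.items():
        seen = {ev[0][1]}  # the MAC the kernel had before the first change
        flips = 0
        for _, _, new, _ in ev:
            if new in seen:
                flips += 1
            seen.add(new)
        if flips:
            out[ip] = flips
    return out


def shared_macs(arp):
    """MACs that took over more than one IP: one host answering for several."""
    owners = defaultdict(set)
    for ip, ev in arp.items():
        for _, _, new, _ in ev:
            owners[new].add(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}


if __name__ == "__main__":
    arp, wrappers = parse(SAMPLE_LOG)
    for ip, macs in mac_sets(arp).items():
        print(ip, "seen with", ", ".join(macs))
    print("flip-flopping IPs:", flapping(arp))
    print("MACs claiming several IPs:", shared_macs(arp))
    for ts, daemon, rev, fwd in wrappers:
        print(ts, daemon, "PTR name", rev, "!= forward canonical name", fwd)
```

On the sample above, 192.168.1.1 changed MAC once and is not reported as flapping, while 192.168.1.2 and 192.168.1.4 each revert, and 00:06:25:10:e0:03 turns up claiming both .2 and .4. The next step for the poster would be to run `arp -an` on fat_man and compare each address against the known hardware, and to check which box actually owns 00:06:25:10:e0:03.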