[NTLUG:Discuss] [Fwd: What does this mean?]
George E. Lass
George.Lass at osc.com
Tue Oct 12 09:34:58 CDT 1999
Kelly Scroggins wrote:
>
> I see attempts to access my system all the time. It's surprising how
> often it happens. But there has always been an address associated with
> it. How the heck do they find little 'ole me?!
It's just amazing isn't it! Almost like finding a needle in a haystack.
I've noticed a few things about these crack attempts. First, if you are
using a cable modem or a *dsl connection you are much more likely to see
access attempts. I suspect this is because the cracker "knows" that the
range of addresses belonging to a cable modem provider are likely to be
connected for long periods of time. So once they associate a PC with an
IP address, they can beat on it for days on end and chances are that it
will always be the same PC they are hitting.
But it's not limited to just long term connections. I've seen them on
dialup connections that may last less than an hour. I guess there are
people out there with nothing better to do than see if they can get in
to your system. Just think how far we (the Linux community) could go
if they spent their time doing something useful!
>
> I was worried (I still am a little) that they had made their way in.
>
From the looks of your "secure" file, I'd say they had been stopped
cold!
>
> I'll read the nmap doc you pointed to. I need to know what they're doing
> to my machine.
Again, right now I'd say nothing. At least that's the way it looks from
your "secure" file. In general though I'd say they are trying to determine
which TCP/IP ports are "open" on your system. Once they find that out,
there are always several back doors they can use to gain "root" access to
your PC. One of them has to do with sending a packet large enough to
overflow the input buffer for the program that is handling the port. If it
is done "just right" they can core dump the program and gain shell access
as root.
Your best bet is to run nmap against your own system and stop all services
that nmap shows running which you don't need. You should restrict access
to the rest via /etc/hosts.allow & hosts.deny. Also, if you need to leave
telnet open, you should use ssh for access to it.
I'm sure there are other things you can do, but again I'm no expert on
security!
George
P.S. There is a packet sniffer called tcpdump that should have been installed
when you first put Linux on your PC. Check out the man page....
G
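The hosts.allow / hosts.deny restriction George recommends is only as good as the evaluation order behind it: tcpd consults hosts.allow first, then hosts.deny, and grants access when neither file matches. The following added example (not part of the original post; the rule files and addresses are constructed) models that decision order for the common client-pattern forms, so you can see why a hosts.deny without a final `ALL: ALL` leaves every unlisted service open.

```python
"""Model of the tcp_wrappers (tcpd) access decision: hosts.allow, then hosts.deny, then default allow."""
import ipaddress

# Constructed sample rule files in /etc/hosts.allow and /etc/hosts.deny style.
HOSTS_ALLOW = """
# checked first; the first matching line grants access
sshd: 192.168.1. 10.0.0.0/255.0.0.0
in.telnetd: 192.168.1.5
"""
HOSTS_DENY = """
ALL: ALL
"""

def _client_matches(pattern, client_ip):
    """One token from a client list: ALL, dotted prefix, net/mask, or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # dotted prefix such as "192.168.1."
        return client_ip.startswith(pattern)
    if "/" in pattern:                             # net/mask form such as "10.0.0.0/255.0.0.0"
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    return client_ip == pattern                    # exact address

def _rules(text):
    """Yield (daemon tokens, client tokens) for every non-comment 'daemons : clients' line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        yield daemons.replace(",", " ").split(), clients.split()

def _matches(text, daemon, client_ip):
    return any((daemon in daemons or "ALL" in daemons)
               and any(_client_matches(p, client_ip) for p in clients)
               for daemons, clients in _rules(text))

def access_decision(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny' in the order tcpd evaluates the files."""
    if _matches(allow, daemon, client_ip):
        return "allow"
    if _matches(deny, daemon, client_ip):
        return "deny"
    return "allow"   # no match in either file: tcpd grants access by default
```

Passing `deny=""` to `access_decision` reproduces the common misconfiguration of an empty hosts.deny, where an unlisted daemon is reachable from anywhere.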