Carl Parsons wrote:

> I ... have been told someone from my site has been trying to hack
> their site.

Comsat connections from localhost won't have anything to do with
that. Try and get log extracts from the other site, showing someone
trying to intrude on their systems. You're looking for a needle in a
haystack otherwise. See if they have queried your ident server for the
connections, and get that information from them as well (it should be in
the same log if they have a reasonable system).

What I've usually found when people complain to me about an "intruder"
is that they're using some sort of "personal firewall" software, but
they don't understand how to use it, and they're reporting back that my
web server (for example) keeps "attacking" their port 113!

> I thought I had closed in.comsat in inetd.conf

    kill -HUP `cat /var/run/inetd.pid`
    netstat -a

There isn't much point in "thinking" you closed any port(s).
Periodically check, and *know* what ports are open on your systems.

> I am still not sure if I have been hacked or am I being paranoid.

A healthy sense of paranoia is good in this business. However, I
usually tell people that if they need to ask whether or not their
computer has been compromised (not "hacked"; that's misuse of the word,
perpetuated by the misinformed), it probably has been; wipe the disk
and start over.

If you don't want to do that, you had better get to know your systems
quickly, and determine for yourself whether they're being used by an
intruder.

I hope that helps ...
--
----------------------------------------------------------------------
Sylvain Robitaille
syl@alcor.concordia.ca
Systems analyst Concordia University
Instructional & Information Technology Montreal, Quebec, Canada
----------------------------------------------------------------------
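
The periodic port check recommended in the message above, as an added example that is not part of the original post: it lists the services inetd.conf still enables and flags any listener missing from a known-good baseline. The function names, the baseline format and the SAMPLE_* inputs are constructed for illustration; 512/udp is assumed to be comsat's port, as in the usual /etc/services.

```shell
#!/bin/sh
# Added example. SAMPLE_* values are constructed; on a live host pipe in
# /etc/inetd.conf and the output of `netstat -an` instead.

SAMPLE_INETD='#comsat dgram udp wait root /usr/sbin/tcpd in.comsat
auth stream tcp nowait nobody /usr/sbin/in.identd in.identd'

# comsat is commented out above, but inetd has not been sent HUP yet,
# so its UDP socket (512) is still bound.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:113     0.0.0.0:*         LISTEN
udp        0      0 0.0.0.0:512     0.0.0.0:*
tcp        0      0 10.0.0.5:22     10.0.0.9:40112    ESTABLISHED'

# Ports you have decided should be open, one "proto/port" per line.
BASELINE='tcp/22
tcp/113'

# stdin: inetd.conf. Prints "service/proto" for each entry not commented out.
inetd_enabled() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 "/" $3 }'
}

# stdin: netstat -an output. Prints "proto/port" for TCP listeners and bound
# UDP sockets. Accepts "0.0.0.0:113" (Linux) and "*.113" (BSD) address styles.
listening() {
    awk '$1 ~ /^(tcp|udp)/ && ($1 ~ /^udp/ || $NF == "LISTEN") {
             n = split($4, a, /[:.]/)
             print substr($1, 1, 3) "/" a[n]
         }' | LC_ALL=C sort -u
}

# stdin: netstat -an output; $1: baseline list. Prints listeners not in it.
unexpected() {
    listening | grep -vxF -e "$1" || true
}

echo "inetd.conf enables:"
printf '%s\n' "$SAMPLE_INETD" | inetd_enabled
echo "listening but not in baseline:"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected "$BASELINE"
```

In the constructed sample, inetd.conf no longer enables comsat yet udp/512 is still reported, which is the state a host is in between editing the file and sending inetd the HUP.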