in.comsat vulnerability - a discussion in the Slackware Linux Support forums, part of the Unix Operating Systems category.
Dear all,

I have the following in my log files and have been told someone from my site has been trying to hack their site. I thought I had closed in.comsat in inetd.conf.

/var/log/secure

Jun 16 16:00:55 pingnu in.comsat[17458]: connect from 127.0.0.1
Jun 16 17:01:32 pingnu in.comsat[17484]: connect from 127.0.0.1
Jun 16 17:10:18 pingnu in.comsat[17662]: connect from 127.0.0.1
Jun 16 17:43:58 pingnu in.comsat[17668]: connect from 127.0.0.1
Jun 16 18:05:14 pingnu in.comsat[17843]: connect from 127.0.0.1
Jun 16 18:36:07 pingnu in.comsat[17849]: connect from 127.0.0.1

/var/log/messages

Jun 13 10:55:17 router popa3d[2175]: 0 (0) deleted, 0 (0) left
Jun 13 11:00:42 router in.identd[2193]: reply to 127.0.0.1: 32827 , 25 : USERID : OTHER :25
Jun 13 11:15:14 router popa3d[2199]: Didn't attempt authentication

http://www.attrition.org/security/de...omsat.dos.html

I have an off-site virtual server running Slackware 9.0 as well; both have sendmail running. I am still not sure if I have been hacked or if I am being paranoid.

Regards
Carl Parsons
Carl Parsons wrote:

> I ... have been told someone from my site has been trying to hack
> their site.

Comsat connections from localhost won't have anything to do with that. Try and get log extracts from the other site, showing someone trying to intrude on their systems. You're looking for a needle in a haystack otherwise. See if they have queried your ident server for the connections, and get that information from them as well (it should be in the same log if they have a reasonable system).

What I've usually found when people complain to me about an "intruder" is that they're using some sort of "personal firewall" software, but they don't understand how to use it, and they're reporting back that my web server (for example) keeps "attacking" their port 113!

> I thought I had closed in.comsat in inetd.conf

kill -HUP `cat /var/run/inetd.pid`
netstat -a

There isn't much point in "thinking" you closed any port(s). Periodically check, and *know* what ports are open on your systems.

> I am still not sure if I have been hacked or am I being paranoid.

A healthy sense of paranoia is good in this business. However, I usually tell people that if they need to ask whether or not their computer has been compromised (not "hacked"; that's misuse of the word, perpetuated by the misinformed), it probably has been; wipe the disk and start over. If you don't want to do that, you had better get to know your systems quickly, and determine for yourself whether they're being used by an intruder.

I hope that helps ...

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              syl@alcor.concordia.ca
Systems analyst                                   Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
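The reply above makes two points that are easy to act on: an inetd.conf edit only takes effect once inetd re-reads the file, and the only authoritative answer to "is this port closed?" is what the kernel reports, not what the config file says. The script below is an added example, written for this thread rather than taken from any of the posters; it parses an inetd.conf-style file for services that are still active and then lists the sockets actually listening. The inetd.conf it reads is a constructed sample, not Carl's real file, and the `netstat -ltun` / `ss -ltun` fallback assumes one of those tools is installed.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a service is really disabled
# in inetd.conf instead of assuming it. Editing the file is not enough on its own;
# inetd keeps serving its old configuration until it is told to reload it
# (kill -HUP `cat /var/run/inetd.pid`).

# enabled_inetd_services FILE: print the service name (first field) of every
# active, i.e. not commented out, line in an inetd.conf-style file.
enabled_inetd_services() {
    # Strip comments (a leading "#" disables the whole line), drop blank lines,
    # keep only lines with the six or more fields a real entry has.
    sed -e 's/#.*//' "$1" | awk 'NF >= 6 { print $1 }' | LC_ALL=C sort -u
}

# inetd_service_enabled FILE SERVICE: exit 0 if SERVICE is still active, 1 if not.
inetd_service_enabled() {
    enabled_inetd_services "$1" | grep -qx "$2"
}

# listening_sockets: what the kernel is actually accepting, independent of any
# config file. This is the "netstat -a" check from the thread, narrowed to listeners.
listening_sockets() {
    netstat -ltun 2>/dev/null || ss -ltun 2>/dev/null
}

# Constructed sample inetd.conf (not the poster's real file): comsat and pop3
# commented out, auth (ident) and time still active.
SAMPLE_INETD_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_INETD_CONF"' EXIT
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# constructed sample inetd.conf
#comsat  dgram   udp  wait    root    /usr/sbin/tcpd        in.comsat
auth     stream  tcp  nowait  nobody  /usr/sbin/in.identd   in.identd -w -t120
#pop3    stream  tcp  nowait  root    /usr/sbin/tcpd        /usr/sbin/popa3d
time     stream  tcp  nowait  root    internal
EOF

echo "Services still enabled in $SAMPLE_INETD_CONF:"
enabled_inetd_services "$SAMPLE_INETD_CONF"

for svc in comsat auth; do
    if inetd_service_enabled "$SAMPLE_INETD_CONF" "$svc"; then
        echo "$svc: still enabled in inetd.conf"
    else
        echo "$svc: disabled in inetd.conf (now confirm nothing listens for it)"
    fi
done

echo "Currently listening sockets on this host:"
listening_sockets || echo "(neither netstat nor ss available here)"
```

Run it against the real `/etc/inetd.conf` by pointing `enabled_inetd_services` at that path; if a service shows as disabled in the file but its port is still in the listening list, inetd has not been reloaded yet.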
This was the target computer's log file:

Jun 15 23:27:24 sshd[1238]: Illegal user pingnu from 81.178.1.21
Jun 15 23:27:45 sshd[1238]: Failed unknown for illegal user pingnu from 81.178.1.21 port 32807 ssh2
Jun 15 23:27:59 last message repeated 2 times
Jun 15 23:28:02 sshd[1243]: Illegal user pingnu from 81.178.1.21
Jun 15 23:28:18 sshd[1243]: Failed unknown for illegal user pingnu from 81.178.1.21 port 32808 ssh2
Jun 15 23:28:23 sshd[1243]: fatal: PAM: authentication thread exited unexpectedly
Jun 15 23:28:49 sshd[1247]: Illegal user pingnu from 81.178.1.21
Jun 15 23:29:04 sshd[1247]: Failed unknown for illegal user pingnu from 81.178.1.21 port 32809 ssh2
Jun 15 23:29:43 sshd[1247]: Failed unknown for illegal user pingnu from 81.178.1.21 port 32809 ssh2
Jun 15 23:29:45 sshd[1247]: fatal: PAM: authentication thread exited unexpectedly

My log files:

Jun 16 01:12:06 router in.identd[6265]: reply to 127.0.0.1: 33182 , 25 : USERID : OTHER :25
Jun 16 01:13:17 router in.identd[6282]: reply to 127.0.0.1: 33184 , 25 : USERID : OTHER :25
Jun 16 01:12:07 router in.comsat[6268]: connect from 127.0.0.1
Jun 16 01:12:06 router sendmail[6263]: i5G0C6Zp006263: from=root, size=788, class=0, nrcpts=1, msgid=<200406160012.i5G0C6Zp006263@router.pingnu.com>, relay=root@localhost
Jun 16 01:12:07 router sm-mta[6264]: i5G0C6SL006264: from=<root@router.pingnu.com>, size=1064, class=0, nrcpts=1, msgid=<200406160012.i5G0C6Zp006263@router.pingnu.com>, proto=ESMTP, daemon=MTA, relay=IDENT:25@localhost [127.0.0.1]

I do not have a user called pingnu, but a group called pingnu. The time difference could be because he is in France and I am in the UK, and my clock is not set exactly.

Regards
Carl Parsons
Carl Parsons wrote:

> This was the target computer log file
>
> Jun 15 23:27:24 sshd[1238]: Illegal user pingnu from 81.178.1.21

Can I assume that 81.178.1.21 is your IP address? (81-178-1-21.dsl.pipex.com) (frankly, the complaint should be going to abuse@pipex.com...)

(more sshd logs trimmed)

> My log files

All mail-related logs. These aren't relevant to the ssh session(s) the remote site is reporting.

Try last, w, who, and lastlog to get a sense of whether someone has been accessing your system without proper permission. Note that if the system *has* been compromised, you may not be able to trust the output of these commands (for instance if the root account has been compromised).

> I do not have a user called pingnu but a group called pingnu the time
> difference could be he is in France and I am in the UK and my clock is
> not set exactly.

The user name that someone is trying to use at the remote end isn't necessarily going to be the username they're operating as on your end. You need the other end to query your ident daemon, and let you know the username it reports back for the ssh sessions.

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              syl@alcor.concordia.ca
Systems analyst                                   Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
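The exchange above boils down to a triage question: of everything in the two log extracts, which lines describe the reported ssh activity, and how much of it was there? The script below is an added example, not code from the thread or from either poster. It reads syslog-format lines and tallies, per source address and attempted user name, how many "Illegal user" sessions sshd opened and how many authentication failures followed, folding in syslog's "last message repeated N times" compression, which is easy to under-count by hand. Its sample input is the sshd excerpt Carl quoted from the remote site plus two of his own mail-related lines, included to show that they are ignored, as Sylvain says they should be.

```shell
#!/bin/sh
# Added example (not from the thread): triage a remote site's sshd log excerpt.
# Counts, per "ip user" pair, how many "Illegal user" sessions were opened and
# how many authentication failures occurred. Lines from other daemons
# (sendmail, comsat, identd) carry no information about the ssh sessions and
# fall through to the default rule.

summarise_ssh_attempts() {
    # Reads syslog lines on stdin; prints "ip user sessions failures", one line per pair.
    awk '
        /sshd\[[0-9]+\]: Illegal user / {
            for (i = 1; i <= NF; i++) if ($i == "from") key = $(i + 1) " " $(i - 1)
            sessions[key]++
            last_failed = ""          # a repeat of this line is not a failed auth
            next
        }
        /sshd\[[0-9]+\]: Failed .* for illegal user / {
            for (i = 1; i <= NF; i++) if ($i == "from") key = $(i + 1) " " $(i - 1)
            failures[key]++
            last_failed = key         # remember it in case syslog collapses repeats
            next
        }
        /last message repeated [0-9]+ times/ {
            # syslog folded N identical lines into one; credit them to the last failure
            if (last_failed != "")
                for (i = 1; i <= NF; i++) if ($i == "repeated") failures[last_failed] += $(i + 1)
            next
        }
        { last_failed = "" }          # any other line breaks the repeat chain
        END {
            for (k in sessions) print k, sessions[k] + 0, failures[k] + 0
        }
    ' | sort
}

# Sample input: the sshd lines quoted in the thread, plus two of the poster's own
# mail-related lines to demonstrate that they are ignored.
SAMPLE_LOG=$(cat <<'EOF'
Jun 15 23:27:24 sshd[1238]: Illegal user pingnu from 81.178.1.21
Jun 15 23:27:45 sshd[1238]: Failed unknown for illegal user pingnu from 81.178.1.21 port 32807 ssh2
Jun 15 23:27:59 last message repeated 2 times
Jun 15 23:28:02 sshd[1243]: Illegal user pingnu from 81.178.1.21
Jun 15 23:28:18 sshd[1243]: Failed unknown for illegal user pingnu from 81.178.1.21 port 32808 ssh2
Jun 15 23:28:23 sshd[1243]: fatal: PAM: authentication thread exited unexpectedly
Jun 15 23:28:49 sshd[1247]: Illegal user pingnu from 81.178.1.21
Jun 15 23:29:04 sshd[1247]: Failed unknown for illegal user pingnu from 81.178.1.21 port 32809 ssh2
Jun 15 23:29:43 sshd[1247]: Failed unknown for illegal user pingnu from 81.178.1.21 port 32809 ssh2
Jun 15 23:29:45 sshd[1247]: fatal: PAM: authentication thread exited unexpectedly
Jun 16 01:12:07 router in.comsat[6268]: connect from 127.0.0.1
Jun 16 01:12:06 router in.identd[6265]: reply to 127.0.0.1: 33182 , 25 : USERID : OTHER :25
EOF
)

echo "ip user sessions failures"
printf '%s\n' "$SAMPLE_LOG" | summarise_ssh_attempts
```

On the quoted excerpt this yields three sessions and six failed authentications for `pingnu` from 81.178.1.21, the two folded repeats included. The same function can be fed a full `/var/log/messages` or `/var/log/secure` from the reporting side to see how many addresses and user names were involved.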
Sylvain Robitaille wrote:
>
> All mail-related logs. These aren't relevant to the ssh session(s) the
> remote site is reporting.

I read that a specially crafted email can "start up a few "yes 'root@0'"". I may have misunderstood the security issue; it is about a DOS attack. I was thinking some email sent to root was connected.

> Try last, w, who, and lastlog

I must admit I have not used these. I am just going to assume I have a root kit installed and start from scratch again, and it is nothing to do with comsat; this is just informing me I have email via biff. I should install tripwire and so on in future and harden my site.
Carl Parsons wrote:

> I should install tripwire and so on in future and harden my site.

Most definitely, but that's only a tool. You have to use the tool (and that means keep the database up to date), use it correctly (keep the database off the system), and use it frequently.

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              syl@alcor.concordia.ca
Systems analyst                                   Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
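The three conditions in the reply above (a database that matches the current system, stored where the host cannot alter it, checked often) are what a file-integrity checker reduces to. The script below is an added example written for this thread; it is not Tripwire's code and not from any of the posters. It takes a baseline of SHA-256 hashes for a directory tree, writes it to a separate location standing in for offline media, and on a later run reports files that were added, changed or removed. It assumes GNU coreutils `sha256sum` and paths without whitespace; the directory it checks is a constructed sample created by the script itself.

```shell
#!/bin/sh
# Added example (not from the thread, and not Tripwire's own code): the idea
# behind a file-integrity checker, reduced to two shell functions. A baseline of
# SHA-256 hashes is taken while the system is still trusted and stored somewhere
# the host cannot modify; later runs hash the same tree and report what changed.
# Assumes GNU coreutils sha256sum and paths without whitespace.

# make_baseline TREE BASELINE_FILE: write "hash  path" for every regular file under TREE.
make_baseline() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$2"
}

# check_baseline TREE BASELINE_FILE: print ADDED/CHANGED/REMOVED lines and
# return 1 if anything differs from the baseline, 0 if the tree is unchanged.
check_baseline() {
    _current=$(mktemp)
    make_baseline "$1" "$_current"
    _diffs=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: the baseline
        {                                             # second file: the current state
            if (!($2 in base))        print "ADDED", $2
            else if (base[$2] != $1)  print "CHANGED", $2
            delete base[$2]
        }
        END { for (p in base) print "REMOVED", p }    # left over: gone since baseline
    ' "$2" "$_current" | sort)
    rm -f "$_current"
    [ -z "$_diffs" ] && return 0
    printf '%s\n' "$_diffs"
    return 1
}

# Demonstration on a constructed tree. "$OFFLINE" stands in for removable media
# or a remote host: the baseline must not live on the system it describes,
# or an intruder with root can simply regenerate it.
TREE=$(mktemp -d)
OFFLINE=$(mktemp -d)
trap 'rm -rf "$TREE" "$OFFLINE"' EXIT
printf 'original\n' > "$TREE/passwd"
printf 'original\n' > "$TREE/inetd.conf"
make_baseline "$TREE" "$OFFLINE/baseline.db"

# Simulate tampering: one file edited, one added, one removed.
printf 'tampered\n' > "$TREE/inetd.conf"
printf 'x\n'        > "$TREE/rootkit"
rm -f "$TREE/passwd"

if check_baseline "$TREE" "$OFFLINE/baseline.db"; then
    echo "no changes since baseline"
else
    echo "integrity check FAILED (differences listed above)"
fi
```

Tripwire adds a great deal on top of this (a policy language, multiple hash algorithms, ownership and permission checks, signed databases), but the operational discipline Sylvain describes is identical: refresh the baseline after every legitimate change, keep it off the machine, and run the comparison on a schedule rather than only after a complaint arrives.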