From owner-freebsd-questions Sat Feb 20 10:33:38 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from hyperhost.net (ether.lightrealm.com [207.159.132.5])
	by hub.freebsd.org (Postfix) with ESMTP id D4633118A0
	for ; Sat, 20 Feb 1999 10:33:34 -0800 (PST)
	(envelope-from patseal@hyperhost.net)
Received: from port3.annex8.radix.net (port3.annex8.radix.net [205.252.108.3])
	by hyperhost.net (8.8.5/8.8.5) with ESMTP id NAA09046;
	Sat, 20 Feb 1999 13:33:16 -0500 (EST)
Date: Sat, 20 Feb 1999 13:33:09 -0500 (EST)
From: Patrick Seal
To: Jose Carlos da Silva
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: I've been hacked!
In-Reply-To: <199902201815.NAA00417@hyperhost.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I've read over man tcpd 3 times and can't seem to see how to log the IP
address. Where else can I look?

Thanks!

------------------------------------ _____________________________________
Patrick Seal                        |"Microsoft isn't evil, they just make
                                    | really crappy operating systems."
Hyperhost - http://www.hyperhost.net|                      -Linus Torvalds
hosting and Design
          http://www.freebsd.org  -  http://www.linux.org

On Sat, 20 Feb 1999, Jose Carlos da Silva wrote:

> Patrick, On 20 Feb 99, you wrote:
>
> > I am using the TCP wrappers, have root login disabled, and am running a
> > newly CVSUP'd 3.1-STABLE. What I want to know is how to contact his/her
> > ISP.
>
> You should find the IP address of the connection in your log files.
> If you haven't enabled the full log files features of TCP WRAPPERS,
> maybe you should check the TCP WRAPPERS documentation to enable the
> logging of the IP address of each connection and wait until the next
> try of the hacker.
>
> Once you have the IP address, you should do a NSLOOKUP on it to get
> the hostname including the domain name. If the IP address doesn't
> have a reverse hostname available, you can try to use traceroute or
> RWHOIS (http://www.rwhois.net) to discover from which network he is
> trying to connect to your server. In general, it will be an ISP
> (Internet Service Provider) used for dialup access.
>
> Normally, complaints should be sent to addresses like abuse@domain.com
> or security@domain.com, but it should be a good idea to check out the
> domain homepage to look for his 'Acceptable User Policy' and contact
> email addresses.
>
> In most of the cases, the maximum you will get is to cancel the
> hacker dialup account, but he will think twice before trying to
> attack you again.
>
> Regards,
>
> o-----------------( Jose Carlos da Silva )-----------------o
> | Network Administrator - WebMaster - jcds@brasmail.com.br |
> | ALLNET! Internet Provider       http://www.allnet.com.br |
> | Brasmail Internet Services    http://www.brasmail.com.br |
> | Central Brasileira de Listas        http://www.listas.nu |
> | Sao Paulo - SP - Brasil            Phone: (011)3061-0088 |
> o----------------------------------------------------------o
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
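
The log review step described in the quoted reply, as an added example that is not part of the original message: it groups wrapper connection entries by client and derives the reverse-DNS name to look up for each logged IP address. The log lines are constructed, and their `daemon[pid]: connect from` / `refused connect from` layout, the optional `user@` prefix and the daemon names are assumptions about the local syslog output.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (assumed syslog layout for wrapper entries);
# the addresses come from the reserved documentation ranges.
SAMPLE_LOG = """\
Feb 20 03:11:02 www telnetd[411]: refused connect from 203.0.113.77
Feb 20 03:11:09 www ftpd[415]: connect from 203.0.113.77
Feb 20 03:12:40 www telnetd[420]: refused connect from 203.0.113.77
Feb 20 09:30:15 www ftpd[502]: connect from dialup12.example.net
Feb 20 10:02:51 www popper[533]: connect from user@198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s(?P<daemon>[\w.-]+)\[\d+\]:\s"
    r"(?P<refused>refused )?connect from (?P<client>\S+)$"
)

def summarize(log_text):
    """Group wrapper log entries by client and return one record per client."""
    clients = defaultdict(lambda: {"accepted": 0, "refused": 0,
                                   "daemons": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a wrapper connection line
        host = m["client"].rsplit("@", 1)[-1]  # drop an assumed "user@" prefix
        rec = clients[host]
        rec["refused" if m["refused"] else "accepted"] += 1
        rec["daemons"].add(m["daemon"])
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    for host, rec in clients.items():
        try:
            # Name whose PTR record a reverse lookup of this address queries.
            rec["ptr_name"] = ipaddress.ip_address(host).reverse_pointer
        except ValueError:
            rec["ptr_name"] = None  # client was logged as a hostname already
    return dict(clients)

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["refused"])
    for host, rec in ranked:
        print(host, rec["accepted"], rec["refused"], sorted(rec["daemons"]),
              rec["first"], rec["last"], rec["ptr_name"])
```

The first-seen and last-seen timestamps and the list of daemons touched are the details an abuse desk needs to match the report against its own dialup session records.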