Date: Fri, 5 Feb 1999 10:53:29 -0700
From: John-David Childs <jdc@nterprise.net>
To: security@FreeBSD.ORG
Subject: Log Analysis for Feb 4 on host www.example.net
Message-ID: <19990205105329.60781@denver.net>
Two days ago I discovered that one of my machines was hacked. I've been seeing "[telnetd] ttloop: peer died" daily log entries like the one below for weeks, but I initially assumed that it was from one of the employees running WhatsUp Gold (whenever that program connects to port 23 and then disconnects, I get that same ttloop message).

On Monday I began to get suspicious about the possibility of hackers, and the next day discovered that indeed the system was hacked (commands appeared via lastcomm as run by root from a ttyv device, yet no one was logged into the machine according to the last command, suggesting that a hacker/s wiped /var/log/wtmp, but not /var/account/acct). The only users who are allowed shell accounts on the system are four-six employees of the company.

While the possibility that another system on the network (i.e. NT) was compromised and a password sniffer installed... do you know how/why I would see all these ttloop peer died messages from faraway locations to the telnet port? Is this typical of a root-kit'd FreeBSD telnetd?
-----Forwarded message from Charlie Root <root@www.example.net>-----

From: Charlie Root <root@www.example.net>
Message-Id: <199902050902.CAA13399@www.example.net>
Subject: Log Analysis for Feb 4 on host www.example.net
Apparently-To: root@www.example.net

Critical Events

Authorization Events

Authpriv events

Daemon events
Feb 4 01:24:14 www inetd[118]: telnet from 128.123.33.197
Feb 4 01:24:14 www inetd[118]: telnet from 128.123.33.197
Feb 4 01:24:19 www telnetd[8695]: ttloop: peer died: Undefined error: 0
Feb 4 04:04:28 www inetd[118]: telnet from 128.123.33.197
Feb 4 04:04:28 www telnetd[11535]: ttloop: peer died: Undefined error: 0
Feb 4 04:04:28 www inetd[118]: telnet from 128.123.33.197
Feb 4 04:50:44 www inetd[118]: telnet from 128.123.33.197
Feb 4 04:50:44 www telnetd[12320]: ttloop: peer died: Undefined error: 0
Feb 4 04:50:44 www inetd[118]: telnet from 128.123.33.197
Feb 4 04:54:27 www inetd[118]: telnet from 128.123.33.197
Feb 4 04:54:27 www telnetd[12383]: ttloop: peer died: Undefined error: 0
Feb 4 04:54:27 www inetd[118]: telnet from 128.123.33.197
Feb 4 06:15:00 www inetd[118]: telnet from 128.123.33.197
Feb 4 06:15:01 www telnetd[13968]: ttloop: peer died: Undefined error: 0
Feb 4 06:15:01 www inetd[118]: telnet from 128.123.33.197
Feb 4 06:43:57 www inetd[118]: telnet from 128.123.33.197
Feb 4 06:43:57 www telnetd[14586]: ttloop: peer died: Undefined error: 0
Feb 4 06:43:58 www inetd[118]: telnet from 128.123.33.197
Feb 4 08:27:00 www inetd[118]: telnet from 206.19.202.81
Feb 4 08:31:02 www inetd[118]: telnet from 206.19.202.81
Feb 4 10:04:43 www inetd[118]: telnet from 206.19.202.105
Feb 4 10:17:16 www inetd[118]: telnet from 206.19.200.11
Feb 4 10:34:53 www inetd[118]: telnet from 206.19.202.81
Feb 4 10:46:33 www inetd[118]: telnet from 206.19.202.103
Feb 4 11:15:39 www inetd[118]: ftp from 166.93.82.58
Feb 4 11:16:32 www inetd[118]: ftp from 166.93.82.58
Feb 4 11:39:51 www inetd[118]: ftp from 206.19.201.9
Feb 4 11:40:29 www inetd[118]: telnet from 206.19.202.106
Feb 4 12:29:16 www inetd[118]: ftp from 206.19.202.81
Feb 4 12:30:34 www inetd[118]: ftp from 206.19.200.12
Feb 4 12:30:49 www inetd[118]: ftp from 206.19.200.12
Feb 4 12:32:18 www inetd[118]: ftp from 206.19.200.12
Feb 4 13:20:31 www inetd[118]: telnet from 206.19.202.81
Feb 4 13:41:08 www inetd[118]: ftp from 206.19.202.81
Feb 4 13:41:26 www inetd[118]: ftp from 206.19.202.81
Feb 4 13:52:03 www inetd[118]: ftp from 206.19.202.81
Feb 4 13:56:20 www inetd[118]: telnet from 206.19.202.81
Feb 4 16:20:09 www inetd[118]: ftp from 206.19.202.81
Feb 4 16:22:02 www inetd[118]: ftp from 206.19.202.105
Feb 4 16:46:50 www inetd[118]: telnet from 206.19.202.81
Feb 4 21:30:34 www inetd[118]: ftp from 206.214.78.149

-- 
John-David Childs (JC612)          Enterprise Internet Solutions
Systems Administration             http://www.nterprise.net
& Network Engineering              8707 E. Florida Ave #814
                                   Denver, CO 80231
Losing your drivers' license is just God's way of saying "BOOGA, BOOGA!"
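The pattern the post asks about, inetd "telnet from" lines followed a few seconds later by telnetd's "ttloop: peer died", can be checked mechanically rather than by eye. The following is an added example (not code from the post or from FreeBSD) that parses a constructed subset of the forwarded log, counts connects per source address, and attributes each "peer died" to the most recent unmatched telnet connect within a short window; that pairing is a heuristic, because telnetd's message names no address.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the forwarded log (a subset of it).
SAMPLE_LOG = """\
Feb 4 01:24:14 www inetd[118]: telnet from 128.123.33.197
Feb 4 01:24:14 www inetd[118]: telnet from 128.123.33.197
Feb 4 01:24:19 www telnetd[8695]: ttloop: peer died: Undefined error: 0
Feb 4 04:04:28 www inetd[118]: telnet from 128.123.33.197
Feb 4 04:04:28 www telnetd[11535]: ttloop: peer died: Undefined error: 0
Feb 4 04:04:28 www inetd[118]: telnet from 128.123.33.197
Feb 4 08:27:00 www inetd[118]: telnet from 206.19.202.81
Feb 4 11:15:39 www inetd[118]: ftp from 166.93.82.58
"""
# syslog line: "<Mon> <day> <hh:mm:ss> <host> <prog>[<pid>]: <message>"
LINE_RE = re.compile(r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+\S+\s+(\w+)\[\d+\]:\s+(.*)$")
CONN_RE = re.compile(r"^(telnet|ftp) from ([\d.]+)$")

def parse(text, year=1999):
    # syslog lines carry no year, so the caller supplies one
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")
            events.append((ts, m[4], m[5]))
    return events

def summarize(text, window=5):
    """Per source IP: connects per service, plus telnet connects followed within
    `window` seconds by 'ttloop: peer died' (client hung up during negotiation)."""
    stats = defaultdict(lambda: {"telnet": 0, "ftp": 0, "dropped": 0})
    pending = []  # (timestamp, ip) of telnet connects not yet matched to a drop
    for ts, prog, msg in parse(text):
        c = CONN_RE.match(msg)
        if prog == "inetd" and c:
            stats[c[2]][c[1]] += 1
            if c[1] == "telnet":
                pending.append((ts, c[2]))
        elif prog == "telnetd" and msg.startswith("ttloop: peer died"):
            # telnetd's line names no address, so pair it with the most recent
            # unmatched telnet connect inside the window (a heuristic)
            for i in range(len(pending) - 1, -1, -1):
                if (ts - pending[i][0]).total_seconds() <= window:
                    stats[pending.pop(i)[1]]["dropped"] += 1
                    break
    return dict(stats)

def repeat_droppers(stats, min_drops=2):
    # sources that repeatedly connect to telnet and hang up before any login
    return sorted(ip for ip, s in stats.items() if s["dropped"] >= min_drops)
```

Run against the full log above, the same code separates the one address that connects and drops all night from the daytime addresses that open ordinary sessions, which is the distinction worth comparing against wtmp and the accounting records.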