compromised?

dave d.eason at home.com
Mon Jun 4 04:43:34 PDT 2001


I got a nifty little email from someone in a Japanese NOC when I woke up
today stating one of my server IPs was in their logs.  Let me paste so
I don't have to quote.   The paste will be at the bottom of this message.
Now, I checked my logs (which I don't do as often as I should) and I
noticed a lot of attempted logins from Japanese IPs via anonymous FTP
and telnet, all of which were denied.  I also see those same IPs trying
to view my webpages, which are all password protected.  I know for a fact
it wasn't any of my users, so either they are misinterpreting their logs
or someone has gotten access to my machine.  As far as I can tell no one
has gotten in that wasn't supposed to; what should I be looking for to
make sure?  I'm also posting some logs from the system.
 
 
 
Jun  3 12:36:10 modemheads ftpd[21020]: ANONYMOUS FTP LOGIN FROM 211.208.194.227 [211.208.194.227], dd&@
Jun  3 12:36:16 modemheads ftpd[21020]: FTP session closed

Jun  3 19:15:45 modemheads ftpd[29242]: ANONYMOUS FTP LOGIN FROM ns.njg.ac.jp [211.16.245.66], a at b.com
Jun  3 19:16:26 modemheads ftpd[29242]: FTP session closed

Jun  3 16:01:46 modemheads rhnsd[838]: Could not create pipe for forking process; Too many open files
Jun  3 16:30:21 modemheads sshd[22172]: Did not receive ident string from 210.207.37.244.
Jun  3 16:30:24 modemheads ftpd[22298]: FTP session closed
Jun  3 23:30:39 modemheads ftpd[22682]: ANONYMOUS FTP LOGIN FROM 210.207.37.244 [210.207.37.244], guest at micros$
Jun  3 23:30:39 modemheads ftpd[22682]: FTP session closed
Jun  3 16:30:43 modemheads PAM_unix[22771]: check pass; user unknown

Jun  3 17:20:24 modemheads login[23706]: invalid password for `root' on `pts/3' from `211.192.187.226'
Jun  3 17:20:42 modemheads last message repeated 2 times
Jun  3 17:20:42 modemheads login[23706]: REPEATED login failures on `pts/3' from `211.192.187.226'
Jun  3 17:25:53 modemheads login[30330]: invalid password for `UNKNOWN' on `pts/3' from `211.5.133.88'
Jun  3 17:31:46 modemheads rhnsd[838]: Could not create pipe for forking process; Too many open files
Jun  3 17:40:30 modemheads sshd[19271]: Did not receive ident string from 211.133.4.103.

Jun  4 00:41:59 modemheads ftpd[20899]: ANONYMOUS FTP LOGIN FROM nttmygi02039.ppp.infoweb.ne.jp [211.133.4.103$
Jun  3 17:42:44 modemheads login[21835]: invalid password for `UNKNOWN' on `pts/3' from `211.51.32.172'
Jun  4 00:42:45 modemheads ftpd[20899]: FTP session closed
Jun  3 17:42:48 modemheads login[21835]: invalid password for `UNKNOWN' on `pts/3' from `211.51.32.172'
Jun  3 17:42:52 modemheads login[21835]: invalid password for `UNKNOWN' on `pts/3' from `211.51.32.172'
Jun  3 17:42:52 modemheads login[21835]: REPEATED login failures on `pts/3' from `211.51.32.172'
Jun  3 17:43:16 modemheads login[23127]: invalid password for `UNKNOWN' on `pts/3' from `nttmygi02039.ppp.info$
Jun  3 17:43:24 modemheads login[23127]: invalid password for `root' on `pts/3' from `nttmygi02039.ppp.infowe

Jun  3 18:05:25 modemheads rshd[22804]: Connection from 211.10.72.240 on illegal port
Jun  3 18:05:28 modemheads rlogind[22805]: Connection from 211.10.72.240 on illegal port
Jun  3 18:05:40 modemheads login[22991]: invalid password for `root' on `pts/3' from `gw1.cybercity.ne.jp'
Jun  3 22:30:32 modemheads login[7635]: invalid password for `root' on `pts/1' from `u001707.ueda.ne.jp'
Jun  3 22:30:42 modemheads login[7635]: invalid password for `UNKNOWN' on `pts/1' from `u001707.ueda.ne.jp'
Jun  3 22:30:47 modemheads login[7635]: invalid password for `root' on `pts/1' from `u001707.ueda.ne.jp'
Jun  3 22:30:47 modemheads login[7635]: REPEATED login failures on `pts/1' from `u001707.ueda.ne.jp'
Jun  3 22:31:47 modemheads rhnsd[838]: Could not create pipe for forking process; Too many open files
Jun  3 22:35:25 modemheads login[7637]: invalid password for `UNKNOWN' on `pts/1' from `s211-49-118-49.thrunet$
Jun  4 05:36:34 modemheads ftpd[7638]: ANONYMOUS FTP LOGIN FROM netsv.npn.gr.jp [210.190.67.82], guest at docomo.$
Jun  4 05:36:49 modemheads ftpd[7638]: FTP session closed
Jun  4 10:43:38 modemheads ftpd[7765]: ANONYMOUS FTP LOGIN FROM zaqd37c15da.zaq.ne.jp [211.124.21.218], local@$
Jun  4 10:44:28 modemheads ftpd[7765]: FTP session closed
Jun  4 04:00:14 modemheads login[7773]: invalid password for `UNKNOWN' on `pts/1' from `211.236.65.213'
Jun  4 04:00:27 modemheads login[7773]: invalid password for `UNKNOWN' on `pts/1' from `211.236.65.213'
 
 
 
Hello! My name is Naoki Matsutaka.
I work at a provider.
 
When checking a server's logs this morning,
access from modemheads.com was discovered.
It was the trace of an attack by TELNET and FTP
from modemheads.com.
 
 
It remains in the server's log as follows.
--------------------------
Jun  3 17:12:49 dev in.telnetd[1965]: refused connect from modemheads.com
Jun  4 11:39:04 dev in.telnetd[2287]: refused connect from modemheads.com
Jun  4 14:31:09 dev in.telnetd[2330]: refused connect from modemheads.com
Jun  4 17:23:07 dev in.telnetd[2371]: refused connect from modemheads.com

Jun  4 22:47:51 dev in.ftpd[2448]: refused connect from modemheads.com

Jun  4 02:32:00 ns in.telnetd[17808]: refused connect from modemheads.com
Jun  4 02:32:00 ns in.telnetd[17809]: refused connect from modemheads.com
Jun  4 02:32:01 ns in.telnetd[17810]: refused connect from modemheads.com
Jun  4 05:24:06 ns in.telnetd[18067]: refused connect from modemheads.com
Jun  4 05:24:06 ns in.telnetd[18068]: refused connect from modemheads.com
Jun  4 05:24:06 ns in.telnetd[18069]: refused connect from modemheads.com
Jun  4 08:16:04 ns in.telnetd[18222]: refused connect from modemheads.com
Jun  4 08:16:04 ns in.telnetd[18223]: refused connect from modemheads.com
Jun  4 08:16:04 ns in.telnetd[18224]: refused connect from modemheads.com

Jun  4 13:40:49 ns in.ftpd[19511]: refused connect from modemheads.com
Jun  4 13:40:49 ns in.ftpd[19512]: refused connect from modemheads.com
Jun  4 13:40:49 ns in.ftpd[19513]: refused connect from modemheads.com
 
--------------------------
 
I cannot understand why a user of modemheads.com
needs to TELNET to our host.
I want a satisfactory explanation of why so many refused entries
from modemheads.com are being written to our logs.
 
Since your mail address was listed as the administrative contact when the
name was looked up in the Whois database, this mail was sent to you.

I ask you to take measures so that this does not happen again.
 
bye-
 
Naoki Matsutaka -- support at yutopia.or.jp
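The two log sets above carry two different kinds of evidence, and they deserve different weight. The local entries are all inbound and all denied: anonymous FTP logins, password guesses against root and unknown accounts, and rshd/rlogind connections from an unprivileged port, which is what a scanner, not a legitimate rsh client, produces. The NOC's entries are the other direction: their tcp wrappers refused telnet and FTP connections *from* modemheads.com, and no amount of denied inbound logins explains outbound connections. That is the item to run down first. (One caveat when lining the two sets up by time: the ftpd entries in the local log run seven hours ahead of the login and sshd entries for the same source address, which looks like one daemon logging in UTC and the rest in PDT; the example below does not try to merge timestamps across that gap.) As an added example, not code from the original post or from anyone on the list, here is a small Python triage that parses both sets and turns them into the questions worth answering before calling the box clean. The sample lines are copied from the post (joined back onto single lines); the hostname `modemheads.com`, the threshold of three failures, and the wording of the findings are the example's own assumptions.

```python
"""Added example, not from the original post: triage the quoted log lines.

Local lines are inbound activity against this host; remote lines are what the
NOC says this host did to theirs.  No network or name lookups are performed.
"""
import re
from collections import Counter

OUR_HOST = "modemheads.com"  # assumption: the name the NOC report attributes the probes to

# Constructed sample: representative lines copied from the post, one per line.
LOCAL_LOG = """\
Jun  3 12:36:10 modemheads ftpd[21020]: ANONYMOUS FTP LOGIN FROM 211.208.194.227 [211.208.194.227], dd&@
Jun  3 17:20:24 modemheads login[23706]: invalid password for `root' on `pts/3' from `211.192.187.226'
Jun  3 17:20:42 modemheads last message repeated 2 times
Jun  3 17:20:42 modemheads login[23706]: REPEATED login failures on `pts/3' from `211.192.187.226'
Jun  3 17:42:44 modemheads login[21835]: invalid password for `UNKNOWN' on `pts/3' from `211.51.32.172'
Jun  3 17:42:48 modemheads login[21835]: invalid password for `UNKNOWN' on `pts/3' from `211.51.32.172'
Jun  3 18:05:25 modemheads rshd[22804]: Connection from 211.10.72.240 on illegal port
Jun  3 18:05:28 modemheads rlogind[22805]: Connection from 211.10.72.240 on illegal port
Jun  3 18:05:40 modemheads login[22991]: invalid password for `root' on `pts/3' from `gw1.cybercity.ne.jp'
Jun  4 00:41:59 modemheads ftpd[20899]: ANONYMOUS FTP LOGIN FROM nttmygi02039.ppp.infoweb.ne.jp [211.133.4.103$
"""

# Constructed sample: three lines of the shape the NOC quoted (their hosts 'dev' and 'ns').
REMOTE_LOG = """\
Jun  3 17:12:49 dev in.telnetd[1965]: refused connect from modemheads.com
Jun  4 02:32:00 ns in.telnetd[17808]: refused connect from modemheads.com
Jun  4 13:40:49 ns in.ftpd[19511]: refused connect from modemheads.com
"""

TS = r"\w{3}\s+\d+ \d\d:\d\d:\d\d"
SYSLOG = re.compile("^" + TS + r" (?P<host>\S+) (?P<prog>[\w.]+)\[\d+\]: (?P<msg>.*)$")
REPEATED = re.compile("^" + TS + r" \S+ last message repeated (?P<n>\d+) times$")
FAILED = re.compile(r"invalid password for `(?P<user>[^']*)' on `[^']*' from `(?P<src>[^']*)'")
# The ident group is optional so the truncated "[211.133.4.103$" line still parses.
ANON_FTP = re.compile(r"ANONYMOUS FTP LOGIN FROM (?P<name>\S+) \[(?P<ip>[\d.]+)(?:\], (?P<ident>.*))?")
ILLEGAL_PORT = re.compile(r"Connection from (?P<src>\S+) on illegal port")
REFUSED = re.compile(r"refused connect from (?P<src>\S+)")


def triage_local(text):
    """Summarise inbound activity: failed logins (with syslog repeats folded in),
    anonymous FTP logins, and r-service connections from non-privileged ports."""
    failed_by_src, failed_users, illegal_port = Counter(), Counter(), Counter()
    anon_ftp = []
    last_failed = None  # (src, user) of the previous line, for "last message repeated N times"
    for line in text.splitlines():
        rep = REPEATED.match(line)
        if rep:
            if last_failed:
                failed_by_src[last_failed[0]] += int(rep["n"])
                failed_users[last_failed[1]] += int(rep["n"])
            continue
        m = SYSLOG.match(line)
        if not m:
            continue
        msg = m["msg"]
        f = FAILED.search(msg)
        if f:
            failed_by_src[f["src"]] += 1
            failed_users[f["user"]] += 1
            last_failed = (f["src"], f["user"])
            continue
        last_failed = None
        a = ANON_FTP.search(msg)
        if a:
            anon_ftp.append((a["name"], a["ip"], a["ident"] or ""))
            continue
        i = ILLEGAL_PORT.search(msg)
        if i:
            illegal_port[i["src"]] += 1
    return {"failed_by_src": failed_by_src, "failed_users": failed_users,
            "anon_ftp": anon_ftp, "illegal_port": illegal_port}


def triage_remote(text, our_host=OUR_HOST):
    """Count the remote site's refused connections attributed to our host, by service."""
    outbound = Counter()
    for line in text.splitlines():
        m = SYSLOG.match(line)
        r = REFUSED.search(m["msg"]) if m else None
        if r and r["src"] == our_host:
            outbound[m["prog"]] += 1
    return outbound


def findings(local, outbound, brute_threshold=3):
    """Order the evidence: outbound activity first, then inbound noise worth a look."""
    notes = []
    if outbound:
        svc = ", ".join(f"{k} x{v}" for k, v in sorted(outbound.items()))
        notes.append(f"OUTBOUND: remote site logged connections from {OUR_HOST} ({svc}); denied "
                     "inbound logins cannot explain these, so account for every one or assume compromise")
    for src, n in local["failed_by_src"].most_common():
        if n >= brute_threshold:
            notes.append(f"brute force: {n} failed logins from {src}")
    if local["failed_users"].get("root"):
        notes.append(f"root targeted {local['failed_users']['root']} times; check lastlog/wtmp for any success")
    for src, n in local["illegal_port"].items():
        notes.append(f"rshd/rlogind probe from {src} ({n} connections); r-services should not be exposed")
    for name, ip, ident in local["anon_ftp"]:
        notes.append(f"anonymous ftp from {name} [{ip}] ident {ident!r}; check xferlog for transfers")
    return notes


if __name__ == "__main__":
    for note in findings(triage_local(LOCAL_LOG), triage_remote(REMOTE_LOG)):
        print(note)
```

Run against the full logs rather than the excerpt by reading `/var/log/messages` into `triage_local` and the NOC's pasted lines into `triage_remote`. The first finding is the one that decides the question in the subject line: if nobody on the box initiated those telnet and FTP connections, the inbound noise is irrelevant and the host should be treated as compromised until the outbound traffic is explained.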
 


More information about the LUAU mailing list