SUMMARY 2: HELP! Do I have an intruder?

From: Jack Jones (jack@mslab2.med.utah.edu)
Date: Thu Sep 30 1993 - 15:20:25 CDT


Nobody seems to have a clue as to what caused my strange ftp activity.
However three people replied to me after my first summary. All three
suggested that I install tcp-wrapper to monitor tcp requests. I installed
tcp-wrapper on one of our DECstations to monitor some strange things on
that system. This is a great package! I'm going to install it on our
suns. I haven't tried to install it on my Solaris2 machine so I don't
know how hard the port will be.

Many thanks to:
        Lack Mr G M <gml4410@ggr.co.uk>
        frankm@shadow.cna.tek.com (Frank 'Scruffy' Miller)
        mike@maxwell.as.utexas.edu (Michael Briley)

-Jack Jones
jack@medstat.med.utah.edu

#########################################################################
From: Lack Mr G M <gml4410@ggr.co.uk>

     Can't help you at all on what *caused* the messages. I can suggest
that you install tcp-wrappers. This would have allowed you to
(optionally) log where these calls came from, and disallow them based on
address/network of the caller.
#########################################################################
From: frankm@shadow.cna.tek.com (Frank 'Scruffy' Miller)

Jack, you might try a tcp wrapper or running a promiscuous ethernet
process to see *where* the connection is coming from. From there
you can try finger @host to look at utmp and maybe contacting the
sysadmin to set up more tracking.

I'm still in 4.1.3 land ... so the tcp wrapper might not have
been ported to Sys V.
#########################################################################
From: mike@maxwell.as.utexas.edu (Michael Briley)

I'm sorry I missed your original post, but one other thing that you may
want to consider is installing front ends to your network daemons which
monitor any activity. I've set up my machine that way and it is very
nice to have the source of every outside connection logged.
An example from earlier today:

Sep 28 11:09:07 maxwell in.ftpd[15506]: Connect to in.ftpd from beernut1.as.utexas.edu

It was written by Wietse Venema, Eindhoven University of Technology,
The Netherlands. I've forgotten what archive I got this from, but I
could send you a copy.
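The following is an added example, not part of the original thread and not Wietse Venema's tcp_wrappers code. It ties together the two suggestions above: Mr Lack's point that the wrapper can log and disallow callers by address or network, and the connection log line Michael quoted. The script parses wrapper-style syslog lines, evaluates each source against a hosts.allow/hosts.deny style policy, and lists the sources that got in but that the policy would have refused. The log lines are constructed in the format of the quoted line (the "refused connect from" form is assumed from later tcp_wrappers releases); the rule matching is a small subset of tcpd's own matching written here for illustration; and ALLOW_RULES, DENY_RULES, decide, summarize and suspicious are names chosen for this example.

```python
import re
import ipaddress

# Constructed sample lines in the "Connect to <daemon> from <host>" format
# quoted in the post, plus a "refused connect from" line for a denied call.
# None of these come from the original thread.
SAMPLE_LOG = """\
Sep 28 11:09:07 maxwell in.ftpd[15506]: Connect to in.ftpd from beernut1.as.utexas.edu
Sep 28 11:12:41 maxwell in.telnetd[15522]: Connect to in.telnetd from 128.83.136.9
Sep 28 23:40:02 maxwell in.ftpd[15711]: Connect to in.ftpd from 192.0.2.77
Sep 28 23:40:05 maxwell in.ftpd[15712]: refused connect from 192.0.2.77
Sep 28 23:41:19 maxwell in.ftpd[15713]: Connect to in.ftpd from 192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<verb>Connect to [\w.-]+ from|refused connect from) (?P<src>\S+)$"
)

# Policy in hosts.allow / hosts.deny style: (daemon list, client list).
# Assumption for this example: the local site is 128.83.0.0/16 and the
# as.utexas.edu domain; everything else is denied.
ALLOW_RULES = [(["ALL"], [".as.utexas.edu", "128.83.0.0/255.255.0.0"])]
DENY_RULES = [(["ALL"], ["ALL"])]


def host_matches(pattern, client):
    """Subset of tcpd host patterns (only these forms are handled here):
    ALL; a leading-dot domain suffix; a trailing-dot address prefix;
    net/mask; or an exact host name or address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return client.endswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            return ipaddress.ip_address(client) in network
        except ValueError:
            return False  # client is a host name, not an address
    if pattern.endswith("."):
        return client.startswith(pattern)
    return client == pattern


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(host_matches(c, client) for c in clients))


def decide(daemon, client, allow_rules, deny_rules):
    """tcpd order: a hosts.allow match grants, else a hosts.deny match
    denies, else access is granted."""
    if any(rule_matches(r, daemon, client) for r in allow_rules):
        return "allow"
    if any(rule_matches(r, daemon, client) for r in deny_rules):
        return "deny"
    return "allow"


def parse_log(text):
    """Return one event per recognised wrapper log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"daemon": m["daemon"], "src": m["src"],
                           "refused": m["verb"].startswith("refused")})
    return events


def summarize(events, allow_rules, deny_rules):
    """Count connects and refusals per (daemon, source) and record what
    the current policy says about that source."""
    report = {}
    for e in events:
        key = (e["daemon"], e["src"])
        entry = report.setdefault(key, {"connects": 0, "refused": 0, "policy": None})
        entry["refused" if e["refused"] else "connects"] += 1
        entry["policy"] = decide(e["daemon"], e["src"], allow_rules, deny_rules)
    return report


def suspicious(report):
    """Sources that actually connected but the policy would deny: the
    ones worth chasing with finger @host or a mail to their sysadmin."""
    return sorted({src for (daemon, src), v in report.items()
                   if v["connects"] and v["policy"] == "deny"})


if __name__ == "__main__":
    rep = summarize(parse_log(SAMPLE_LOG), ALLOW_RULES, DENY_RULES)
    for (daemon, src), v in sorted(rep.items()):
        print(f"{daemon:12} {src:28} connects={v['connects']} "
              f"refused={v['refused']} policy={v['policy']}")
    print("look at:", ", ".join(suspicious(rep)))
```

Run it against a real /var/log/messages or syslog file instead of SAMPLE_LOG once the wrapper is installed; the log wording differs between tcp_wrappers releases, so adjust LINE_RE to whatever your tcpd actually writes.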



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:08:19 CDT