Telnet Attack



Dear managers,

It was stated that a telnet attack was started from a Solaris 10
machine I am responsible for. I doubt that. However, I got the
following log file:

Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
EventRecord: 26 Aug 2007 02:26:37, 199.17.x.x, 6, 23, Telnet, 50593, 1
EventRecord: 26 Aug 2007 02:26:27, 199.17.x.x, 6, 23, Telnet, 50331, 2
EventRecord: 26 Aug 2007 02:26:17, 199.17.x.x, 6, 23, Telnet, 50064, 2
EventRecord: 26 Aug 2007 02:26:07, 199.17.x.x, 6, 23, Telnet, 49797, 2
EventRecord: 26 Aug 2007 02:25:57, 199.17.x.x, 6, 23, Telnet, 49530, 2
EventRecord: 26 Aug 2007 02:25:50, 199.17.x.x, 6, 23, Telnet, 49264, 1
EventRecord: 26 Aug 2007 02:25:47, 199.17.x.x, 6, 23, Telnet, 49264, 1
EventRecord: 26 Aug 2007 02:25:40, 199.17.x.x, 6, 23, Telnet, 49001, 1
EventRecord: 26 Aug 2007 02:25:37, 199.17.x.x, 6, 23, Telnet, 49001, 1
EventRecord: 26 Aug 2007 02:25:27, 199.17.x.x, 6, 23, Telnet, 48740, 2
EventRecord: 26 Aug 2007 02:25:17, 199.17.x.x, 6, 23, Telnet, 48483, 2
EventRecord: 26 Aug 2007 02:25:07, 199.17.x.x, 6, 23, Telnet, 48216, 2
EventRecord: 26 Aug 2007 02:24:57, 199.17.x.x, 6, 23, Telnet, 47948, 2
...

Now I am sure that no legitimate user has been on this machine at this
time. I have blocked outgoing traffic on port 23 in the meantime.
However, I would like to either prove that the above record is
wrong/faked (not really coming from my machine) or find out which
process did that and who started it. Since I am more a developer
than a sysadmin, I am rather clueless about what to do now. The machine is
running ipfilter.

ipmon -an

seems to give me an overview of the traffic that is going on. But of
course I see no current attempts to access any machine on port 23. Can I
configure ipfilter to give me the process ID of the process that is
initiating outgoing traffic? What other tools can I use to figure out
what was going on yesterday night? The machine can be reached via ssh
(inbound); all other ports are blocked.

Hints are greatly appreciated!

Thanks a lot in advance!

Regards,

Andreas
_______________________________________________
sunmanagers mailing list
sunmanagers@xxxxxxxxxxxxxxx
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
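One thing the quoted records can answer on their own is the "faked or real" question, by checking whether they are internally consistent with connections a real host would emit. The script below is an added example, not part of the original post or of any Sun tool: it re-joins the wrapped EventRecord lines, sorts them by time, and reports the cadence of events, how the local (source) port moves between records, and which source ports appear twice. The sample log is constructed in the layout of the post (destination redacted as on the list); the interpretation assumes the sending host allocates ephemeral ports sequentially from the Solaris 10 default anonymous port floor of 32768, which is a hypothesis to confirm on the machine itself.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample laid out like the sensor log quoted in the post: each
# record wrapped onto two lines by the mail client, destination redacted.
# It is not the original file.
SAMPLE_LOG = """\
Event Date Time, Destination IP, IP Protocol, Target Port, Issue
Description, Source Port, Event Count
EventRecord: 26 Aug 2007 02:26:37, 199.17.x.x, 6, 23, Telnet
, 50593, 1
EventRecord: 26 Aug 2007 02:26:27, 199.17.x.x, 6, 23, Telnet
, 50331, 2
EventRecord: 26 Aug 2007 02:26:17, 199.17.x.x, 6, 23, Telnet
, 50064, 2
EventRecord: 26 Aug 2007 02:26:07, 199.17.x.x, 6, 23, Telnet
, 49797, 2
EventRecord: 26 Aug 2007 02:25:57, 199.17.x.x, 6, 23, Telnet
, 49530, 2
EventRecord: 26 Aug 2007 02:25:50, 199.17.x.x, 6, 23, Telnet
, 49264, 1
EventRecord: 26 Aug 2007 02:25:47, 199.17.x.x, 6, 23, Telnet
, 49264, 1
EventRecord: 26 Aug 2007 02:25:40, 199.17.x.x, 6, 23, Telnet
, 49001, 1
EventRecord: 26 Aug 2007 02:25:37, 199.17.x.x, 6, 23, Telnet
, 49001, 1
EventRecord: 26 Aug 2007 02:25:27, 199.17.x.x, 6, 23, Telnet
, 48740, 2
EventRecord: 26 Aug 2007 02:25:17, 199.17.x.x, 6, 23, Telnet
, 48483, 2
EventRecord: 26 Aug 2007 02:25:07, 199.17.x.x, 6, 23, Telnet
, 48216, 2
EventRecord: 26 Aug 2007 02:24:57, 199.17.x.x, 6, 23, Telnet
, 47948, 2
...
"""

# One unwrapped record: timestamp, destination, protocol, target port,
# description, source port, event count.
RECORD_RE = re.compile(
    r"EventRecord:\s*(?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2})\s*,"
    r"\s*(?P<dst>[^,]+?)\s*,\s*(?P<proto>\d+)\s*,\s*(?P<dport>\d+)\s*,"
    r"\s*(?P<desc>[^,]+?)\s*,\s*(?P<sport>\d+)\s*,\s*(?P<count>\d+)")


def unwrap(text):
    """Re-join records the mail client wrapped: a line that starts with a
    comma is the continuation of the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(",") and lines:
            lines[-1] += line
        else:
            lines.append(line)
    return lines


def parse(text):
    """Return the records as dicts, oldest first (the sensor lists newest first).
    Header lines and the trailing '...' are skipped."""
    recs = []
    for line in unwrap(text):
        m = RECORD_RE.search(line)
        if not m:
            continue
        recs.append({
            "time": datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S"),
            "dst": m["dst"], "proto": int(m["proto"]),
            "dport": int(m["dport"]), "desc": m["desc"],
            "sport": int(m["sport"]), "count": int(m["count"]),
        })
    recs.sort(key=lambda r: r["time"])
    return recs


def analyze(recs, anon_port_floor=32768):
    """Cadence and local-port behaviour of the records. anon_port_floor is the
    assumed start of the sender's ephemeral port range (Solaris 10 default)."""
    times = [r["time"] for r in recs]
    sports = [r["sport"] for r in recs]
    intervals = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    port_steps = [b - a for a, b in zip(sports, sports[1:])]
    distinct = sorted(set(sports))
    span = (times[-1] - times[0]).total_seconds() if len(times) > 1 else 0.0
    # With sequential allocation, the port distance over the observation
    # window estimates how many outbound connections the host opened per
    # second to anywhere, not only to this sensor.
    rate = (distinct[-1] - distinct[0]) / span if span else 0.0
    return {
        "records": len(recs),
        "distinct_ports": len(distinct),
        "span_seconds": int(span),
        "intervals": intervals,
        "port_steps": port_steps,
        # Same local port seen again a few seconds later: looks like a
        # retransmitted SYN rather than a new connection.
        "repeated_ports": sorted(p for p, n in Counter(sports).items() if n > 1),
        "monotonic": all(step >= 0 for step in port_steps),
        "all_in_anon_range": all(p >= anon_port_floor for p in sports),
        "ports_per_second": round(rate, 2),
    }


if __name__ == "__main__":
    records = parse(SAMPLE_LOG)
    for r in records:
        print(r["time"].strftime("%H:%M:%S"), r["dst"], r["sport"], r["count"])
    for key, value in analyze(records).items():
        print(f"{key}: {value}")
```

Point it at the real file with `parse(open(path).read())`. On the quoted data the source port climbs by roughly 260 every 10 seconds and never goes backwards, every port sits above 32768, and the two repeated ports (49001, 49264) reappear exactly 3 seconds later: that is the fingerprint of a real host opening on the order of 25 connections per second to many addresses and retransmitting SYNs that got no answer, which a forged record would be unlikely to reproduce. ipfilter logs packet headers only, so ipmon cannot name the process; on the live system the usual correlation is `ps -ef` (start time against the first record) and `pfiles` on candidate processes, but neither recovers last night's process table after the fact.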
