Re: still problem 'flooding'
- From: taglearc <taglearc@xxxxxxxxxxxxxx>
- Date: Mon, 07 Jul 2008 12:10:36 +0200
In article <slrng73qid.1d43.read_the_sig@xxxxxxxxxxxxxx>,
jpd <read_the_sig@xxxxxxxxxxxxxxxxxxxxxx> wrote:

> Begin <taglearc-1DF872.11520107072008@xxxxxxxxxxxx>
> On Mon, 07 Jul 2008 11:52:01 +0200, taglearc <taglearc@xxxxxxxxxxxxxx> wrote:
>> So it seems that there are repeated attempts to connect via telnet (port
>> 23?) from that box. Thing is, whilst there are two hundred or so
>> accounts on that box, only two have shell access: me, and the IT guy.
>> Any idea how to investigate this?
>
> So how does your IT guy not know how to investigate this and why are you
> and not he posting here?
>
>> I'll start by simply removing the telnet binary, but I need to know
>> if someone has managed to get shell access ... whether he/she (if
>> someone _has_ got in) has managed to crack root, etc ...
>
> All one needs is the ability to run code that will open a connection to
> a remote host at remote port 23 -- no need for root. It may be anything
> from actual binaries to someone running a telnet servlet or (eg, php)
> script, a shell using telnet or nc or whatever other binary that will
> open a socket and let you specify the target port, or whatnot.
>
> So, fire up the usual inspection tools and find out what process opens
> up those connections, who it belongs to, and find out what they're doing
> and how they're doing it exactly.
>
> This sort of thing would require someone knowledgeable on-site or at
> the very least with remote access. As stated your question contains Not
> Enough Information By Far to say anything more useful about it.
>
> ISTR you were told something along those lines previously, too.

I know, I know. ISTR the same degree of aggression the last time, too,
and I admit to still not understanding it. I installed this box a few
years ago whilst teaching there. At the time, I'd been out of IT for =~
five years, and had just enough knowledge to get it up and running. I
no longer work there, and the bloke who does IT is MS and knows little
about UNIX. Yeah, even less than me. :-|

Anyway, it's a crappy little website, but is 'important' in that a lot
of the students and former students have POP accounts with the name of
the school in it.

So ... could I ask, _please_ humour me, and give me some clues, like for
example what are the 'usual inspection tools'? And ...

> find out what process opens
> up those connections, who it belongs to, and find out what they're doing
> and how they're doing it exactly.

How? I don't need to be spoonfed (well, not much..). A man page would
be sufficient to be going on with.

Thanks.

--
taglearc
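An added example, not part of this thread or of anyone's reply in it: a small POSIX shell script that does the "which process opens those connections, and who owns it" step that jpd describes. It assumes the box is FreeBSD and that the socket table comes from `sockstat -4 -c` (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS); the thread itself never names a tool, so `sockstat` is my assumption, and on Linux `lsof -i TCP:23` or `ss -tnp` give the same information in a different layout. The sample table below is constructed, with RFC 5737 documentation addresses, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): list the processes that hold
# connections to a remote port 23, given `sockstat -4 -c` style output
# on stdin. Column layout assumed (FreeBSD sockstat):
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# Prints one line per matching socket: user command pid foreign-address.
telnet_clients() {
    awk 'NR > 1 && $7 ~ /:23$/ { print $1, $2, $3, $7 }'
}

# Summarise the matches by user and command, busiest first, so one
# script or binary opening many telnet sessions stands out immediately.
telnet_client_summary() {
    telnet_clients \
        | awk '{ c[$1 " " $2]++ } END { for (k in c) print c[k], k }' \
        | sort -rn
}

# Constructed sample in sockstat's format. The two php sockets and the
# perl one are the kind of thing jpd means by "a (eg, php) script ...
# that will open a socket"; sshd and sendmail are ordinary daemons.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       800   4  tcp4   192.0.2.10:22         203.0.113.7:50022
www      php        1234  5  tcp4   192.0.2.10:51234      198.51.100.5:23
www      php        1234  6  tcp4   192.0.2.10:51235      198.51.100.6:23
nobody   perl       2210  3  tcp4   192.0.2.10:51300      198.51.100.5:23
root     sendmail   660   4  tcp4   192.0.2.10:25         *:*'

# Run with --demo to see the summary for the constructed sample; on a
# live FreeBSD box the same functions read real data from
#   sockstat -4 -c | telnet_client_summary
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SOCKSTAT" | telnet_client_summary
fi
```

Once a PID shows up here, `ps -o user,ppid,command -p <pid>` on FreeBSD tells you the parent and full command line, which is usually enough to see whether it is a cron job, a CGI script under the web server's user, or something started from a shell, and thus whether the two shell accounts are even involved.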