[NCLUG] I was hacked!

dobbster dobbster at frii.com
Fri Dec 29 13:33:47 MST 2000


Hi,

Maybe this is a little off the current thread, but I was wondering if I
am safe...

I run portsentry/hostsentry on my server, and I see that regular
attempts are made on various ports (111/portmapper, 1080, 143/imap).  I
am not too concerned about this, but I was wondering why they tend to
hit these particular ports?

Also - I have telnet disabled, but I do have in.ftpd running, and I need
to leave it on (and without ssh) for a handful of my Windows users.  My
logs show that FTP gets attacked pretty regularly, but anonymous FTP is
turned off.  I also have the inetd services running through tcpd, and
only specific networks are permitted to use FTP according to my
hosts.allow/hosts.deny.

Is this safe?  Can someone point me to an article which explains the FTP
bugs and what I might do to make things safer?

Another thing that seems weird is that I rsync our main server to a
machine on my DSL network (two different networks), using a root
.shosts.  When the attackers hit one machine, they tend to hit the other
as well.  This strikes me as odd; how would they know that I am
rsyncing?

Security is a serious pain in the ass.  It's hard to keep up with
everything.  I wish they'd go away and leave us alone!!!

Thanks,

Mark (dobbster at frii.com)


