Re: tlug: /var/log/messages

[simon@example.com (Simon Cozens)]

Tony Laszlo (lists.tlug):
>To this layman, it looks like I have been hacked into 
>on a few occasions. I grepped around the log files 
>and found this. 
>
>Jun 12 18:56:10 net identd[2517]: Returned: 61258 , 21 : NO-USER
>Jun 12 18:57:44 net identd[2518]: Connection from 216.216.240.55

identd is a daemon which tells the remote server which user on
your server is making connections; I see this every ten minutes
when I check my mail:

Jun 30 13:36:38 othersideofthe identd[26146]: Connection from ian.nsms.net
Jun 30 13:36:38 othersideofthe identd[26146]: from: 194.207.26.8 ( ian.nsms.net ) for: 48817, 110
Jun 30 13:36:38 othersideofthe identd[26146]: Successful lookup: 48817 , 110 : simon.simon

That tells you that simon made a TCP connection to ian.nsms.net, which I
did by running fetchmail.

For some services, such as when you make an FTP connection to a remote
host, it returns NO-USER. It lists a couple of ports: the local port
which initiated the connection (61258) and the remote port, which is the
port that you connected to. (21) Port 21, if you look in /etc/services,
is the FTP service. 

Looks like you've been using FTP.

Incidentally, if you really are concerned about security (as you should be)
I'd highly recommend getting a copy of ippl, which will log all IP 
connections.

-- 
What happens if a big asteroid hits the Earth?  Judging from realistic
simulations involving a sledge hammer and a common laboratory frog, we
can assume it will be pretty bad. - Dave Barry
-----------------------------------------------------------------------
Next Technical Meeting: July 8 (Sat)  13:30  Place: LinuxProbe Hall
Next Nomikai meeting: August 18 (Fri) 19:00  Place: TBD
-----------------------------------------------------------------------
more info: http://www.tlug.gr.jp        Sponsor: Global Online Japan