Mailing List Archive


Re: tlug: /var/log/messages



On Fri, Jun 30, 2000 at 11:13:40AM +0900, Tony Laszlo wrote:
> My question: if this is an intruder, are there any 
> easy ways to find out what s/he is or has been doing in 
> there? 

No, this looks like it could be normal activity for the ident (auth) daemon
running on your machine.  ('man identd' or check RFC 1413)

> Jun 12 18:56:10 net identd[2517]: Returned: 61258 , 21 : NO-USER
> Jun 12 18:57:44 net identd[2518]: Connection from 216.216.240.55
> Jun 12 18:57:45 net identd[2518]: from: 216.216.240.55 ( 216.216.240.55 ) for: 61265, 21

You may have done an FTP connection (port 21) to this machine and the
administrator there has configured his system to log who was running the
connecting FTP client.

Identd can be used by a system administrator as one means of identifying the
user (owner of a process) that has done something across the network. For
example, if you connect to my mail server, I may want to log not only the IP
address that the connection comes from, but also who seems to be running the
connecting process... so that if you did something bad and if you were from
a multi-user machine, I might have one more piece of information to use
when I talk with the system administrator of the offending machine.
Unfortunately, time has rather passed by much of the usefulness of RFC 1413.

-- 
Jim Tittsler, Tokyo   ICQ: 5981586
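
A log-triage sketch for the kind of identd entries quoted in this thread, added here as an example and not part of the original message: it groups the syslog lines by daemon PID and checks whether the queried port pair (local port, remote port, as in RFC 1413) fits an ident lookup triggered by one of your own outbound sessions. The function names, the `IDENT_CALLERS` table and the sample lines are assumptions made for the example, as is the one-process-per-lookup grouping.

```python
import re
from collections import defaultdict

# Remote services whose servers commonly issue ident lookups (assumed list).
IDENT_CALLERS = {21: "ftp", 25: "smtp", 6667: "irc"}

LINE = re.compile(r"identd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONN = re.compile(r"Connection from (?P<peer>\S+)")
QUERY = re.compile(r"for:\s*(?P<local>\d+)\s*,\s*(?P<remote>\d+)")
REPLY = re.compile(r"Returned:\s*(?P<local>\d+)\s*,\s*(?P<remote>\d+)\s*:\s*(?P<result>.+)")

def parse_identd(lines):
    """Group identd syslog lines by daemon PID into one record per lookup."""
    lookups = defaultdict(dict)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an identd line
        rec, msg = lookups[m["pid"]], m["msg"]
        if (c := CONN.search(msg)):
            rec["peer"] = c["peer"]
        elif (r := REPLY.search(msg)):
            rec.update(local=int(r["local"]), remote=int(r["remote"]),
                       result=r["result"].strip())
        elif (q := QUERY.search(msg)):
            rec.update(local=int(q["local"]), remote=int(q["remote"]))
    return dict(lookups)

def triage(rec):
    """Label a lookup as an expected side effect of an outbound session, or not."""
    svc = IDENT_CALLERS.get(rec.get("remote"))
    # An outbound client connection uses an unprivileged local port.
    if svc and rec.get("local", 0) >= 1024:
        return f"expected: {svc} server checking our outbound connection"
    return "review: port pair does not match a known ident-using service"

SAMPLE = [  # constructed lines in the format quoted in the thread
    "Jun 12 18:57:44 net identd[2518]: Connection from 192.0.2.55",
    "Jun 12 18:57:45 net identd[2518]: from: 192.0.2.55 ( 192.0.2.55 ) for: 61265, 21",
    "Jun 12 18:57:45 net identd[2518]: Returned: 61265 , 21 : NO-USER",
    "Jun 12 19:02:10 net identd[2530]: Connection from 192.0.2.99",
    "Jun 12 19:02:10 net identd[2530]: from: 192.0.2.99 ( 192.0.2.99 ) for: 22, 40112",
]

if __name__ == "__main__":
    for pid, rec in parse_identd(SAMPLE).items():
        print(pid, rec.get("peer"), triage(rec))
```

An "expected" result is strongest when the peer address and timestamp also match a connection you know you made, for example from shell history or FTP client logs.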
