SUMMARY in.telnet bug?

From: Douglas Sean Hagan (shagan@hera.wku.edu)
Date: Thu Jun 11 1998 - 13:31:22 CDT


Most of the responses that I received said that my user had probably
either sent his password over insecure lines and it was sniffed, or that
my user had been targeted. Either way this led us to tighten down
security with tcpd and more religious watching of our logs. Gregory
Coleman included this little bit of advice that others may be
interested in.

> My suggestions in this scenario:
>
> ==>Hit www.cert.com and follow their info about breakins.
> ==>Start monitoring that box assiduously. If you don't have
> /var/adm/loginlog in place, create it as such (as root):
>
> touch /var/adm/loginlog; chmod 600 /var/adm/loginlog
>
> ...this will log failed login attempts.
> ==>Run tcp-wrappers if you aren't already.
> ==>Provide ssh for your users.
> ==>Change the password on that account.
> ==>Run crack and find out if there are other weak passwords and change
> them.
>
> Hope that doesn't make you too paranoid, but it did it to me!

Michael Neef also told me about a recent security patch for in.telnet.
Patch number 106049-01.

Thanks to everyone who responded.
magi@csd.uwo.ca David Wiseman
scott@spy.org Scott D. Yelich
simon@iway.nl Simon Convey
rsnyder@eos.hitc.con Rich Snyder
coleman@library.ucsf.edu Gregory Coleman
steve@peachy.com Steve Kay
Micheal.Neef@neuroinformatik.ruhr-uni-bochum.de Michael Neef

                                        Cheers,
                                        Douglas Sean Hagan
                                        shagan@hera.wku.edu
                                        ACRS Unix Administration
                                        Western Kentucky University
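
Added example, not part of the original post: a shell check for the loginlog advice quoted above. It verifies that the file has the mode set by the touch/chmod step and counts failed-login entries per account. The `user:tty:time` entry layout, the function names and the sample lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a loginlog file. Sample data below is constructed.

# loginlog_ok FILE: succeed only if FILE is a regular file (not a symlink)
# with mode 600, as left by "touch ...; chmod 600 ...".
loginlog_ok() {
    [ -f "$1" ] && [ ! -h "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$perms" = "-rw-------" ]
}

# loginlog_failures FILE [MIN]: print "count user" for every account with at
# least MIN entries (default 1), busiest first. Entries are assumed to be
# "user:tty:time"; lines without those fields are skipped.
loginlog_failures() {
    LC_ALL=C awk -F: -v min="${2:-1}" '
        NF >= 3 && $1 != "" { c[$1]++ }
        END { for (u in c) if (c[u] >= min) print c[u], u }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample log (not from the original post).
SAMPLE=$(mktemp)
chmod 600 "$SAMPLE"
cat > "$SAMPLE" <<'EOF'
jdoe:/dev/pts/3:Thu Jun 11 02:14:07 1998
jdoe:/dev/pts/3:Thu Jun 11 02:14:52 1998
root:/dev/pts/4:Thu Jun 11 02:20:31 1998
jdoe:/dev/pts/5:Thu Jun 11 02:31:10 1998
garbled line without fields
EOF

loginlog_ok "$SAMPLE" && echo "permissions ok"
# Accounts with two or more logged failures.
loginlog_failures "$SAMPLE" 2
```

On a real host, point both functions at /var/adm/loginlog and run them from cron or a daily log review.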


